You can trust us with your most private information — May 4, 2009
“The Virginia Department of Health Professions is currently experiencing technical difficulties which affect computer and email systems. We apologize for any inconvenience this may cause.”
“We hope this information is helpful to you and we sincerely regret any inconvenience this may cause you.” — H. Alan Rosenberg, LexisNexis Vice President, Investigations and Incident Response
Last Monday, 8,257,378 patient records and 35 million prescriptions were reported as stolen from the Virginia Dept. of Health Professions. An extortion note was posted on WikiLeaks, an online clearing house for leaked documents, demanding $10 million to return the prescription records to the State. Patients who went to the Virginia State website used by pharmacists found the site down with the above “technical difficulties” message.
This didn’t make much news, perhaps because that would have meant it was news.
But security breaches of electronic records have become commonplace, as have extortion demands like this, reported InformationWeek. Last October, for instance, we watched as the pharmacy benefit manager, Express Scripts, received a similar extortion letter threatening to release millions of patient records unless the company ponied up. And last December, Cedars-Sinai hadn’t even been aware that its electronic medical records had been stolen and were being used for fraud, until hospital officials were alerted by prosecutors.
The same day news of the Virginia Dept. of Health Professions security breach came out, some 32,000 people received a letter from LexisNexis (I can show you mine), telling them that their sensitive personally identifiable information had been breached and that the company had been contacted by the United States Postal Inspection Service (USPIS) about an ongoing investigation into alleged credit card fraud perpetrated by former customers of LexisNexis. The unauthorized use of customers’ personal information occurred between “June 14, 2004, and October 10, 2007, and the information accessed may have included your name, date of birth, and/or social security number.” People were only being notified that their personal information had been compromised two to five years after the fact, and after up to 300 people had been victimized by a fraudulent credit card scheme that racked up charges on their credit cards and set up fake credit cards in their names. CBS News reported that it’s linked to a Nigerian scam artist.
This wasn’t the first security breach by people operating businesses with LexisNexis or its ChoicePoint customers, either. LexisNexis had disclosed in 2005 that hackers had gained access to the personal information on 32,000 people in its database. ChoicePoint is a spin-off of Equifax and had been acquired by LexisNexis in 2008. It also has a history of data security lapses and had gotten in trouble with the federal government in 2005 for selling reports on about 160,000 customers to identity thieves. ChoicePoint settled with the FTC and paid fines of $10 million in civil penalties and $5 million in consumer redress.
In fact, the problem of securing private information is growing dramatically, according to Identity Theft Resource Center®, a nonprofit organization dedicated to education and prevention of identity theft. The number of data security breaches in 2008 was 656 — a 47% increase over the 446 in 2007. And that represented a three-fold increase over 2005, when there were 158 incidents, affecting more than 64.8 million people. The problem is growing worse, not better.
According to the ITRC, nearly a quarter of breaches (24.5%) occurred from government agencies, another quarter from educational institutions and 14.5% from healthcare facilities. Its 2009 Breach Report already has a dizzying number of breaches — 37 pages with 170 breaches affecting 2,802,655 people. For example:
Federal Aviation Administration (45,000 employees), Oklahoma Dept. of Human Services (1 million people on Medicaid, WIC and other services), Ohio Dept. of Public Safety, Warrior Express, Marian Medical Center (3,200 patients), Washington State Dept. of Labor and Industries, Oklahoma Employment Security Commission (5,500 employees), New York State Dept. of Taxation and Finance, Atlas Collections, DFS Capital Funding, WalMart, Valeta School District, McAllsters, Penn State Erie-Behrend College (10,868 records), CBIZ Medical Management Professionals, Peninsula Orthopaedic Associates (100,000 patients), Moses Cone Memorial Hospital (14,380 patients), Tennessee Dept. of Education (18,541 students), City of Lawrence School Dept., Hawaii Dept. of Transportation, University of Washington (6,000 employees), Culpeper Taxpayers (7,845 taxpayers), Tennessee Dept. of Human Services Policy Studies (1,600 people), Maryland State Employees SHPS Human Resources (8,000 employees with health savings accounts), Palo Alto Medical Foundation (1,000 people), Metropolitan Insurance, LifeWatch, Massachusetts General Hospital, Ohio Dept. of Administrative Services, Sam Houston State University, Maryland Federal Court, Solano Community College, Jackson Memorial Hospital, NYC Housing Authority, Walgreens Health Initiative (28,000 retiree pharmacy records), University of West Georgia, Oklahoma Dept. of Human Services, NYC Office of Payroll Administration, FEMA, Agape Healthcare, St. Rita’s Medical Center, NYC Police Dept. Pension Fund (80,000 policemen), Western Oklahoma State College, Pennsylvania State OPP (10,000 employees), United Healthcare Workers West-Kaiser (29,500 patients), City of Muskogee (4,500 people), Steamboat Springs School District, Children’s Hospital Boston, Arkansas Dept. of Information Services (807,000 records missing), University of Alabama Health Facility (17 computers with 37,000 patient lab records), Rio Grande Food Project (36,000 clients), University of Florida-Grove (97,200 records), Idaho National Laboratory (59,000 employees), Kaiser Permanente HMO (30,000 patient records), Indiana Dept. of Administration (8,775 people with worker compensation or disability claims) ….
Before this post was finished (I got side-tracked filing all of the fraud alerts and stuff), the University of California-Berkeley's health services center was notifying people that its computer database had been hacked and 160,000 records with social security numbers, health insurance information and nontreatment medical records (such as records of physicians seen for diagnoses and treatment, immunizations and screening tests) may have been stolen. The breach is believed to have begun last October 9th and gone undetected until April 9th, when maintenance administrators discovered messages left by hackers from overseas.
As more information is placed on electronic databases, risks for security breaches skyrocket. In 2008 alone, the ITRC reported 35,125,425 records of personal identifying information were breached from electronic records — 98.4% of all breaches of private information — compared to 565,830 breaches using paper records (1.6% of all breaches).
Am I the only one who has noticed that the very people who told us that electronic voting machines can’t be hacker-proofed are now telling us that electronic medical records will be perfectly safe and secure? — HealthcareBS.com
Security isn’t the only unsupported claim the public has heard about the new nationalized integrated electronic medical record system. Few people really understand that nationalized means centralized for federal government oversight (of both them and their doctors’ behaviors) and integrated means automatically populated from pharmacy, lab, diagnostic, hospital, clinic and medical records systems, and interconnected to ensure uninhibited sharing of information among all stakeholders and federal agencies. Imagine how people would feel if they knew that stakeholders and government officials believe Americans have no Constitutional right to informational privacy, leaving them “with a right in progress” to people’s personal information, and that stakeholders know that with the system they envision, security breaches will increase. Yet, the public is told to trust the government to protect the privacy and security of their information. It's reminiscent of that quote:
The most terrifying words in the English language are: “I’m from the government and I’m here to help.” — Ronald Reagan
© 2009 Sandy Szwarc