A patient’s medical information is one of the most sensitive and private forms of data. And in the wrong hands, these records can have detrimental effects. Digital technology facilitates the dissemination of information at lightning-fast speeds which, in many instances, is a praiseworthy feat. However, the unauthorized access and distribution of electronic health records is a major ethical—and sometimes, legal—issue confronting medical professionals.
Since the U.S. Department of Health and Human Services (HHS) began publicly disclosing health data breach information, a total of 20,970,222 individuals have been subject to large medical data breaches. (Note: the HHS requires organizations to report security breaches that involve unencrypted information that affects 500 or more people.)
Of the breaches reported to the HHS’ Office of Civil Rights, 52 percent of them involved theft, 20 percent involved unauthorized data access, and 11 percent involved data loss. In addition, 6 percent involved hacking, and 4 percent were classified as “other” or “unknown.”
Some of the more recent security breaches include the following:
- In December 2011, attorneys filed a class action lawsuit against the University of California Los Angeles Health System. The lawsuit stems from the theft of an external hard drive from the home of a faculty doctor. The hard drive contained the patient information - including names, birth dates, addresses and health data - of over 16,000 individuals. The information on the hard drive was encrypted, but the printed password needed to decode the data was also stolen.
- In June 2012, The University of Texas M.D. Anderson Cancer Center reported that an unencrypted laptop was stolen from the home of one of the organization’s physicians. The laptop contained the names, Social Security numbers, and treatment and research data of 30,000 patients.
- In June 2012, the Alaska Department of Health and Human Services (DHHS) agreed to pay $1.7 million to settle violations of the Health Insurance Portability and Accountability Act. A portable electronic device that contained the Medicaid information of an unspecified number of Medicaid beneficiaries was stolen from the car of a DHHS computer technician.
- In July 2012, Hartford Hospital of Connecticut reported that an unencrypted laptop was stolen from the home of a hospital vendor employee. The laptop contained the personal information – including names, addresses, birth dates, Social Security numbers, diagnoses and treatment info – of almost 10,000 patients.
While these incidents are unsettling, a 2011 security survey conducted by the Health Information and Management Systems Society may prove to be more startling. Of the 329 information technology and security respondents who work in hospitals and outpatient care centers, 53 percent stated that their organization spends less than 3 percent of their information technology budget on security.
Additionally, 82 percent of respondents said their organization shares electronic patient data with external organizations, and almost 25 percent said their organization does not perform security risk assessments.
This seemingly lax approach to protecting patient data may explain the results of the Ponemon Institute’s report, which reveals that medical data breaches have increased by 32 percent since 2010. The report surveyed 300 health care organization officials regarding their security measures for protecting electronic data. Eighty percent of respondents indicated that their organization uses mobile devices that contain patient data, but 50 percent admitted that their data is not protected.
If this information isn’t disconcerting enough, 73 percent of respondents in the survey said their organization does not have the resources to prevent unauthorized access to patient data, and 55 percent don’t think their organization could even detect all of the breaches that could occur.
While it would appear that some in the medical profession either don’t completely understand or care about the implications of breached medical records, those on the wrong side of the law certainly seem to comprehend and appreciate the value of patient medical data.
According to a panel of cyber security experts at the 2011 Digital Health Conference, medical identity theft has become one of the most lucrative forms of identify theft. Electronic health records can be sold for up to $50, which makes them more desirable than Social Security numbers—which garner $3—and credit card information—which is usually sold for $1.50. And, unlike credit cards, which can be cancelled, a patient’s medical information cannot be changed to stop criminal activity.
Thieves use electronic medical records, as well as health insurance and other personal information, to file false insurance claims, obtain prescriptions and even receive medical treatment.
The Federal Trade Commission states that the victims of medical identity theft are billed for this criminal activity and may experience a decrease in their credit score if they refuse to pay the bills. Additionally, the victims may lose their health care coverage as a result of the false claims filed by scammers.
However, theft is not the only form of security breaches. Sometimes, patient records are compromised in other ways. For example:
- A 2009 ABC News report found that 13 percent of medical schools admitted that their students posted confidential patient information on blogs or social networking sites. The students didn’t divulge the names of the patients, but they disclosed enough other personal information for the patients and their family members to recognize the subjects being discussed.
- According to a September 2010 article in the Huffington Post, New York-Presbyterian Hospital/Columbia University Medical Center accidentally disclosed the information – including Social Security numbers – of 6,800 patients on the Internet.
- In September 2011, the New York Times reported that the names and diagnosis codes of 20,000 emergency room patients at Stanford Hospital in Palo Alto, California were posted on a commercial website for almost a year before the breach was discovered by a patient and reported to the hospital. A vendor’s subcontractor who handled billing for the hospital caused the breach.
- In a February 2012 Orange County Register article, St. Joseph’s Medical Center in California acknowledged that the personal medical information of over 21,000 patients was available online for nearly a year. While the information did not contain Social Security numbers or addresses, it did include patient names, diagnoses, lab results and demographic information.
These examples of security breaches are just a few high-profile incidents that have garnered media attention. However, the problem is widespread and far-reaching. According to Marc Rotenberg, executive director of the Electronic Privacy Information Center in Washington, “This is happening everywhere. We're beginning to see the consequences of a lack of adequate enforcement and a lack of significant effort to establish meaningful safeguards."
So, what are the ethical implications of this widespread, lax approach to patient confidentiality? Given the staggering number of breaches that occur annually and the long-term repercussions of these actions to victimized patients, is “Oops, we’re sorry,” an acceptable response?
And what about the paltry – and sometimes nonexistent - amount that most health care institutions budget to secure their electronic health data? Is there an ethical obligation to invest in safeguards for medical records? The sheer carelessness and negligence that lead to most of the reported security breaches seem to imply a callous disregard for patient confidentiality.
While the immediate results of inadequate safeguards manifest as public exposure and/or medical identity theft, these may not be the only consequences. This questionable behavior may also produce a deleterious ripple effect. First, people may doubt that their personal data will remain private. As a result, they may limit the information that they share with their medical providers, and without a complete patient composite, it would be difficult to provide effective medical care. And in a worst cast scenario, some people may elect to avoid medical treatment altogether.
So what can health care providers and medical institutions do to ensure that patients never have to choose between medical care and personal privacy? How can they stop these insidious breaches and demonstrate a sincere concern for patient confidentiality? Laurinda Harman, Cathy Flite, and Kesa Bond, in an article for the American Medical Association Journal of Ethics, recommend much tighter security measures.
The first step in this process is to evaluate employees and vendors who have access to electronic medical records and determine what level of access is actually needed by each person. In addition, biometric scans of the face, eye, or finger can be used to verify a user’s identity before allowing access.
To prevent data hacking, passwords should be changed often – and never repeated; firewalls, antivirus software, and intrusion detection software should also be implemented in the fight against cyber criminals. In addition, since mobile devices are easily lost or stolen, the trio of authors advocates encrypting confidential data. Medical institutions also need a dedicated security officer and a team of health information technology experts who can assess and address security threats. However, the development and implementation of an effective health data security plan won’t be cheap, quick, or easy. It will be time- and labor-intensive, it will cost a pretty penny, and it may be cumbersome to the users and administrators. However, the alternative – which is to continue in the role of a sideline spectator - is not an acceptable option.
And while acknowledging that many medical institutions may be understaffed, underfunded and overworked, this does not absolve them of the ethical responsibility to ensure that the personal information of their patients is protected at all costs. “First do no harm” is not limited to medical care: the Hippocratic oath also extends to patient confidentiality.