Perhaps it’s the age we live in, in which we have come to expect ready access to information, or perhaps it’s precisely that expectation that has made us hyper-sensitive to any unauthorized access to our personal and confidential data. Either way, security breaches involving confidential medical records seem to be happening more and more often. The New York Times recently reported on such a breach at Stanford Hospital in Palo Alto, Calif., which involved a private billing contractor and the posting of data on more than 20,000 ER patients to a public website – and the data remained there, undetected, for more than a year.
Along with the obvious technical question of how this information reached a public site, there is the people factor – someone made an unethical choice or, at best, a serious error in judgment about protecting patient records. Just what was the problem, and where did the failure (or failures) occur? Was it a training issue? A procedures issue? Perhaps the hospital’s internal ethics and security processes were never extended to the outside vendor. Or perhaps no one noticed the exposure at all, or those who recognized it didn’t know how to respond.
The article contained this very scary fact: “Records compiled by the Department of Health and Human Services reveal that personal medical data for more than 11 million people have been improperly exposed during the past two years alone.” Penalties and fines have fallen like autumn leaves, yet medical security breaches still occur, and most of them are not blatant criminal acts but failures of protocol, gaps in the compliance structure, and lapses in ethical behavior.
Here’s another quoteworthy line from the article: “Although a medical security breach is not uncommon, the Stanford breach was notable for the length of time that the data remained publicly available without detection.” No doubt healthcare organizations train their employees on ethics as well as on the procedures for handling patient records that HIPAA regulations require, and most providers have some sort of hotline through which employees can report security violations and other ethics issues. But those same initiatives should also be applied to contractors and other vendors who could come into contact with that same data. HIPAA’s business associate provisions already extend the rules to such vendors on paper; the Stanford case shows that contractual coverage is not the same as operational oversight, and that a year-long public exposure can go unnoticed when nobody is actually checking.