Could a complete stranger receive your echocardiogram results in the mail?
Could a homeless guy in Boston end up with your labs in his shopping cart?
Is it possible that your medical records were sold on eBay?
Yes. Yes. And yes.
On February 24, 2011, Massachusetts General Hospital was fined $1 million by the federal government when an employee inadvertently left a stack of papers on the subway. These documents contained the protected health information of 192 patients, many with HIV/AIDS. Where did these medical records go? Nobody knows. Maybe a homeless man wandered off with the papers in his knapsack.
Yesterday, while watching my nephew shoot hoops at the Y, I read the American Medical News headline: Carelessness behind many health data breaches. According to the article “practices and hospitals are more likely to experience a breach because of an employee losing a thumb drive, mobile device or stack of paper files than because they were targeted for a malicious hacking.”
Doesn’t surprise me. Every few years I get a letter from a health insurance company notifying me that a laptop was stolen with my personal information including my social security number. I’m offered a year of fraud protection; then I’m on my own. I’m assured additional protective measures have been instituted due to the unfortunate and isolated event.
When I continue to read about stolen laptops from hospitals, some right out of employees’ cars, I wonder how many of these laptops have been sold on eBay.
As I leave the YMCA, I stop by my mom’s house on the way home. She’s in the kitchen reviewing the records she just received in the mail from her cardiologist. I ask if she found “anything interesting.” She grins and proceeds to show me the echocardiogram results from some lady named Linda. Mom wonders if her records inadvertently ended up at Linda’s house.
The good news: Though the subway documents were never recovered, there’s no evidence that anyone was harmed. So far my monthly credit alerts indicate nobody has stolen my identity. And in a few days I’ll personally deliver Linda’s records back to the cardiology department at my local hospital. Linda will probably never know what happened. But if Linda does file a complaint then here’s the bad news: The Health Information Technology for Clinical Health Act of 2009 increased the possible fine to $1.5 million for every patient data breach.
I can now understand why my mom–a retired psychiatrist–shredded boxes of patient psychiatric files in her living room before burying the stuff in the backyard. Even I routinely shred confidential information for my garden. Earthworms love old medical records.
But now I have electronic records. Since upgrading my laptop to a MacBook Pro, I wonder how to discard medical files on my previous two laptops. I’ve been told by computer geeks that it’s impossible to reliably eradicate data. The ultimate method for hard drive disposal recommended by the Department of Defense (pg 142, section 4) is complete physical destruction after overwriting and degaussing.
So to protect my patients, I’ll be heading out to Home Depot for my protective gear and sledgehammer for a weekend of pounding hard drives before smelting or pulverizing them.
I may be going overboard. I’m not sure.
But I’m thinking I’d rather buy new $89 hard drives before selling my old laptops on eBay than get slapped with a 1.5 million dollar per-patient penalty.