Slashdot Mirror
Transcriber Threatens Release of Medical Records
talboito writes "David Lazarus of the San Francisco Chronicle reports on problems subcontracting sensitive data to outside firms. An unpaid Pakistani transcriber threatened to release medical records of patients at UCSF Medical Center on the internet. The article notes: 'U.S. laws maintain strict standards to protect patients' medical data. But those laws are virtually unenforceable overseas, where much of the labor-intensive transcribing of dictated medical notes to written form is being exported.' Most frightening, UCSF was unaware that its records were being sent overseas. The article traces their path backward through a chain of three different subcontractors."
Isn't HIPPA supposed to protect us from this type of thing?
Don't blame me, I voted for Kodos
I can hear the conversation in the board room now....
"Who thought that outsourcing this was a good idea?"
How long until the IT outsourcing start's biting companies in the arse?
remember our laws are NOT their laws.
Do not look at laser with remaining good eye.
This is why certain aspects of business will always cause privacy problems such as this. The goal of many businesses is not to provide the best possible service or the best possible products. Rather it is simply to make money. This is why HMO's never made sense to me and why they were a con foisted upon the American public. They have not made the practice of medicine any cheaper, rather they have simply moved profits from the physicians, nurses and technicians and moved it to a new middle layer of management who makes decisions such as exporting transcription overseas to markets with no concern for privacy.
Visit Jonesblog and say hello.
SOS, it ain't new ...
... old news articles liked on slashdot somewhere.
... wherever outside the USA, then it must be a USA possession or colony. So, extortion in the USA may not be extortion in Pakistan. Sort of like some corporate and/or political corruption in the USA is only criminal in the minds of many citizens. Breaking a law is criminal, breaking a principle or ethics is profitable [GBA!].
Prescience: Frequently is observing the obvious that will happen while others dream-on obliviously to reality. Examples: Would be the US Congress and Bush Cabinet.
If you contract out your core business data or processes/applications, then expect to suffer many consequences beyond your control. Yep, it is USA government and business SOP
Also, if USA law applies in India, China,
HAVE FUN - OldHawk777
Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
My dad is a hospital administrator, and at the hospital he runs (in rural Louisiana, none the less), they just invested in a voice recognition package specific to medical transcription. They never outsourced their transcription needs overseas, but they were having trouble meeting their needs with the staff on hand. So far he says it works far better than he expected, and has generated any serious errors (it tends to be better at picking out the appropriate medical words than at transcribing normal english. because the doctors tend to use rather obscure words). They still proofread the transcriptions as an error checking, but over all, it has been more accurate than even human transcription and cheaper too.
====
Crudely Drawn Games
Everything is then electronic and retrievable from the get-go. Good for the economy, efficiency, morale---everything but the bottom line on healthcare costs in the short run ;)
William
(who just finished a nightmarish rush project which became so 'cause the boss tried to outsource it and the overseash shop mangled the nice LaTeX job using Quark XPress)
Sphinx of black quartz, judge my vow.
The problem is not overseas workers. The real issue here is sensitive information being processed by networks of subcontractors without the knowledge of the information owner.
A sweat shop worker realises she is being exploited.
More power to her.
Can anyone else see large software companies having this problem? Company sends the project overseas to be developed, employees return the finished source, and then toss their NDA in the trash by holding the source ransom over the internet.
We've all seen what source in the wild can do (whether you believe some of the rumors about how HL2 source was released, it's _still_ delayed), and a group trying to profit off of source code could even be worse. Of course, no manager is going to listen to little old me.. Mainly because I'm not crawling down their throats for this quarters profit margin. =T
This statement is false.
Any time you pass on potentially sensitive data onto a third party there is the opening for abuse of this nature. When you outsource you are at the mercy of the contracted party and their security measures (if any) become your security measures. Add to that sub-contractors... Big freakin' mess.
Certain information should remain in the USA and not be contracted out. Ever. Looks to me that this whole fad of out-sourcing overseas has just come back to bite people in the ass. Maybe now some of the fools will learn that the old addage "Charity begins at home" is a good idea: keep those jobs here; the costs aren't in just dollars saved or wages paid.
No doubt this is a 'bad thing' since medical record confidentiality is a widely accepted thing in our society. But having known several people who have worked for large hospitals, medical offices, and such, this is simply payback for thos ehospitals who clear millions of dollars in profits AFTER they've already payed everyone in the building.
Business will always be business, and every manager wants a fatter check for gettings things done cheaply, but they simply got what they paid for. They wanted it cheap, now they got the quality that comes with that.
Pay your employees, people! Create some value in your business by doing it yourself. I'm not saying that a medical transcriptionist should be making 75K/yr, but the money they saved by offshoring this, they just lost 10 times over in the lawsuits that will be flowing into that hospital now for violating doctor-patient confiditiality.
A middle manager/upper manager should be fired, publicly, for this.
"See, we plan ahead! That way, we never have to do anything now."
Step 2) ....
Step 3) Profit!
It only took a few hundred dollars to pay her off.
Even extortion is cheaper when done overseas.
Companies are setting themselves up for a big hurt when they outsource overseas. This intance shows just some of the dangers and downfalls. Eventually, it's going to come around and bite them in the arse. What happened to all the forward thinkers? The over-zealous drive for profits and cost savings for today without thinking about tomorrow hurts us all - from the executives, to the workers, to the consumers, and, yes, even the shareholders. For example, America's technological edge is dying all because of overseas outsourcing. Why would any kid want to go to college for CS/IT when the job prospects are so miserable?
The article describes what amounts to a chain of subcontractors handling the medical transcriptions. The top of the chain is a firm in Sausalito handling medical transcriptions, which hired a subcontractor in Texas, who then farms out work to a network of subcontractors -- which led to the woman in Pakistan.
I think the guy in Texas should be held liable, no? He's the one playing fast and loose with patient privacy, and I can't imagine he has no legal culpability here.
Anyone out there have an understanding of the legal framework for something like this?
quiquid id est, timeo puellas et oscula dantes.
Disclosure: I've worked in hospital administration so I've seen this stuff first hand.
Medical service providers are under a lot of pressure to reduce costs. So outsourcing isn't surprising and can work really well. Outside of medicine, hospitals tend to be pretty technically unsophisticated. But there also is the fact that medical organizations tend to be very rigidly heirarchical. Once data or a patient leaves the department, no one cares what happens to it. It's not right, but it is reality. Once you combine the two we have problems. Stuff gets outsourced and no one follows up to find out where to.
There has been a big stink about medical privacy (and rightly so) but in real terms it is not as private as it should be. HIPPA? Please. HIPPA just codifies what medical personnel were supposed to be be doing anyway. And if you think your charts don't get discussed and shared you're kidding yourself. Medical people are some of the most gossipy folks I've ever met.
Yeah, because your orginization didn't jump on the cheap-labor-train before.
Hell, if you send sensitive data overseas to a extremely low paid transcriber, are you really surprised? Especially when you stiff them for their paltry $500 pay. LOL, was the cheap labor worth it now?
Sehr geehrter Toilettenbenutzer!
The title says it all.
'He who has to break a thing to find out what it is, has left the path of wisdom.' -- Gandalf to Saruman
Let's see, I can farm out my company's grunt-work overseas, because there are no US federal regulators there enforcing employment, wage, standard, etc. laws.
Simultaneously, of course, there are no (enforceable) IP, trademark, copyright, security, reporting, or competition laws.
Seems distinctly like 2 sides of the same coin to me. Congratulations, you've just saved your company $500,000 in outsourcing your coding jobs to Indian programmers, while simultaneously bankrupting the firm of all future business because you have no trade secrets anymore.
NICE JOB.
-Styopa
This is the problem with outsourcing. You have to trust the 3rd party and be aware of what they are doing. Surely some sort of checking would be made before hand and some legal representative should at least look at what is going on..
Rus
Cheap UK and US VPS
how about just paying the guy his due amount.
There laws may not be our laws but contracts are contracts and the thing to question is who is breaking the contract, nullifying any responsibility of the transcriber has to adhear to the contract?
... rewrite this with "Pakistan" replaced with "Bismarck, North Dakota" and see how it reads. I wonder how much the domestic laws can do to prevent this kind of hijacking of data on US soil?
True, trying that kind of blackmail can get you in a nasty legal mess, but if the MPAA/etc can reach overseas to snatch a kid that had the balls enough to stand up for his participation in a project they didn't like, how far can the vastly better-funded medical industry reach into other countries..?
Or is this the kind of thing that doesn't matter as much as whether the MPAA gets paid?
Why didn't they split the data so that no personal information was even delivered outside their own company ? The form could be devided in parts and each part could have a unique id. Later on combine the translations according to the id.
Who says this kind of thing doesn't happen already, most companies are very hush, hush when it comes to "internal" problems. I am suprised that even this hit the net, it seems like it would be easy to cover-up. "Give me a thousand dollars or these records (source code, internal memo, etc) will be posted publicly". It would be a lot easier to pay then try to recover from the damage. Hell, some countries kidnapping is a cottage industry.
The grass is only greener, if you don't take care of your own lawn.
What with medical records being transcribed overseas in countries with no privacy protection...
HMOs who consider a hangnail as a "pre-existing condition"...
Employers doing medical database checks as a condition of employment...
I've decided I'm just not going to get sick.
Chip H.
Even worse! They SELL the info to drug companies!
I once mentioned a certain problem (side effect of a drug) to a doctor. 7 years ago or so. I was not being treated for it, but he wrote in in his notes. Lo and behold, a month later, I start getting ads in my mail from drug companies for this problem. Not something common. I told the doctor and he was in shock. He agreed that the transcription company must have sold the info. He refused to follow up on it, as did I. In retrospect, I could have caused a stink, but I'm not at all convinced I would have gotten any satisfaction.
I strongly suggest taking your lawyer with you on all doctor's visits. I now review doctor's notes completely (after transcription) and force them to make corrections. It is amazing what sorts of errors the transcription companies make in the notes. And this is what insurance companies look at when you apply for insurance.
In all, I'm pretty frightened of the medical system after a couple of incidents. I avoid the system at all costs. The funny thing is that it is this fear of the system, not of disease, that has actually prompted my very healthy lifestyle. I don't ever want to have to depend on that system for anything. Even the "nice good" doctors who are a part of it are to blame for idly sitting by and letting it all happen. They like to pretend that they are just pawns in a bigger game. Not!
"If you want to improve, be content to be thought foolish and stupid." - Epictetus
If hostptals were oil fields these "other countries" would be on U.S. terrorist list.
This is why the US needs a strong data protection act. In Europe there are strong laws to prevent release of personal information without the direct agreement of the person. And to make this law at all useful it would be illegal for a company to release that information, or transfer it to another country which does not have similar strong laws which are enforcible. So this situation would never have happened.
Indeed, this caused all sorts of hassles with transatlantic companies. They could not transfer data to the US because it didn't have an equivalent law. In the end the "Safe Harbour" agreement came up, which means that personal data about me, gather in Europe, but exported to the US
has stronger data protection, than personal data gathered about US citizens and kept in the US.
It's a strange world.
Phil
Everyone with two brain cells knew this had to happen sooner or later.
I figured that the first big problem would be the outsourcing of financial records to Africa.
Considering the level rampant corruption in that continent, it's inevitable that someone would figure out there's more money to be made, faster and with less effort, by hijacking account info than by the stupid email scams they hammer us with.
When you don't have physical control over access to the data then you can be assured that you'll have this sort of problem.
I did some work for a firm that handled financial information and they had the lan all secured up pretty well, fiber optics, strong encryption, strong passwords, etc..
BUT, the server and patch bays were unsecured in an empty office with a flimsy door and cheesy lock you could pick with a credit card. ANYONE that wanted could waltz right in and log in or patch in. Or they could just pick up the server and walk out with it.
Thing is, if you don't have physical posession of the data and control of it, you might as well flag it as public. The first person you piss off will dump it on the web, hijack it, alter it, mine it, etc..
Don't you just love this "brave new world of inter-dependence"???
Name
DOB
SSN
Identity theft anyone? Use your credit and bank account to finance ___________ ?
There is no spoon or sig.
With tablet PC's and the like, doctors down here in Houston (at least at my wife's 20 doctor clinic) are starting to enter their own records.
This sort of problem only happens at the huge hospital systems, not your regional health system.
Remember this:
"A group of American companies is attempting this week to persuade the European Union to relax its rules governing data protection, claiming they are bad for business.
[...]
The EU passed the Data Protection Directive in 1998, and this has subsequently been implemented into national law by all but two--Ireland and Luxemburg--of the EU's member states.
As well as regulating the buying and selling of personal data about European citizens and forcing Web sites to tell users when data about them is collected and allow users to refuse disclosure, the Data Protection Directive also restricts the flow of information about Europeans to companies based in countries with--in the view of the EU--more lax privacy standards.
The Global Privacy Alliance says that this directive makes it hard for companies to engage in the kind of data flow that they claim is vital for modern e-enabled businesses."
That would be the kind of data flow where they take your medical data, and farm it out to a country with no effective privacy laws, then?
Its interesting that the EU law would not only have prevented your medical data going to Pakistan, it would have prevented it going to the US - because far from having "strict standards to protect patients' medical data", the US laws allow moving private data to countries with lower privacy standards!
It's HIPAA.
Health Insurance Portability and Accountability Act
Rember how pissed-off these made US businesses, who resented being pressured to comply with EU laws regarding data outsourced from the EU (or otherwise concerning EU citizenry?) Now it seems that this model is not such a bad thing. Interested US parties (some hospitals, at least) now seem to be pushing for a model whereby they can enforce US data-protection laws on data concerning US citizens when it goes overseas.
So what?
How is knowing someone was in the hospital with for a concussion or surgery going to hurt them?
Unless of course their records also contain SINs and such.
Could Microsoft's new Information Rights Management (IRM) scheme help to solve this problem?
As I understand the medical transcription business, the transcribers are given paper records and are tasked with transcribing those paper records into electronic form. So it seems that IRM would not help to solve this problem.
Does the medical transcription business work differently than I understand?
My dad is a doctor and I used to always be amazed how fast he could dictate his notes at the end of the day. He'd fly through a pile of 100 folders in about 45 minutes or less.
Even more amazing is the girl who comes in to type all this stuff up - she does 120 words a minute with no errors!
In any case there are certain things which should never be outsourced overseas, one of them being sensitive medical records.
I got a "We're Sorry" letter from Tricare, the US Air Force's insurance company last year. They apologized because someone broke into one of the Air Force bases' hospitals and stole a few computers that contained over 2000 records of personal information. We were told to be on the look out for "signs of identity theft." Apologies are nice but safeguarding your patients is nicer.
But man, all this talk about "homeland security" goes right out the window when it interferes with turning a profit, right? This isn't an anti-Bush rant, moreso a gripe with business ethics in general. John Ashcroft et. al. have seen fit to rape the Bill of Rights to "protect" us from terrorism, then turns around and screws a whistleblower for pointing out our nuke plants are vulnerable.
Way to have your priorities straight guys.
This will put a severe crimp in the growth of outsourcing of services such as data entry.
Apart from subcontractors in the U.S. quaking in their boots because of potential liability they'll face under U.S. law, there will also be many in Pakistan unhappy with the consequences of fewer companies wanting to risk something like this happening again in the future.
"Provided by the management for your protection."
Usually, when the fairly stiff EU privacy protection laws come up there's a lot of "haha's", "this is bad for business" and "that's what you get for socialist governments" comments.
This example shows very drastically why we got those laws in place (which among other things generally prohibit data export to countries which don't have adequate privacy protection laws) and why they are generally a good thing.
This is not to say that this could never happen, but the responsible folks (the hospital in this case) would most certainly not get off with a slap on their wrists, which will probably be the final outcome here.
ich bin der musikant
mit taschenrechner in der hand
kraftwerk
Call 1-800-ISUE-BIG
Wouldn't it be incumbant on the medical centre to make all reasonable efforts to protect patient data? If they choose to outsource operations, then it is their responsibility to ensure that the ousourcing agency takes the necessary steps to preserve confidentiality, or it is their legal A$$ that is on the line.
My rights don't need management.
I've worked in the medical transcription industry for some time and the providers KNOW that their work is being sent overseas. They don't know and don't care as long as their line/page rate is cheap.
I've been involved in several contract negotiations where outsourcing was explicitly brought up and it was made very clear that they don't care how the work gets done as long as they get it cheap. These are large hospitals, too.
I know of a particular BIG insurance company here in Texas that outsources a LOT of their core work overseas. This company happens to cater to members of the US armed forces and civil service employees. When people get deployed or move, they have to call this company to have all their addresses changed.
To think... now India and Pakistan probably now have a good listing of where a lot of our US service members are located. It's glad that India and Pakistan are our "aliies" or we'd really be in the shit now...
Two things to consider.
One, is this the first time something like this has happened, or just the first time it's made such a public stink?
Secondly, is this case going to create copycats? How many people out there now in a similar situation will look at this and see dollar signs?
Food for thought. Junk food, at least.
"The Sage treasures Unity and measures all things by it" - Lao Tzu
"Information wants to be free..."
What is the problem, whoever sent this information to an uncontrolled location is in trouble.
By releasing it to someone who may violate the disclosure policy they have apparently not fufilled their requirements.
Just trace it back, who gave it to this person, they should not have done that without proper assurances, and they are responsible.
You MUST not release information except to trusted parties.!!
How about the dangers of not paying your employees?
Well, that's what I wanted to write, at first, but then I actually read the article and realized that contrary to the submitter's disingenuous suggestion, the woman was not unpaid, but wanted more money.
Secession is the right of all sentient beings.
Globe article
For greater medical privacy, forget insurance and pay in cash.
I realize it's not really practical with medical costs nowadays, but the reason medical records, information, and clinical notes leave the doctor's office in the first place is because the ones paying for it (insurance usually) need to know certain details about your treatment and diagnosis to determine your level of reimbursement. If you pay out of your own pocket, your data stays where it is (unless there is a medical need for your doctor to consult another, or to check old records, but that is because it's necessarry for TREATMENT.)
Paying in cash means that nobody can look at your credit card receipt/statement or bank records/canceled cheques and see that you've been to the doctor.
The Digital Sorceress
Should not the export (for whatever reason) of that data be prohibited, or at least limited to requiring written consent of it by the owner of the data (the person) with the explicit understanding that there are no guarentees of it's safety when it leaves the country....
Perhaps medical transcription companies should take the SETI@Home approach: digitize all the data to be transcribed, slice it into overlapping chunks of about 20 seconds each, and distribute the work as widely and randomly as possible. In the process of transcription, workers mark fragments as partially or completely unintelligible/incomprehensible so that new larger fragments can be sent out for only those sections which really need more context or the same fragments can be sent to workers who are more likely to understand a heavily accented speaker. Unlike SETI@Home, however, this is a money-making enterprise, so some sort of micro-payment scheme would need to be established.
No one person would likely have enough information to be dangerous, as long as the (automated) process of assembling the results is done in a trusted (and prosecutable) environment.
Of course, this is just an automater's dream... it would in the end be vastly more expensive than simply managing the subcontractor problem as-is.
What do you mean they cut the power? How can they cut the power, man? They're animals!
In fact, it is!
http://images.netmojo.ca/randomimgs/Dilbert_one_of _the_best_ever
This story hilights one of the biggest fundamental flaws in US privacy laws: personal information can be sent to out of country subcontractors who can do whatever they want with that data. And they can do so with impunity.
want to slow down US and European job loss?
I wonder how popular outsourcing IT will be if we restrict the outsourcing of private customer information processing to only countries with recriprocal laws or treaties on the books?
-- $G
If a contractor performs work on a house and doesn't get paid (or a sub-contractor) they generally have the right to a 'mechanic's lien' on the property. It clouds title and he gets paid, even if he has to wait for a sale and closing. The threat by the person getting screwed here WOULD BE SIMILAR IF it was a matter of not getting paid. "I want my money or I will do what I have to to get paid.", is the message from a mechanic's lien. Unfortunately, it looks like she is trying to jack up the price, to quote: "unless she was paid more money". Well, a contract is a contract. She got paid, but wanted more. So, it is extortion. Using our medical records. The hospital is at fault for compromising the record in such a way, I would guess.
Well that cheap ass company got exactly what they deserve. When will companies learn that pretty much anything goes once you leave the aegis of American Law system? Sure you'll save a few bucks but how can you trust private data with a company in the third world?
Here is an article on Wired which panders the need for 3rd world workers.
A Case for Coolie Labor
Just wait until this thing gets a bit wider publicity. You can be sure that holding individuals for ransom from the developing country for a developed product will get more and more common due to the copycat factor. I have a funny feeling that this is only the beginning of a large landslide.
Even worse, wait until outsourced hardware design starts showing how faulty it can be. Where engineers can be held responsible for products that overheat and kill over here, imagine if someone in a third-world country decides to be lazy and not put overcurrent protection on a device in a certain mode that UL safety guidelines happen to not specifically cover. People could end up having their houses burn down. Now, while the company can be held liable, what about the engineer? He can just disappear into the background noise, never be held responsible, and never become an example to others in his community of what happens when a product is shoddily engineered to meet a raw cost objective.
I think there is some optimism that comes from this story, however. It may yet prove that outsourcing is an enormous mistake for many companies. Particularly when the spectre of massive lawsuits is involved, I think that insurance companies will get increasingly involved in these situations. The cost advantages of outsourcing never factored in the increased liability risks presented to the company from the antics and poor quality of work of their outsourced workers in the first place. I don't like insurance companies any more than the next person, but neither do I think insurance companies have discovered to what degree their insured could be subjected to precisely these types of scenarios. Maybe what the geek community could do is start a campaign to inform insurance companies and their actuaries of these situations in order to raise the rates of companies who outsource. Maybe - just maybe - they could once again swing the balance of favor towards workers here.
I think hospitals need to get off their high horse and get real here. People would be much better off if hospitals had more computers. I mean this isn't the 1800's. Doctors are allowed to use computers too aren't they?
To paraphrase Jamie Zawinsky (sp?), computers aren't magic pixie dust. Without exagerating at all, hospitals are among the most complex organizations you will ever run across. Did you know there are about 50 steps to just performing an Xray? And most of those steps have nothing to do with computers and never will. Medicine is really hard to simplify. I've spent a lot of time in manufacturing as well as healthcare and I promise you, the manufacturing guys have it easy.
Anyway just installing a few computers isn't going to solve the problems. Hospitals have lots of computers and use them pretty heavily. But computers are not reliable enough for some purposes. (yet) Patient records are not typically kept on computers in part because people would die if the power went out. Are mistakes made? You bet. Plenty of them. But that has more to do with the complexity of the task and the management systems than anything else. Computers are not some magical cure-all. Hospital admins care a lot about their patients, and doctors care even more. But if solving all their problems just required installing a few computers, don't you think they'd have done that already?
The biggest problem hospitals have with computers is the system adminstrators they hire. I worked at one of the "10 Best" hospitals in the US recently. Medically speaking they are amazing. (my wife is a doctor for them) But their computer system admins are incredibly incompetent. Worse, they don't seem to be willing/able to pay the bucks for really good help. If you are a good sysadmin and want to make a difference, work for a hospital if you can afford to. Lord knows they need the help.
... of the Vichy government officials, when they explained that they shipped Jews (and probably other listed undesirables) into the German territory of their masters while not realizing they were being sent off to be killed.
Similarly, corporations who whine that they didn't know about the conditions of their subcontracted work (sweatshops, etc.) are also, equally liable and contemptible for their WILLFUL IGNORANCE. Any corporate manager or officer can surf the net for 30 minutes and at least suspect that something is rotten in Denmark (or in this case, Pakistan). They make no effort to know since they know otherwise full well that they'd find wrongdoing. "Don't tell me, I don't want to know" is the standard CEO quote.
[You have a stable society when some nut guns down a schoolyard and the law doesn't change.]
This is a *HUGE* issue. Even joe consumer can get concerned when his personal info is bouncing around third-world countries.
What does it tell you that this is not being reported in the mainstream press? Is the issue too complicated? Are people not interested?
I think that there would be a strong reaction from the populace if this was reported in the national media. This might cause the goverment to step in on the off-shore outsourcing issue.
Congress, the White House, and many state legislatures are far more serious about privacy and security than ever before. Expect more privacy laws to be passed by state legislatures.
Every CIO should be concerned about willful violations (willful intent to skirt the privacy regulations) as well as negligent violations when considering moving data offshore, even if only for software development.
Tell your CIO: Regulated data should stay local.
vb
Two comments:
First of all, I guarantee that UCSF had a contract protecting PHI with that sub-contractor. The UC system had several thousand subcontractors with whom they had to rewrite agreements before the deadline in April. Any with whom they did not have a contract were terminated.
Secondly, the hospital is not liable because they were sent unencrypted email of PHI. That doesn't even make common sense, if that could happen then I could email my doctor my last x-ray result, then sue him for breaking my confidentiality. Unless her medical records show up somewhere, she can claim no damages, and therefore have no suit, although IANAL (look at my username). The gov't, however, is another matter entirely...
Next thing you know the government will be holding people offshore so that they can violate their civil rights in ways that would be illegal in america.
My wife runs a similar type of company in Canada. We are contacted constantly by indian and pakistani companies wanting to transcribe for us. I would never trust my medical records to an overseas company that isn't subject to our laws.
- Jimbob
It's no damn wonder we have surgeons cutting off wrong limbs and such. I wonder how many doctor mistakes are due to bad transcribing done by people overseas, or (possibly) with poor English-speaking skills.
Lawsuits anyone?
For those not realizing it, there is no law outside the US on such stuff. Not that the locals, don't have their own laws, it is just across the border and our laws don't apply. This is the real danger as we "Outsource" everything. Yes it is cheaper, but sorry no laws apply either.
As to HIPPA, it exists to protect the institutions, not the individual. Sorry for those who believe otherwise.
Make things clear here: As States process critical Identity Data on persons such as Unemployment, Drivers Licenses etc this way, there is absolutely no protection of the individual against IDENTITY THEFT. While you might not think this is critical, remember that 100% of all documents needed to breach US Security are already being processed in areas where persons who want something more than higher wages are handling them. Al Qaeda works openly in many of these areas. This allows them unlimited, travel, funds and identities to cause terror. This completely dismantles any US Homeland Security. With this going on, "Homeland Security" is an Oxymoron.
Never Politically Correct ~ I prefer the facts If you don't like what I say, get a life, or comment yourself.
It seems we were selling personal information to marketing firms. I found that the firms we serviced had no knowledge of that, so I refused to write the code. Of course I got fired ,had a company officer watch me pack my things, and escort me to the door, all the while trying to convince me they were doing nothing wrong, and I shouldn't mention this to anyone, blah blah blah.
They were in the wrong to do this and to fire you for it. You could sue.
But regardless of whether you sue or not, how about providing us with the name of the Business, the type of violations they were making and the businesses that they were doing business with that were not made aware that their private customer data was being shared for profit.
This type of personal information peddling is illegal, imoral and can cause very significant damage to innocent people (e.g. Insurance companies dropping people, loss of jobs, etc..).. Whenever anyone discovers this type of thing, it is VERY IMPORTANT to get it out in the open so that it can be dealt with.
The reason that it can be true that 1+1 > 2 is that very peculiar nonzero value of the + operator
So I find the subject of this discussion somewhat like about the Pot (USofA) and the Kettle (places like Pakistan).
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
Forest for the trees, kids. Yes, your medical records may be over seas, but that is the small prize. Financial services companies have off-shored a lot of work to India, work that involves financial records. Think about: your name, address, social security number and account information may be sitting in India as I type this.
Someone in another posting made a joke about extortion being cheaper becaue of reduced labor costs. Not much of a joke, really. Someone based in the US will most likely turn down an offer of US$5,000 for complete information -- including SS# -- for accounts with at least US$1 million in net assets. But that US$5,000 looks very attractive to a person based in India, a country where the average annual income is US$4,000, and US$30,000 is salary for a top notch programer.
It is only a matter of time.
thx,
Eric
The welfare of the people has always been the alibi of tyrants. - Albert Camus
You're funny. The US is one of the few western countries where you can (and people often do) get convicted based on circumstantial evidence.
Umm, have you ever heard of the Bill of Rights? It is not possible to be convicted of a crime on circumstantial evidence alone. There must be a witness to the crime or there is no conviction. This is why traffic tickets are thrown out if a police officer doesn't show up for trial. No witness, no case.
Here is the Sixth Amendment:
"In all criminal prosecutions, the accused shall enjoy the right to a speedy and public trial, by an impartial jury of the state and district wherein the crime shall have been committed, which district shall have been previously ascertained by law, and to be informed of the nature and cause of the accusation; to be confronted with the witnesses against him; to have compulsory process for obtaining witnesses in his favor, and to have the assistance of counsel for his defense."
Furthermore, this would be civil court, where the requirements for a conviction is much lower -- to the point where you can get a judgment against you because of a belief of likelihood.
It is not "much lower". There is also no such thing as "conviction" in civil court. You pay money, nothing more. The reason the standard of proof is lower is that you are not losing life or freedom in civil court, you are resolving a dispute.
Its nothing more than "beyond a resonable doubt" versus "clear and convincing". It is a matter of degree nothing more.
Yes, justice is blind, especially after she got a blanket thrown over her head by Mr. Ashcroft...
How does a cabinet member have the power to alter common law practices again? Is he personally bribing all the jury members?
This isn't a dictatorship... one man has far less influence than you think.
I don't read or respond to AC posts
This worked for this woman. She demanded $$, and she got it.
What's going to happen when all of the *other* Indians decide that they aren't being compensated fairly and try to pull a similar stunt?
Outsourcing sucks. CEO pay is out of control. Jobs are being lost.
And how is this a good thing?
Heh, interesting Peter Jennings was born, educated, and started his career in Canada.
In North America there are many many local accents, plus the foreign ones.
I kinda group them as Eastern, Southern, and the rest (including mine).
The foreign accents are always fun, about 20+ from native European english speakers (does every town really need its own accent?). Asia, South America, lottsa fun.
I've noticed a lot of posts wailing that is a problem inherent in Outsourcing.
I think that quite clearly isn't the case, the problem is that US Data Protection laws allow companies to pass personal data to other countries which do not have any requirement to protect that data.
There's no reason why India or Pakistan or wherever that lady lived would have any laws governing the protection of data belonging to US Citizens but US Law should realise that and make it illegal to pass data which is protected in the US to these countries.
I totally agree that disclosure of medical data is a bad thing but it's important to realise how the law has failed to guard against this happening rather than whinge about something totally unrelated to the problem in hand
To get in the US you do not need to give a credit card number.
Basically you need a passport and a reason.
If you aren't a citizen of a few limited countries, you need to ask first, and give a detailed reason, and they will give you a visa.
The issue isn't overseas, it is that someone is illegally distributing protected information to organizations who aren't taking the proper steps to protect it.
Therein lies the true danger of outsourcing information technology jobs. There is no way to ensure data, methods, and proprietary information will remain secure. If a foreign nation decides your banking records are of interrest to it (like when you are travelling and they need a juicy target for kidn.. eh, reeducation, it gets so much easier to identify you by those records so conveniently placed at their disposal by a mutlinational banking firm.
:prison) in one of these nations. Your project is going very slow because the fab can't quite duplicate the US design. Oh, well, when your section boss wants revenge for losing face, he has you forcably removed to the hospital where your organs are removed and sent to places all over the world. It's ok though, since you serve the party in the end by providing the much needed cash to finance the war againts the impirialist pigs.
What if you are a CEO at a company in the silicon valley and you need to get a product out before your competition does? You hire a firm in another country to build a GUI for your product and give them detailed hardware specifications to aid in development. A month before you hit the market with your gee-wiz device, every kid on the block has a product with all of the same features at a much lower price. When you protest to the foreign company , you are told that, since you are a US company, you have no rights in that country and should kindly go away. You get precisely what you deserve when the board of directors hands you your head because they have a warehouse full of chips and plastic and no money.
Most of the nations which supply outsourcing manpower, do not have reciprocal agreements with the US and thus need not enforce ANY of our laws.
If you are an IT professional, you may have noticed how many jobs have moved, but you have been left behind holding the bag.
Say you are a subcontractor for the defense industry and you accidently, on purpoose, underbid your competition because you knew you were going to violate the law and outsource confidential or even secret work. Ten months later the government of that nation uses the technology you supplied them, albeit indirectly, to blackmail the US into reciprocating in a deal providing them with money and resources.
All of these things are possible, and unless I am mistaken have occured many times. I was working at a prominent console manufacturer when a VP licensed a proprietary and inovative design to a foreign corporations with an agreement that they would not distribute in the US or Canada. The US company was ramping up for christmas and thus had warehouses full of packaged units. Two weeks before christmas the VP is dismissed in a heated debate which could be heard throughout the building, and word is out that the foreign company just delivered to just about every store in the nation the same device with thier logo on it, and all because the VP felt he couldn't find somebody to do the internationalization of the firmware. (Something which the foreign company never bothered with since it was only shipped to the US during the first year of sales).
While the boner above was done without outsourcing to a large degree, what caused it to happen was the boneheaded transfer of inovative proprietary knowldge to a foreign company. When the invation resources are spent in another nation, that nation, and not the US will reap all of the benefits of having a skilled work force, while the US consumes itself in shortsighted neglect of local R&D. Licensing and outsourcing would only work if the laws were the same everywhere. Many of the outsourcing targets also allow child labor, slave labor, and torture.
Imagine if you will, you are an unpaid engineer in a semiconductor design house (reeducation facility
The last happens today, outsourcing only makes it worse.
Fast machines, powerfull AI, impulsive invention,... All I lack is a good espresso machine!
sol
"I'd say 'Have a good time,' but arson is still illegal.
In the case of the threat to release UCSF patient records online, a chain of three different subcontractors was used. UCSF and its original contractor, Sausalito's Transcription Stat, say they had no knowledge that the work eventually would find its way abroad.
Bookmark this story and recall it next time some company or government agency talks about their serious commitment to protecting your privacy. Outsourcing is a method too lucrative to pass up for most companies who don't want to pay employee benefits or be able to dismiss people without cause. This case shows that your contractor may be trustworthy, but there's no stopping the sub-sub-subcontractor.
The only person I trust with my personal information is me. Everyone else can coax others to cough up their social insurance number (oh great...I just revealed that I live in Canada!)
Ruby on Rails Screencast
After a fairly minor motorcycle accident, I ended up with a $3500 hospital bill because they didn't correctly copy my information and determined I didn't have insurance. When I finally straigtened all of that up, the bill was for $1100 because of better negotiated rates, 80% of which my HMO paid. If the hospitals are getting so much less for HMO treated people, where do they make money? By raising the prices for the uninsured.
Hopefully at this point the reader goes, "WTF, the uninsured are the ones who need the best pricing!" And the reader would be right; it's a fucked up system where the rich get better treatment for less because the hospital's sign deals because if they don't, and a major HMO walks away, that hospital has just lost a large portion of its non-emergency business. And with the hospitals (maybe not the doctors themselves, but definately with the hospitals), it really is just business; not people.
Why do patient records, in particular those sent for transcription, have names attached to everything anyway? The doctor doesn't need to mention the patient by name in his dictation. Without the names, this would all just be a bunch of unimportant medical mumbo jumbo and posting it on the Internet would be no threat.
What's different here?
We heard about it!
Why?
The article doesn't say, but it's at least possible that the hospital went public with the information. It's certainly clear that they're being upfront and aboveboard about what happened, and what they plan to do to prevent this from happening again.
This sort of openness is uncommon in this litigious society, and should be commended, not criticized.
Their lawyers probably would have advised the hospital to prevent that subcontractor from talking to the press under any circumstances - but she did speak to the reporter, and her story rings somewhat true.
One of the biggest mistakes the Middle-East makes is not utilizing their oil profits to lobby and bid for U.S. corporate manufacturing, IT, and service jobs. With their resources, they could've easily have trained a large number of their citizens to steal away U.S. jobs. In the end, they let their fear and hatred of the west allow India, China and other developing nations to steal U.S. jobs. They've lost the only advantage they could have over the U.S.
I mean what were the chances that the U.S. would've bombed Bagdhad if the city's factories produced Intel's motherboards, Nike's shoes, General Electric's U.S. Defense Department electronic components, and the state of New York's offsite backup storage for electronic court transcriptions? If a country ever wants an advantage over the U.S., or at least a sure deterrence against imperial aggression, they must learn to sleep with the enemy. That's only way the aggressor will let you get close to the imperial shorthairs (not talking about the back of the neck here). Now that the pakistani has hold of one of the empire's pubes, that small portion of the empire is more amicable (at least on the surface). Various disciplines call this leveraging, the loser usually calls it blackmail.
If most U.S. citizens only knew the info being sent overseas, they'd fire every elected politician from office for the crime of stupidity.
= 9J =
My company (one-man band) is registered as a data controller and I hold this in very high regard. As someone who also doesn't want my own personal data used as a commodity I'm very aware of NEVER letting any data I have on anyone leave the EU. To me sending personal data to the US would be as secure as a posting on a warez site running IIS that had been r00ted. I have yet to find anyone who can identify any objection to the UK (and EU) data protection Acts http://www.hmso.gov.uk/acts/acts1998/19980029.htm Its one of the best laws we have. I personally like ...
11. - (1) An individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing for the purposes of direct marketing personal data in respect of which he is the data subject.
and
12. - (1) An individual is entitled at any time, by notice in writing to any data controller, to require the data controller to ensure that no decision taken by or on behalf of the data controller which significantly affects that individual is based solely on the processing by automatic means of personal data in respect of which that individual is the data subject for the purpose of evaluating matters relating to him such as, for example, his performance at work, his creditworthiness, his reliability or his conduct.
You guys'll learn eventually learn about data protection.
Celeberity X gets in a vehicle accident on friday night in LA. Guess how many times the lab report on that test is hit on monday morning?
-ZiN-
You should watch CourtTV more often. There does *not* need to be a witness to get a conviction in a criminal court case. Watch Forensic Files some night and you can see that, with no witnesses, they can use physical evidence and get a conviction.
The reason traffic tickets are thrown out without the police officer present is because there is no other evidence showing that you were speeding. Complete lack of evidence and no witness means there is reasonable doubt. Finger prints, DNA, shoe and tire prints, etc, even without a witness, can provide enough evidence to get a jury to convict.
Buying a car last year, the saleswoman had a question on some of the forms.
She asked a more senior salesperson...
I overheard:
"Yes, we have to fill that in very carefully, so the transcribers in Mexico can enter it in the computer properly."
This, with a technically US-based bank loaning the money.
Now...nothing against Mexico, per se, but shipping *my* info over the border for processing just to save a buck or two is ridiculous.
You weren't listening at the roll-out yesterday. IRM only works for users in your or a trusted domain. Remote users not connected to your "rights server"? SOL.
IRM seems like a poorly executed marketing ploy that will die a death by neglect.
BTW I am a NT/2000 MCSE working in Windows every day. (5 windows and 1 redhat box in my office) not your usual "M$ sucks" troll.
And companies are outsourcing IT work to other countries. Maybe they should take a good look at this example.
You are completely wrong. There must be witnesses? That's absolutely ludicrous. Do you have any idea how many crimes have no witnesses?
Brief Google just for a couple examples of statements relating to circumstantial evidence:
The Supreme Court of Pennsylvania
"Moreover, this Court has established that circumstantial evidence alone can be sufficient to convict a person of a crime."
The Supreme Court of New Hampshire upholding a conviction based solely on circumstantial evidence.
"When the evidence presented is circumstantial, it must exclude all rational conclusions except guilt in order to be sufficient to convict."
The Tennessee Appeals Court
"However, a conviction may be based entirely on circumstantial evidence where the facts are 'so clearly interwoven and connected that the finger of guilt is pointed unerringly at the Defendant and the Defendant alone.'"
The Louisana Appeals Court
"The rule as to circumstantial evidence is that, assuming every fact to be proved that the evidence tends to prove, in order to convict, it must exclude every reasonable hypothesis of innocence."
ok, hindsight is 20/20 and it's easy to say that someone should have done something differently without having to be in that person's shoes, but i don't see your answer as better.
it started off right, with "you should have blown the whistle." i'd agree with that, and i'd suggest anyone in that position right now --and debating what to do-- take that route. there are whistleblower laws, depending on the circumstances, that will protect someone who turns in an employer for illegal activity.
what you did was illegal. you could have been fined and gone to jail for it, and were counting on your employer's fear of your blackmail to insure they would not prosecute you. the fact that you got away with it does not mean you should advise other people to do the same (and if the statute of limitations hasn't run out you probably shouldn't be posting on slashdot about it, either).
"Mister Potato-head --MISTER POTATO-HEAD! Backdoors are not secrets!" (War Games, 1983)
You're kidding, right? Of course it's possible to be convicted of a crime without a witness. A jury must be convinced beyond a reasonable doubt of the defendant's guilt. That's it. As far as I know, there weren't any witnesses who saw Jeffrey Dahmer kill anyone, but the remains they found in his freezer were pretty convincing evidence. They didn't have much trouble convicting him.
You can't compare traffic court to criminal court.
It's funny how many people I have heard, here and elsewhere, go on and on about distributing wealth! Spread the success! All workers of the world unite!
Funny things is, the world is not equal. Ethics are simply...different in many part of the world. In many countries (and yes I have specific cases, including a certain oil company and Italy...), bribes are more or less standard practice, and you will get nowhere without knowing which palms to grease for permits, licenses, etc.
I'm amazed that anybody is even surprised that this is happening.
There will come a time when U.S. companies wake up and realize that 90% of their intellectual property and 'superiority', trade secrets, proprietary information, and perhaps even personnel and medical data has been shipped overseas for the low, low prices of $3.50 a day.
There is an old saying: You can't delegate responsibility
Who gives a shit about source code? Think about what the code actually does and what this dude actually did. Any piece of code developed overseas has the potential to pipeline the data out directly. It might be something as stupid as a CD burner driver, but there it is running on your system. If you are running M$, as many private practices do, that process is running as root and you are hosed.
Code audit anyone? In the comercial world, forget it. There is no way these companies shipping all their work to India or China will have the competence, much less the time, to check against this kind of malice. Our own firms were the fist to put in spyware, are we surprised that others pull the same trick?
This is just another good reason for people to use free software and only free software. When your software has owners, so does your computer and it's not you.
Friends don't help friends install M$ junk.
If you purchase stock on the US Exchange based on this information, it is insider trading, and you get busted by the Feds for doiing it, if you get caught.
Her telling you information does not break the law. (It could well be a breach of contract, though, leading to termination)
The crime occurs when trades are made or influenced, using that information. The person who profits from inside information is the criminal.
Since the stock for US-listed companies is sold in the US, that's the jurisdiction.
PLEASE, DO NOT WATCH ANYMORE RUSH LIMBAUGH specials. I agree, he is a great stand-up comic and drug-addict (like some others). Some folks, I just can't take as seriously smart (Rush is more like a pseudo-intellectual).
Ollie North is still a pathetic joke.
Dumb Quail will always be a bird-brain.
If you are so shallow as to not understand what/why I write, then don't be so foolish as to reply with a temper tantrum of trained/practiced Rush rhetoric.
I will always remain who I am whether the mod-points are up or down.
HAVE-FUN, try to figure it out, even Don Rumsfeld doubts his own BS or don't you keep up with current and recent events.
OldHawk777
Reality is a self-induced hallucination.
Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
I strongly agree, "you cannot generalize that to "most", since new businesses are not, in fact, "most" businesses". That was not my intent. My intent was making an observation from my perspective of current and recent events over the past five years.
... Business (the same) wants to blame and point the fingers for failures at everyone, except themselves.
... just like a doctor or hospital for incompetence and/or dangerous unnecessary procedures.
I do not like liars, there appears to me to be a lack of good ethics in business and government (not all, but far to many) management with blame placed on others.
These days when I hear/see a democratic politician blame a republican politician, I feel I should blame the democrat for the problem. When I hear/see a Republican blame the civil-servants or soldiers for a problem, I feel blame is on the Republican. Corporate CEOs, CFOs,
I now believe management as a privileged class (like in an Aristocracy or Plutocracy) in the USA and EU needs to be held accountable for damages and mistakes
There are always good apples in the basket.
OldHawk777
Reality is a self-induced hallucination.
Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
I am of the same belief about CEOs, CFOs, ....
.... It has become the "silver-plated" meal ticket for screw-ups and SNAFUS (in business and government).
.... I mean even the NSA has OSD software subcontracts with mainland China. Important sites in the DC area have been reported in the news as running applications with Trojan-horse spy viruses for months.
...; Therefor, this is my little patriotic part. Since, I have been told I am getting to old to play a young mans game.
Why worry about doing a good job, when a very poorly performed job still provides exceptional financial rewards, no loss of benefits, no penalty
Look at NASA failures and loss of USA prestige in the sciences, FBI failures and a security through obscurity hoax plan, Homeland Defense failures or whoops accidental success,
USA business (some not all) same direction, management has become the stern-hardass joke of conmen and scam-artist without (maybe) any laws broke.
Something needs to be done
OldHawk777
Reality is a self-induced hallucination.
Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
Look into the HIPAA regs.....
Without knowing more about the story, "here here!" to the Pakistani transcriber who, in the face of being ripped off, tried to get his money back.
On the other hand, if I were one of the patients, I'd be pretty pissed off. I dealt with medical records on a brief project twelve years ago (including manually altering the width of a blob notes field.) Such information could be very embarassing. There are some seriously fucked up people out there.
"Has [being a kidnapped teenage girl, raped repeatedly for months] changed you?" - Katie Couric to Elizabeth Smart
I'm surprised the records are not anonymized before they are outsourced. This would prevent both blackmailing and reselling personal information to drug companies. When you take an HIV test, the tube sent to the lab doesn't have to bear your name, just an identification number.
I've been a medical transcriptionist (a transcriber is the machine, a transcriptionist is the person who uses the machine) for the last 10 years. I've worked in private practices, hospitals, and currently work at home for one of the largest health care facilities in my state. I have never liked the idea of sending transcription overseas on many different levels. First, it does jeopardize the security of a patient's confidential medical record. However, that confidentiality could be in jeopardy even if Susie the neighbor had transcribed it, maybe even more so because it's on a more personal level. Second, many people try to say that there is a lack of qualified, educated MTs in the US. That is a bunch of schitt de bulle. There are too many qualified, educated MTs in the US, to the point that they're forced to underbid each other trying to get contracts. Third, the whole cost savings issue is a real thorn in my side. These offshore MTs are charging as low as 3 cents per line whereas the typical American MT can and does charge up to 15 cents a line. That doesn't sound like a whole lot to many, but when you consider that MTs are likely extensively using word expanders, macros, and VR, it's sometimes the equivalent of $30 to $40 an hour when it's a production-based account. Foreign MTs are NOT saving these hospitals, clinics, etc., any money because typically the majority of their work has to be checked and corrected by a quality assurance monitor here in the US. So, in essence, the work of one American MT is being done by one foreign MT and one American QA monitor. Where's the savings in that?? There is a huge issue with HIPAA compliance amongst American MTs. We've had this drilled into our heads for the last 3 years or so; we screw up, we're out of a job. However, the HIPAA laws do not pertain whatsoever to offshore MTs, only to their employers. Is this fair? Absolutely not. Is there anything US MTs can do about it? Absolutely not. The one organization that claims to represent MTs, AAMT (American Association for Medical Transcriptionists) has no stand on offshore transcription. On the other hand, they offer CMT testing and credentialing to foreign MTs. They're also now talking about enforcing some sort of statewide credentialing and testing program throughout the country. In other words, you can live in Michigan but if you work for a company out of Tennessee, you will most likely have to meet licensing standards in both states, also likely to be at the total expense of the MT. Again, this will not pertain to offshore MTs. What is my stance on foreign subcontractors? I don't like it. Until it is made public knowledge to American patients as a whole, instead of snippets in MT forums and geek zines, it's a moot issue. People do not know this is going on, but I betcha if they did, there would be some changes, hopefully for the positive.
I do not like liars, there appears to me to be a lack of good ethics in business and government
I don't like liars either, but that's rather off-topic since no one involved in this was lying.
These days when I hear/see a democratic politician blame a republican politician
Again, off-topic.
[businesses and their executives want] to blame and point the fingers for failures at everyone, except themselves.
And in this case, that would be correct. The business that outsourced their records did not know that the records were being moved overseas, and could not reasonably have expected to know that. There *is* a culprit here, and that culprit is the company that outsourced overseas. The problem is that many other businesses are doing the same, and the government really does not have the resources to investigate this and enforce the law.
The culprit behind that culprit is decades of omni-partisan cutbacks in the areas of privacy and safety enforcement in the federal government. THAT is what should be addressed in the large, and actually has been over the last 5 years or so... it's a slow process, and cases like this will certainly help to keep it going.