Medical Data on 365,000 Patients Stolen
Anonymous writes "Backup tapes and disks with data on 365,000 patients were stolen out of the car of a worker at a healthcare company in Portland. According to this Computerworld story, the tapes were in his car because he took them home as part of a disaster recovery plan, to protect the information from fire and other on-site disasters. D'oh!"
From TFA:
;)
The data on the tapes was encrypted, Walker said. The data on the disks was in a proprietary file format that was not encrypted, but "is stored in a way that would make it difficult, if not impossible, for someone to access it, then make any sense out of it," he said.
So not as bad as the summary seemed to indicate, but still not the greatest thing to have happen.
Especially if that proprietary file format "difficulty" is just the fact that the files are in some old version of Word.
I watched C-beams glitter in the dark near the Tannhauser gate.
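Added example, not code from the Computerworld story, from Providence, or from any poster in this thread: it shows why "proprietary format but not encrypted" is not the same as the encrypted tapes. The record layout, the three sample patients and their SSNs, and the backup key are all constructed here. The encryption routine is a stand-in (HMAC-SHA256 used as a counter-mode keystream plus an HMAC tag) so the script runs on a stock Python install; a real backup job would use AES-GCM or ChaCha20-Poly1305 from a vetted library.

```python
"""Unencrypted 'proprietary' backup vs. an encrypted one, as an attacker with a
stolen disk would see them.  Everything below is constructed for illustration."""
import hashlib
import hmac
import os
import re
import struct

# Constructed 'proprietary' record layout, the kind of homegrown fixed-width
# format the Computerworld quote alludes to: 8-byte DOB (YYYYMMDD), 32-byte
# name (NUL padded), 9-byte SSN, 2-byte diagnosis code.  No header, no magic.
RECORD = struct.Struct("<8s32s9sH")

# Constructed sample patients.  SSNs in the 900-xx-xxxx range are never issued.
SAMPLE_PATIENTS = [
    ("Ada Lovelace", "900010001", "18151210", 0x0110),
    ("Alan Turing", "900010002", "19120623", 0x0240),
    ("Grace Hopper", "900010003", "19061209", 0x0390),
]


def pack_records(patients):
    """Serialise patients in the homegrown binary layout, with no encryption."""
    return b"".join(
        RECORD.pack(dob.encode(), name.encode(), ssn.encode(), dx)
        for name, ssn, dob, dx in patients
    )


def unpack_records(blob):
    """Inverse of pack_records (used to prove the encrypted copy round-trips)."""
    return [
        (name.rstrip(b"\0").decode(), ssn.decode(), dob.decode(), dx)
        for dob, name, ssn, dx in RECORD.iter_unpack(blob)
    ]


# A 9-digit run not adjacent to other digits: what `strings | grep` on a stolen
# disk would turn up without any knowledge of the file format.
SSN_RE = re.compile(rb"(?<![0-9])[0-9]{9}(?![0-9])")


def scan_for_ssns(blob):
    """Attacker's view: harvest SSN-looking digit runs straight out of raw bytes."""
    return [m.group().decode() for m in SSN_RE.finditer(blob)]


def _keystream(key, nonce, length):
    """PRF-in-counter-mode keystream from HMAC-SHA256.  Stand-in for a real
    AEAD so the example has no third-party dependency (assumption, not a
    recommendation: use AES-GCM or ChaCha20-Poly1305 in production)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block_input = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block_input, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key):
    """Derive separate encryption and MAC keys from the backup key."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def encrypt_backup(key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_backup(key, blob):
    """Verify the tag first; a tampered or wrong-key backup is rejected outright."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("backup tampered with or wrong key")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


def demo():
    """Compare what a thief recovers from the unencrypted disk vs. the encrypted tape."""
    key = os.urandom(32)              # in practice: from a KMS/HSM, never on the same disk
    plain = pack_records(SAMPLE_PATIENTS)
    encrypted = encrypt_backup(key, plain)
    return {
        "ssns_from_plain_disk": scan_for_ssns(plain),
        "ssns_from_encrypted_tape": scan_for_ssns(encrypted),
        "roundtrip_ok": unpack_records(decrypt_backup(key, encrypted)) == SAMPLE_PATIENTS,
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

The point the thread is circling: the "proprietary format" disk gives up every SSN to a one-line regex over the raw bytes, while the encrypted copy gives up nothing and also refuses to decrypt if a single byte is altered. The only thing that makes the tapes safer than the disks is that the key was not in the car with them.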
Oh, and make sure the vault they keep them in is a)real and b) really able to withstand ANY disaster.
The simple truth is that interstellar distances will not fit into the human imagination
- Douglas Adams
At my clinic where there is an EHR (Electronic Health Record) there is built in redundancy with multiple servers in different locations. It is hard to believe that a hospital system as big as Providence (which owns hospitals in multiple NW states) could have something as stupid as someone taking home a backup in their car.
sig here
I guess it's a troll, but I'll feed it. The problem is not a loss of data. It is that (very) personal information has been stolen, including names, addresses, social security numbers, photos, diagnostics, x-rays, etc. Now just imagine how easy it could be to steal my identity if I am on these tapes... That matters.
I hate all sigs, mine included.
I work for a healthcare organization in the same state as Providence (the number of them is pretty small so you could probably guess). Just last month we were reviewing policies to cover just this contingency.
Washington law demands that notification occur if there's any chance that the information could be used criminally. Since we too operate in Washington, we're also complying with that law.
Essentially you must notify each person directly unless the cost of doing so is upwards of a million dollars or so. There's then some contingencies where you can take out ads in major newspapers.
There are some strange exceptions to the rule. If our hospital accidentally sends clinical information to the wrong insurance provider and it's your normal mix-up rather than a potentially criminal act, that doesn't require notification. It sounds like if that weren't the case, people would get notified all the time.
I expect to hear about this tomorrow when we go to work. I work fairly closely with the woman who manages these risks in our organization and she'll likely be hearing all about it. Scary stuff.
By the way, did you know some insurance companies use the SSN as the contract #? Surely things are better now that HIPAA has come into effect, but it did happen.
Well, finally a Slashdot post I can write about with some experience. FWIW, I'm a physician in Portland and medical informatics is an interest of mine.
First of all, while it may shock many IT people that hospitals would use such rudimentary forms of backup and with little encryption, you have to understand that the state of IT in the medical world is backwards. Very backwards. There are a variety of reasons for this. One is that information systems are designed by IT people with little to no understanding of how the healthcare system works (which is understandable - many people in healthcare have little understanding of how it works). At the same time, you have healthcare professionals who really don't understand the full potential of how IT can be applied to healthcare or what its limitations are, but at the same time will complain about solutions that the IT world comes up with. There's this chasm between the two worlds and what you end up getting is a solution that no one likes and you end up having to go back to the drawing board over and over and over. It is absolutely amazing how much money gets sunk into medical IT and how very little progress it has made.
Another reason is the vast amount of red tape in the medical world that is MEANT to prevent lawsuits and provide the best quality healthcare. But there's so much of it that what it really ends up doing is bringing any kind of progress or new idea to a grinding halt. There is no industry I can think of which is so ill adapted to making changes even when they're necessary or make sense. The legal world has the medical world frozen in fear of the next litigation. The result is a paradoxical decrease in healthcare quality and increased costs.
Medical information privacy is one of those issues that seems to always be #1 on the list of concerns of electronic medical records. This has always been rather strange to me. How many people are really all that concerned with someone knowing about their cold, or their broken leg? Most people don't have much they would really care about hiding in their medical records. Of course, there are the people with mental illness, HIV, or sexually transmitted diseases. But even then, what exactly is this thief going to do with that information? IMHO medical information privacy is more of a theoretical concern than a real-life concern.
And then of course, there's the REAL reason people are concerned with medical information being digitized: identity theft for money. I really blame the credit card industry for this more than anyone else. It's surprising to me that they could simply issue a credit card if someone just writes down a name, social security number and address. In this day and age with inexpensive biometric security systems, one would think they could require a submission of a fingerprint (or two). Hell, nowadays with branch offices literally EVERYWHERE, they could simply request you come in with your driver's license. It seems to me that it would be in a bank's best financial interests to do something like this.
Just my $0.02.
"The only normal people are the ones you don't know very well."