Health care practices and UCSF patient records exposed
Technorati Tag: Security Breach
Date Reported:
5/1/08
Organization:
University of California
Contractor/Consultant/Branch:
University of California at San Francisco ("UCSF")
Target America Inc.
Victims:
Patients
Number Affected:
6,313
Types of Data:
"The information included names, addresses, medical departments and some patient medical record numbers"
Breach Description:
"(05-01) 17:22 PDT San Francisco -- Information on thousands of UCSF patients was accessible on the Internet for more than three months last year, a possible violation of federal privacy regulations that might have exposed the patients to medical identity theft"
Reference URL:
San Francisco Chronicle
CNET
United Press International
UCSF News Release
Report Credit:
Elizabeth Fernandez, San Francisco Chronicle
Response:
From the online sources cited above:
Information on thousands of UCSF patients was accessible on the Internet for more than three months last year, a possible violation of federal privacy regulations that might have exposed the patients to medical identity theft, The Chronicle has learned.
The information accessible online included names and addresses of patients along with names of the departments where medical care was provided.
Some patient medical record numbers and the names of the patients' physicians also were available online.
The breach was discovered Oct. 9, but the medical institution did not send out notification letters to the 6,313 affected patients until early April, nearly six months later.
Sensitive information can be used by employers, health insurers and other entities to discriminate
thieves can use purloined information to obtain medical treatment and prescription drugs and to file false medical claims.
[Evan] Purloined is a funny word.
"This is a large and very significant data breach," said Pam Dixon, executive director of the World Privacy Forum
"To commit medical identity theft, all you need is a patient's name, address and the name of the hospital. If you have a doctor's name and the medical department where the patient was being treated, it is gold. If you add a medical record number, it is a disaster for patients."
[Evan] I don't think most people know this. Many people think that they are fine if there were no Social Security numbers or credit card numbers exposed.
Hospital officials say there's no indication of identity theft to date.
UCSF had shared information on its patients with a vendor, Target America Inc., which mines electronic databases amassing information about a nonprofit's potential or existing donors.
Target America, whose Web site says it maintains "the highest standards of security," tunnels through millions of electronic records to help nonprofits identify and cultivate future donors as well as current donors "who could be giving you more." Additionally, it unearths financial information about donor friends and business acquaintances - even offering maps of a donor's neighborhood.
[Evan] Seems wrong, doesn't it? You go to the clinic, the clinic farms out your information to a company that determines whether or not you are a good candidate to hit up for money (you probably don't pay enough in health insurance, deductibles and co-pays). If you are a deemed a good donor candidate, you get emails and letters that you never signed up for. The purpose of the emails and letters is to build a rapport with you with the intention of getting you to donate money. Personally, I would be more willing to donate if an organization were straight with me.
The breach was discovered, said UCSF officials, when the hospital was alerted that a patient's name had been queried on the Internet "and it was listed in association with UCSF."
Corinna Kaarlela, UCSF director of news services, said immediate action was taken to close off the information. Ten days after the breach's discovery, UCSF ended its business agreement with Target America.
Nancy Johnson, president of Target America, said she could not discuss the matter because of client confidentiality.
[Evan] There is no mention of this breach anywhere on Target America's site either. Sweep it under the rug and maybe it will go away?
The breach spotlights a little-known practice among medical institutions to plow the ranks of patients for fundraising purposes.
Hospitals and other health care providers are turning patients into "fundraising free-fire zones," said Dr. Arthur Caplan, chairman of the department of medical ethics at the University of Pennsylvania School of Medicine.
"The breach is a symptom, but the real ethics challenge is the extent to which health care institutions are tracking patients and their families for nonmedical reasons - for fundraising, marketing, advertising," Caplan said. "I don't think people are aware of the degree to which this is occurring, whether it's by a hospital or a nursing home or a hospice."
Since 2004, UCSF said it provided the names and addresses of 30,590 patients to Target America, paying the company $12,000 a year.
Hospital officials said it contracted with the company to assist "with identifying names of individuals who could potentially receive communications from UCSF."
[Evan] Why not say it like it is. The true motive?
"These opportunities included upcoming events, developments in specific UCSF programs, and opportunities to support the University."
[Evan] Closer.
After the breach was discovered, the hospital said it required Target America to hire "an objective third-party firm" to investigate. UCSF received the forensic analysis report March 26. It showed that information was potentially accessible from July 1 to Oct. 9 last year "if a query for a specific name was made." Notification letters were mailed to patients April 4.
While UCSF officials stressed that the breach did not involve Social Security numbers, Dixon said that patients could nonetheless be at risk for harm.
"With medical identity theft, there is so much on the line - only minimal information needs to go out for there to be a problem," she said.
Linking patients to the departments where they were treated, for instance, is problematic because it can serve as a key identifier of a patient's health condition.
[Evan] Don't think that this doesn't happen. Insurance companies are not in business to help people, they are in business to make money. They want to identify as many pre-existing conditions as possible.
UCSF officials say the use of a department's name is not prohibited under HIPAA. But it acknowledged that such a disclosure is against its own "best practice" policy.
[Evan] I think that this is open to interpretation. HIPAA is not clear (nor can it be) in all circumstances, and some people would argue this claim with UCSF officials.
"Steps have been taken to reinforce this practice,"
[Evan] Like what? Are "steps" enough?
For one outraged UCSF patient whose name was part of the online data disclosure, the incident involved an alarming breach of medical trust.
"They told a fundraising company that I'm a patient - morally this should not ever be done by any health care provider," said the patient, a retired executive living in San Francisco. He asked that his name not be published.
"Medical records are supposed to be of utmost privacy," he said. "The University of California is high up in the totem pole for quality medical care. When you go there, the first thing you see are notices regarding patient privacy. Why in the world would they give out my private information? It boils down to monetary greed."
[Evan] There is no doubt that UCSF Medical Center is an outstanding health provider in terms of providing innovative medical care and saving lives. One of the best from what I read.
UCSF is committed to maintaining the privacy of patient information and takes any compromise of patient information very seriously. When patients are seen at UCSF, they are provided with a Notice of Privacy Practice (NOPP), which describes how UCSF may use and disclose their medical information in accordance with the Federal HIPAA Privacy Rule.
UCSF continually modifies systems and practices to enhance the security of patient information.
Commentary:
Hmm. I agree with Dr. Caplan when he stated that "The breach is a symptom, but the real ethics challenge is the extent to which health care institutions are tracking patients and their families for nonmedical reasons - for fundraising, marketing, advertising,". There is not much discussion surrounding the details of the actual breach itself. I have also read concern of the length of time it took before patients were notified.
From Target America's "Why Target America?" page:
"Target America data base, culled from 75 data sources, contains more than 7 million records of the wealthiest and most generous people in the nation -- the top 5 percent in terms of income, assets, and philanthropic history. Ninety-four percent of the individuals on the data base give more than $5,000 a year to charities. The breadth of our data is unique: we focus not only on high-profile, corporate America, but include emerging sources of wealth such as minority-owned business and women entrepreneurs."
Looks like a pretty important database to me.
There are no apologies made by UCSF or Target America for the breach.
Past Breaches:
University of California:
April, 2008 - University of California Irvine students are hit with mysterious breach
Date Reported:5/1/08
Organization:
University of California
Contractor/Consultant/Branch:
University of California at San Francisco ("UCSF")
Target America Inc.
Victims:
Patients
Number Affected:
6,313
Types of Data:
"The information included names, addresses, medical departments and some patient medical record numbers"
Breach Description:
"(05-01) 17:22 PDT San Francisco -- Information on thousands of UCSF patients was accessible on the Internet for more than three months last year, a possible violation of federal privacy regulations that might have exposed the patients to medical identity theft"
Reference URL:
San Francisco Chronicle
CNET
United Press International
UCSF News Release
Report Credit:
Elizabeth Fernandez, San Francisco Chronicle
Response:
From the online sources cited above:
Information on thousands of UCSF patients was accessible on the Internet for more than three months last year, a possible violation of federal privacy regulations that might have exposed the patients to medical identity theft, The Chronicle has learned.
The information accessible online included names and addresses of patients along with names of the departments where medical care was provided.
Some patient medical record numbers and the names of the patients' physicians also were available online.
The breach was discovered Oct. 9, but the medical institution did not send out notification letters to the 6,313 affected patients until early April, nearly six months later.
Sensitive information can be used by employers, health insurers and other entities to discriminate
thieves can use purloined information to obtain medical treatment and prescription drugs and to file false medical claims.
[Evan] Purloined is a funny word.
"This is a large and very significant data breach," said Pam Dixon, executive director of the World Privacy Forum
"To commit medical identity theft, all you need is a patient's name, address and the name of the hospital. If you have a doctor's name and the medical department where the patient was being treated, it is gold. If you add a medical record number, it is a disaster for patients."
[Evan] I don't think most people know this. Many people think that they are fine if there were no Social Security numbers or credit card numbers exposed.
Hospital officials say there's no indication of identity theft to date.
UCSF had shared information on its patients with a vendor, Target America Inc., which mines electronic databases amassing information about a nonprofit's potential or existing donors.
Target America, whose Web site says it maintains "the highest standards of security," tunnels through millions of electronic records to help nonprofits identify and cultivate future donors as well as current donors "who could be giving you more." Additionally, it unearths financial information about donor friends and business acquaintances - even offering maps of a donor's neighborhood.
[Evan] Seems wrong, doesn't it? You go to the clinic, the clinic farms out your information to a company that determines whether or not you are a good candidate to hit up for money (you probably don't pay enough in health insurance, deductibles and co-pays). If you are a deemed a good donor candidate, you get emails and letters that you never signed up for. The purpose of the emails and letters is to build a rapport with you with the intention of getting you to donate money. Personally, I would be more willing to donate if an organization were straight with me.
The breach was discovered, said UCSF officials, when the hospital was alerted that a patient's name had been queried on the Internet "and it was listed in association with UCSF."
Corinna Kaarlela, UCSF director of news services, said immediate action was taken to close off the information. Ten days after the breach's discovery, UCSF ended its business agreement with Target America.
Nancy Johnson, president of Target America, said she could not discuss the matter because of client confidentiality.
[Evan] There is no mention of this breach anywhere on Target America's site either. Sweep it under the rug and maybe it will go away?
The breach spotlights a little-known practice among medical institutions to plow the ranks of patients for fundraising purposes.
Hospitals and other health care providers are turning patients into "fundraising free-fire zones," said Dr. Arthur Caplan, chairman of the department of medical ethics at the University of Pennsylvania School of Medicine.
"The breach is a symptom, but the real ethics challenge is the extent to which health care institutions are tracking patients and their families for nonmedical reasons - for fundraising, marketing, advertising," Caplan said. "I don't think people are aware of the degree to which this is occurring, whether it's by a hospital or a nursing home or a hospice."
Since 2004, UCSF said it provided the names and addresses of 30,590 patients to Target America, paying the company $12,000 a year.
Hospital officials said it contracted with the company to assist "with identifying names of individuals who could potentially receive communications from UCSF."
[Evan] Why not say it like it is. The true motive?
"These opportunities included upcoming events, developments in specific UCSF programs, and opportunities to support the University."
[Evan] Closer.
After the breach was discovered, the hospital said it required Target America to hire "an objective third-party firm" to investigate. UCSF received the forensic analysis report March 26. It showed that information was potentially accessible from July 1 to Oct. 9 last year "if a query for a specific name was made." Notification letters were mailed to patients April 4.
While UCSF officials stressed that the breach did not involve Social Security numbers, Dixon said that patients could nonetheless be at risk for harm.
"With medical identity theft, there is so much on the line - only minimal information needs to go out for there to be a problem," she said.
Linking patients to the departments where they were treated, for instance, is problematic because it can serve as a key identifier of a patient's health condition.
[Evan] Don't think that this doesn't happen. Insurance companies are not in business to help people, they are in business to make money. They want to identify as many pre-existing conditions as possible.
UCSF officials say the use of a department's name is not prohibited under HIPAA. But it acknowledged that such a disclosure is against its own "best practice" policy.
[Evan] I think that this is open to interpretation. HIPAA is not clear (nor can it be) in all circumstances, and some people would argue this claim with UCSF officials.
"Steps have been taken to reinforce this practice,"
[Evan] Like what? Are "steps" enough?
For one outraged UCSF patient whose name was part of the online data disclosure, the incident involved an alarming breach of medical trust.
"They told a fundraising company that I'm a patient - morally this should not ever be done by any health care provider," said the patient, a retired executive living in San Francisco. He asked that his name not be published.
"Medical records are supposed to be of utmost privacy," he said. "The University of California is high up in the totem pole for quality medical care. When you go there, the first thing you see are notices regarding patient privacy. Why in the world would they give out my private information? It boils down to monetary greed."
[Evan] There is no doubt that UCSF Medical Center is an outstanding health provider in terms of providing innovative medical care and saving lives. One of the best from what I read.
UCSF is committed to maintaining the privacy of patient information and takes any compromise of patient information very seriously. When patients are seen at UCSF, they are provided with a Notice of Privacy Practice (NOPP), which describes how UCSF may use and disclose their medical information in accordance with the Federal HIPAA Privacy Rule.
UCSF continually modifies systems and practices to enhance the security of patient information.
Commentary:
Hmm. I agree with Dr. Caplan when he stated that "The breach is a symptom, but the real ethics challenge is the extent to which health care institutions are tracking patients and their families for nonmedical reasons - for fundraising, marketing, advertising,". There is not much discussion surrounding the details of the actual breach itself. I have also read concern of the length of time it took before patients were notified.
From Target America's "Why Target America?" page:
"Target America data base, culled from 75 data sources, contains more than 7 million records of the wealthiest and most generous people in the nation -- the top 5 percent in terms of income, assets, and philanthropic history. Ninety-four percent of the individuals on the data base give more than $5,000 a year to charities. The breadth of our data is unique: we focus not only on high-profile, corporate America, but include emerging sources of wealth such as minority-owned business and women entrepreneurs."
Looks like a pretty important database to me.
There are no apologies made by UCSF or Target America for the breach.
Past Breaches:
University of California:
April, 2008 - University of California Irvine students are hit with mysterious breach
Posted by Evan Francen at 5/7/2008 2:16 PM 
Categories: Poor Business Practice, University of California
Categories: Poor Business Practice, University of California
Posts Atom 1.0
Comments