Healthcare Technology Featured Article

August 22, 2011

Personal Health Info of 300,000 Californians Floated Around the Internet

By now we all know the advantages of electronic health records (EHRs). A specialist can, almost instantly, refer to your doctor’s notes. If you’re brought unconscious into the emergency room, physicians won’t have to guess if you’re in a diabetic coma. And, probably best of all, they cut costs and errors and reduce bureaucracy. At least, they’re supposed to.

But think about this: to accomplish such transparency, your medical files must contain your health information, social security number, insurance forms and other kinds of confidential information. And anyone who can hack into a nation’s security network can easily get into that information. Or anyone with a computer, in the case of nearly 300,000 Californians.

According to a story by Jordan Robertson at, a medical and legal firm entered patients’ data into its computer system, not realizing it was unsecured, and unintentionally made it available to anyone with a computer, not just the employees using it.

Robertson wrote that, though EHRs can decrease medical errors, reduce costs and even save lives, they also are ripe for fraud. This incident, Robertson reported, shows the privacy risks inherent in the new EHR health care reform directive that requires that every “American's sensitive medical information” be turned into EHRs.

While EHRs can lower costs, cut bureaucracy and ultimately save lives, Robertson noted, there is an inherent danger in having such personal information available online. Hackers are even getting into medical devices like insulin pumps and altering readouts that could affect patients’ outcomes.

“When things go wrong, they can really go wrong,” Beth Givens, director of the nonprofit Privacy Rights Clearinghouse, which tracks data breaches, tells Robertson. “Even the most well-designed systems are not safe…This case is a good example of how the human element is the weakest link.”

Even government officials are not immune to this kind of problem. Former UK prime minister Gordon Brown had his infant son’s medical records exposed (the child has cystic fibrosis), according to The Telegraph.

The weak link in the California case was Southern California Medical-Legal Consultants, which represents doctors and hospitals seeking payment from patients receiving workers' compensation, according to Robertson’s story. Its mistake? Putting the records on a website that it believed only employees could use, owner Joel Hecht told Robertson.

The data were “available to anyone in the world with half a brain and access to Google,” Aaron Titus, a researcher with Identity Finder, who discovered the data leak, tells Robertson.

According to Titus, Robertson writes, the company should have required a password for access to the information and instructed search engines not to index the pages. Titus tells Robertson the breach is “likely a case of felony stupidity.”

When mistakes like this occur, the consequences can be more severe than the more common breach of email addresses or credit card numbers, according to the story. “In the wrong hands, health records can be used for blackmail and public humiliation. The information can also be used by insurance companies to inflate rates, or by employers to deny job applicants,” Robertson writes.

But it’s not all going unnoticed. Two members of Congress last week asked the Government Accountability Office to investigate whether medical devices employing wireless technology are safe.

Deborah DiSesa Hirsch is an award-winning health and technology writer who has worked for newspapers, magazines and IBM in her 20-year career. To read more of her articles, please visit her columnist page.

Edited by Jennifer Russell
