PORTLAND (AP) - The theft of 365,000 medical files on Oregon and Washington patients has brought calls for tighter controls on businesses that handle personal data and for penalties on those that fail to safeguard privacy.
Providence Health System waited until Wednesday to notify the patients whose medical records had been stolen from an employee's car in Milwaukie on Dec. 31. Certain home services employees routinely took home the digital files containing copies of patients' records for emergency backup.
Security advocates and legal authorities questioned the at-home storage practice, the lack of encryption on the files and the time it took Providence to report the breach.
“There are some serious questions here,” said Jan Margosian, a spokeswoman for Attorney General Hardy Myers. “It is very reasonable for you to expect that your medical records will be kept safe and secure. That doesn't appear to be what happened.”
Providence's hot line dedicated to the privacy lapse got more than 1,000 calls Thursday, and patients with complaints kept phones ringing all day at the attorney general's office.
Robin Ross, 60, a retired systems analyst in Beaverton, learned Thursday his records were lost and began trying to lodge a complaint with federal authorities.
“I am just stunned,” he said. “Why didn't I get some kind of report on Jan. 2? Why weren't they calling us right away? It just doesn't make sense.”
Ross said an identity theft alert service warned him on Jan. 7 that someone had tried to reassign his phone number. Ross said the two events might be unrelated, but he said, “The timing is definitely suspicious.”
He said he called credit-rating agencies to stop anyone from using his identity to open a bank account or obtain credit cards.
Rick Cagen, regional chief executive for Providence Health System, said the company needed the time to identify each of the patients whose records were stolen and to prepare to help them.
“We wanted to do it right,” Cagen said.
Unlike California, Washington and at least 21 other states, Oregon has no law requiring companies to report privacy lapses. Last year, a security-breach bill in the Legislature failed to overcome resistance from industry groups.
Because some affected patients live in Washington, Providence officials were obligated under a Washington law to inform patients of the theft “in the most expedient time possible and without unreasonable delay.”
U.S. Rep. Darlene Hooley of Oregon said she hopes to pass national standards this year. Her bill would require reporting to consumers and would let them freeze access to their credit reports to block identity thieves, as the Washington state law allows.
Security experts and privacy advocates said storing backup copies at home might have been defensible if the records were protected by sturdy encryption.
“If it is encrypted, then it's almost impossible for crooks to use,” said Jim Hudson, co-founder of Amcrin Corp., a security firm in West Linn that specializes in fraud protection. “Today, I cannot imagine any health care institution that is not using encryption.”
Hudson said identity thieves prize the rich detail in medical records. In addition to addresses and Social Security numbers, the records may include data such as names and addresses of relatives, which can help criminals create a false identity.
“The low-level car prowler can sell it to someone, who is going to sell it to someone else, and eventually someone is going to buy those tapes who has the ability to use the information,” Hudson said.
As of Thursday, state and local law enforcement agencies had received no new tips or reports of identity theft related to the stolen medical records.
---
Information from: The Oregonian, http://www.oregonlive.com