Friends and Family Breach Patient Privacy, Not Estonian Hackers

Monday, September 17, 2012

Danny Lieberman


A 2011 HIPAA patient privacy violation in Canada, in which an imaging technician accessed the medical records of her ex-husband’s girlfriend, illustrates unauthorized disclosure of patient information by authorized people.

Data leakage of ePHI (electronic protected health information) in hospitals is rampant for two simple reasons: a) there is a lot of it floating around, and b) human nature.

Human beings are naturally curious, sometimes vindictive and always worried when it comes to the health condition of friends and family. Being human, they will bend rules to get information and, in the course of bending rules, breach patient privacy.

The right to patient privacy

The Health Insurance Portability and Accountability Act expresses a general federal policy favoring patients’ right to confidentiality and HIPAA’s Privacy Rule grants federal protections for patients’ personal health information held by covered entities and gives patients rights regarding that information.

What is ePHI?

The Department of Health and Human Services defines ePHI as a combination of personal identifiers and clinical data in order to protect patient privacy.

Electronic protected health information (ePHI) is any information in an electronic medical record (EMR) that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment.

This includes names, geographical locations, dates (such as dates of birth), phone numbers, email addresses, social security numbers, medical record numbers, license plate numbers, driver’s license numbers and biometrics.

Basically, any combination of personal identifiers that can be used to steal a person’s identity becomes ePHI when combined with EMR data.

HIPAA risk and compliance assessments that we’ve been involved with at hospitals in Israel, the US and Australia reveal that most patient privacy breaches are not perpetrated by hackers but by friends and family seeking information or insurance companies seeking to validate claims.

Social engineering methods are often employed with or without a “sweetener” and do not need to rely on exploiting software security vulnerabilities in order to breach patient privacy.

(Courtesy of my friend Alan Norquist from Veriphyr)

Information and Privacy Commissioner Ann Cavoukian ordered a Hospital in Ottawa to tighten rules on electronic personal health information (ePHI) due to the hospital’s failure to comply with the Personal Health Information Protection Act (PHIPA).

“The actions taken to prevent the unauthorized use and disclosure by employees in this hospital have not been effective.” – Information and Privacy Commissioner Ann Cavoukian

The problem began when one of the hospital’s diagnostic imaging technologists accessed the medical records of her ex-husband’s girlfriend. At the time of the snooping, the girlfriend was at the hospital being treated for a miscarriage.

Commissioner Cavoukian faulted the hospital for:

  • Failing to inform the victim of any disciplinary action against the perpetrator
  • Not reporting the breach to the appropriate professional regulatory college
  • Not following up with an investigation to determine if policy changes were required.

“The aggrieved individual has the right to a complete accounting of what has occurred. In many cases, the aggrieved parties will not find closure … unless all the details of the investigation have been disclosed.” – Information and Privacy Commissioner Ann Cavoukian

It was not the hospital but the victim who instigated an investigation. The hospital determined that the diagnostic imaging technologist had accessed the victim’s medical files six times over 10 months.

The information inappropriately accessed included “doctors’ and nurses’ notes and reports, diagnostic imaging, laboratory results, the health number of the complainant, contact details … and scheduled medical appointments.” – Information and Privacy Commissioner Report

Source:

(a) Privacy czar orders Ottawa Hospital to tighten rules on personal information, Ottawa Citizen, January 2011

Cross-posted from Pathcare
