Cavalier attitude about patient privacy is not acceptable

As an attorney and the editor of the HIPAA Answer Book, I found it particularly unsettling to read about the attempted blackmail by hackers who stole and encrypted the electronic health records of Surgeons of Lake County, a small medical practice, and held the data for ransom.

But it turns out that this is not an isolated incident. As reported by Bloomberg, medical data blackmail has occurred before, most notably against Express Scripts, which also dealt with a hacker-extortionist, and UC San Francisco Medical Center, whose offshore subcontractor threatened to expose patient information during a payment dispute.

Attorney Elizabeth Litten with Fox Rothschild in Princeton, N.J., told me just last week that one of her medical group clients also had been the victim of a hacker that shut down its EHR system and held the information for ransom. IT experts had been able to restore some, but not all of the data.

Not only do these patients--and their providers--need to worry about breach of confidentiality and potential identity theft, but they also need to worry about issues regarding patient safety. If the clinicians can't access the EHR, patient care can be compromised. Plus, it gives credence to those who are concerned that EHRs do not adequately protect patient privacy. The cavalier attitude of these extortionists is just incredible.

But at least these providers were innocent victims. It's really inexcusable when those in the industry who should know better--and are subject to HIPAA--take a similar cavalier attitude. 

Take a look at Eric McNeal, who in April 2010 hacked into the computer of his former employer, a perinatal medical practice, stole its patient information, and then erased the information from the database. Afterward, he used the stolen information to launch a direct marketing campaign on behalf of his new employer, another perinatal practice located in the same building. McNeal was sentenced to 13 months in prison plus community service earlier this year. One must assume that at least one of the medical groups had required him to undergo training in HIPAA.

Obviously he didn't care too much about the babies.

Researcher Huping Zhou, meanwhile, decided to go snooping into employer UCLA Healthcare System's EHRs when the health system informed him that he was being terminated from employment in 2003. Zhou accessed more than 300 records, including those of Tom Hanks and his supervisor. He was sentenced to four months in prison and incurred fines.

My personal favorite: I recently was contacted by the public relations representative of a Stanford University medical student who wanted me to write an article on how HIPAA was impeding his social life because he wasn't allowed to post patient information on Facebook or other social media.

I kid you not.

Evidently he and other medical students were creating secret identities to bypass HIPAA. None of these kids should be in medical school.

HIPAA enforcement should be harshest against these perpetrators. It's hard enough to comply with HIPAA; it's really bad when those who should know better don't seem to care. - Marla