Medical identity theft strikes 5.8% of U.S. adults: Via Network World at Computerworld Privacy News.

Identity thieves are not only interested in tapping financial resources, but are also after your medical identification data and services.

Medical identity theft typically involves stolen insurance card information, or costs related to medical care and equipment given to others using the victim's name. Roughly 5.8% of American adults have been victimized, according to a new survey from The Ponemon Institute. The cost per victim, on average, is $20,160.

Is your health privacy at risk?

"The National Study on Medical Identity Theft" is based on findings from 156,000 people who agreed to discuss identity theft in general. Among those surveyed, 5.8% provided specific details about how they had been hit by medical ID theft, in particular. [ Read more ... ]

Ninth Circuit addresses “actual damages” under the Privacy Act: Via Personal Health Information Privacy blog.

I posted this yesterday to PogoWasRight.org but then it dawned on me today that since this involved medical information, I should have posted it here, too:

A new ruling from the Ninth Circuit in Cooper v. FAA addresses the meaning of “actual damages” in the Privacy Act. The case arose when federal agencies shared information without consent in “Operation Safe Pilot:”

Read Original Article:(Via Personal Health Information Privacy blog.)

Technologists need to step up in privacy debate: Via Tom Mitchell: Computerworld Blogs.

Could a lack of privacy regulations in the U.S. and abusive practices lead to a backlash that negatively affects scientific research for the greater social good? That worries Tom Mitchell, a Carnegie Mellon professor and machine learning researcher, whose profile appears this week in the pages of Computerworld.

As smart phones diligently record people's locations, movements and other activities, machine learning and real time data mining can be used for the greater good. For example, real time positioning and movement data from you smart phone is already being used to track traffic congestion. Soon it could be used to change traffic light patterns in order to optimize traffic flows.

Machine learning algorithms feed on such data to make predictions for good -- or ill. Patient data could be analyzed to inform you that yesterday you came in contact with someone who has a contagious disease. But if you have the disease, do you want that information made public? What about entities that might use machine learning tools to identify you in random groups of photos that you or others have posted on the Web? How about identifying your mother or your child? [ Read more ... ]

A Good Day for Health Privacy: Via CDT.

Today’s Health IT News was focused on the Health IT Policy Committee’s discussions about adding some flexibility to the criteria that health care providers and hospitals will have to meet in order to be “meaningfully using” health IT.  Only “meaningful users” are eligible for to receive federal funds under the stimulus legislation (ARRA) to purchase electronic health records.  

  [ Read more ... ]

Guard Your Health Insurance Card: Via Bucks Blog - NYTimes.com .

You may want to make sure you know where your health insurance card is.

According to a new study, the 2010 Identity Fraud Survey Report, from the research company Javelin Strategy & Research, 7 percent of identity fraud victims this year reported identity thieves stole their health insurance information, up from just 3 percent last year.

So even though the actual total dollar amount of health care identity fraud didn’t increase meaningfully from 2008 to 2009, James Van Dyke, the president and founder of Javelin, said he expected to see more incidences of health insurance identity fraud showing up in next year’s study and beyond. “We’re seeing more criminal access to private medical records in our survey now, and therefore, we expect to see resulting increases in health care fraud in future years’ studies,” Mr. Van Dyke said. [ Read more ... ]

ShmooCon: Inside FarmVille's sinister underbelly: Via Computerworld Security News.

You love Facebook apps like FarmVille and Mafia Wars and think they're perfectly safe, right? Think again.

You see it all the time on Facebook: A friend moving on up in FarmVille. Another friend trying to expand his posse in Mafia Wars. Everyone thinks of them as harmless third-party applications, free from the crooks and cooks of cyberspace.

Unfortunately, that's not the case.

The sad fact is that these applications are susceptible to malware pushers and those looking to steal your personal information. It's not much of a stretch for hackers to impersonate people you think are trusted, fellow players, as is the case with a lot of online gaming. And the more you expose yourself, the bigger the target you become. [ Read more ... ]

Texas to Destroy Baby Blood Taken without Consent: Via CNSNews.com .

Austin, Texas (AP) - Texas health authorities will destroy more than five million blood samples taken from babies without parental consent and stored indefinitely for scientific research.
 
The Texas Department of State Health Services announced Tuesday it would destroy the samples after settling a federal lawsuit filed by the Texas Civil Rights Project. The project, acting on behalf of five plaintiffs, had sued the Texas Department of State Health Services and the Texas A&M University System.
 
The lawsuit alleged that the state's failure to ask parents for permission to store and possibly use the blood - originally collected to screen for birth defects - violated constitutional protections against unlawful search and seizure. The plaintiffs cited fears their children's private health data could be misused. [ Read more ... ]

Connecticut AG Opens New Era in HIPAA Enforcement with Health Net Suit: Via Security, Privacy and The Law Published by Foley Hoag LLP.

In the first instance of a state attorney general exercising the new powers granted by the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), Connecticut Attorney General Richard Blumenthal (and recently announced candidate for the U.S. Senate) filed suit today against Health Net of Connecticut, Inc. for failing to secure private patient medical records and financial information involving 446,000 enrollees in Connecticut and for failing to promptly notify consumers of the security breach. [ Read more ... ]

Children's hospital lost data on 1m patients: Via IT Law in Ireland.

In a follow up to his excellent story about Temple Street Children's Hospital storing DNA samples of over 1.5 million people without any legal basis, Mark Tighe has a piece in today's Sunday Times revealing that the hospital also lost two servers full of information about patients in 2007:

Two computer servers containing the records of almost 1m patients were stolen from the Children’s University hospital in Temple Street in 2007 and have never been recovered.

The data were far more than that lost on stolen bank laptops in recent years. The theft was investigated by the data protection commissioner (DPC) and the gardai after being reported by the Dublin hospital in February 2007. The organisations had decided that there was no need to inform the public, believing there was little chance of the thief being able to access the data.

Patients’ details, including names, date of birth and reason for admission are thought to have been included.

Interestingly, there's no mention of the servers having been encrypted, making it unclear on what basis it was decided that the data couldn't be accessed. [ Read more ... ]

Medical breakthrough: VA, Kaiser to share records: Via SignOnSanDiego.com.

Kaiser Permanente and the U.S. Department of Veterans Affairs today will launch an electronic medical-data exchange program in San Diego that could become the seed for the much touted but equally elusive national health records system.

The collaboration, which will be detailed at a news conference in La Jolla, marks the first time a computerized patient-records system operated by a federal agency has been linked to one operated by a private organization.

Under the new partnership, Kaiser and VA doctors in San Diego County will gain instant access to certain files from both institutions for about 1,000 patients who receive care from both providers.

The U.S. Department of Defense, which uses a separate set of electronic records, will join the program in a few months, Kaiser and VA officials said. [ Read more ... ]

Passing a Data Privacy Bill (NYT Letter to the Editor): Via NYT > Privacy (NYT Letter to the Editor).

To the Editor:

I know that the kind of protection you advocated in “Keeping Personal Data Private” (editorial, Nov. 25) is needed, in part because my own medical history became an open book after somebody took a laptop from the car trunk of a National Institutes of Health employee. [ Read more ... ]

Health Insurer Loses 1.5 Million Patient Records: Via Threat Level.

A health insurer lost 1.5 million patient records last May but waited six months to disclose the incident.

The data, which was stored on a portable disk drive that disappeared from the insurer’s office, was unencrypted and included patient Social Security numbers, bank account numbers and health data, according to the Hartford Courant. The disk also contained personal information on at least 5,000 physicians.

Health Net discovered the loss in May but never informed patients, law enforcement or government entities, despite data breach laws in some states that require data spillers to notify victims and state officials when residents are affected by a breach. The insurer finally sent a letter to Connecticut’s attorney general and the state’s Department of Insurance this week. [ Read more ... ]

Uses of Medical Histories Are Curtailed Under a New Law: Via NYTimes.com .

The most important new antidiscrimination law in two decades — the Genetic Information Nondiscrimination Act — will take effect in the nation’s workplaces next weekend, prohibiting employers from requesting genetic testing or considering someone’s genetic background in hiring, firing or promotions.

The act also prohibits health insurers and group plans from requiring such testing or using genetic information — like a family history of heart disease — to deny coverage or set premiums or deductibles.

“It doesn’t matter who’s asking for genetic information, if it’s the employer or the insurer, the point is you can’t ask for it,” said John C. Stivarius Jr., a trial lawyer based in Atlanta who advises businesses about the new law. [ Read more ... ]

The Key to Health IT’s Success: A Comprehensive Privacy and Security Framework: Via American Constitution Society's Blog.

Health information technology ("health IT") has been widely recognized as an essential tool in achieving a number of health care reform goals, including improving health care quality, reducing costs, increasing efficiency, and boosting consumer participation in their own health care. But without strong privacy and security protections in place, the risk of electronic health data falling into the wrong hands and being used for inappropriate purposes is amplified.

Survey data shows that the public is cognizant of both the benefits and risks of health IT. A large majority of consumers would like electronic access to their health data (for themselves and their providers), but are still concerned about the privacy of their data. [ Read more ... ]

Massive Gene Database Planned in California: Via MIT's Technology Review.

The data will be compared against electronic health records and patients' personal information.

Plans for genetic analyses of 100,000 older Californians--the first time genetic data will be generated for such a large and diverse group--will accelerate research into environmental and genetic causes of disease, researchers say.

"This is a force multiplier with respect to genome-wide association studies," says Cathy Schaefer, a research scientist at Kaiser Permanente, a health-care provider based in Oakland, CA, whose patients will be involved. Researchers will be able to study the data and seek insights into the interplay between genes, the environment, and disease, thanks to access to detailed electronic health records, patient surveys, and even records of environmental conditions where the patients live and work.

"The importance of this project is that it will, almost overnight--well, in two years--produce a very large amount of genetic and phenotypic data that a large number of investigators and scientists can begin asking questions of, rather than having to gather data first," Schaefer says. [ Read more ... ]

Medical Records: Stored in the Cloud, Sold on the Open Market: Via Threat Level.

When patients visit a physician or hospital, they know that anyone involved in providing their health care can lawfully access their medical records.

But unknown to patients, an increasing number of outside vendors that manage electronic health records also have access to that data, and are reselling the information as a commodity.

The revelation comes in a recent New York Times article about how so-called “scrubbed” patient data isn’t as anonymous as people think. The piece focuses primarily on how anonymized data can be easily de-anonymized when cross-bred with other publicly available databases, such as voting records. But buried near the end of the article is the news that medical data is collected, anonymized and sold, not by insurance agencies and health-care providers, but by third party vendors who provide medical record storage in the cloud. [ Read more ... ]

Proposed Rule Implements the Genetic Information Nondiscrimination Act: Via CDT - PolicyBeta.

On October 1st, the Office of Civil Rights (OCR) within the Department of Health and Human Services (HHS) issued a Proposed Rule with respect to the Genetic Information Nondiscrimination Act (GINA), a federal law passed in May 2008 that protects individuals against discrimination in health care coverage and employment based on genetic information. Many states already have similar laws in place, but GINA provides a new federal baseline level of protection against genetic discrimination in health care coverage and employment.

The proposed rule attempts to implement new privacy and confidentiality protections in Title I of GINA, which deals with nondiscrimination in health care coverage, and makes changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. [ Read more ... ]

Med Students on Twitter, Facebook: No Patient Privacy?: Via TIME.

Personal profiles on Facebook and other social-networking sites are a trove of inappropriate and embarrassing photographs and discomfiting breaches of confidentiality. You might expect that from your friends and even some colleagues — but what about your doctor?

A new survey of medical-school deans finds that unprofessional conduct on blogs and social-networking sites is common among medical students. [ Read more ... ]

US healthcare data plan slammed for encryption get-out clause: Via The Register(UK).

New data breach rules for US healthcare providers have come under criticism from a security firm that specialises in encryption.

As part of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which comes into effect from 23 September, health organisations in the US that use encryption will no longer be obliged to notify clients of breaches.

More specifically (as explained here - PDF) only HIPAA-covered healthcare providers and health plans that omit the use of encryption or information destruction will be obliged to notify individuals about a breach of their personal health information. [ Read more ... ]

HHS’ New Harm Standard for Breach Notification: Via CDT - PolicyBeta.

In late August, the Dept. of Health and Human Services (HHS) released an interim final rule on health data breach notification. Through the rule, HHS establishes data security standards that HHS believes are strong enough to eliminate the need to notify consumers of a data breach. That is, if a health care entity applies one of these security processes to its data, and then that data is lost or otherwise breached, the entity does not have to inform patients. Some of the rule’s security processes are quite good, such as strong encryption standards. Unfortunately, however, HHS packed an overly broad and unreliable standard in with the good ones: the “harm standard.”

(CDT had issued comments to the HHS rulemaking in May 09. For more information about the interim final rule and CDT’s comments, please see our earlier blog post.) [ Read more ... ]

"Anonymized" data really isn't—and here's why not: Via Ars Technica.

Companies continue to store and sometimes release vast databases of "anonymized" information about users. But, as Netflix, AOL, and the State of Massachusetts have learned, "anonymized" data can often be cracked in surprising ways, revealing the hidden secrets each of us are assembling in online "databases of ruin."

The Massachusetts Group Insurance Commission had a bright idea back in the mid-1990s—it decided to release "anonymized" data on state employees that showed every single hospital visit. [ Read more ... ]

Is your health privacy at risk?: Via Network World.

Hospitals, pharmacies and health insurance companies are among the hardest hit when it comes to hacker attacks, stolen laptops, spying employees and other information security mishaps.

Healthcare organizations are losing more than just names, addresses and Social Security numbers. When their data gets stolen, patients lose the privacy of their medical conditions, treatments and medications while at the same time falling prey to identity theft, medical billing fraud and other criminal schemes.

Theft of electronic medical records is on the rise, and the implications are getting more serious. [ Read more ... ]

Some Privacy Recommendations for Google Book Search: Via CDT - PolicyBeta.

CDT has released our analysis of the privacy implications of the settlement in the Google Book Search lawsuit, which includes a detailed set of privacy recommendations for Google to consider as the service is developed.

As David Sohn initially wrote in October, CDT believes the settlement has a lot to offer the reading public, namely dramatically expanding access to the millions of books Google has scanned and indexed. Such a shift, though, does not come without concerns, particularly with respect to traditional the library values of patron privacy and intellectual freedom. With the release of today’s report, CDT joins our colleagues at the EFF, the ACLU, and UC–Berkeley’s Samuelson Law, Technology, and Public Policy Clinic, in calling for strong privacy protections in the expanded service. [ Read more ... ]

What is PII? How About Groups Of Otherwise Non-PII?: Via Realtime IT Compliance.

I want to continue my look at the concept of personally identifiable information (PII), and what types of items, in particular, are considered as such...

A topic that is important and interesting to think about is how non-PII items, when combined with certain other non-PII items, can actually become PII. In other words, aggregating non-PII to form PII. In case that sounds fuzzy, think about it, very simplistically, this way...

Consider a zip code, first name, and birth year.

If you look at each of these separately, it would be hard to say you can link each of them to a specific individual. However, if you look at the three items in combination, you could very well be able to identify a specific individual. [ Read more ... ]

9th Circuit Fills Prescription for Religious Refusals at the Pharmacy: Via Blog of Rights: Official Blog of the American Civil Liberties Union.

(Originally posted at RH Reality Check.)

Last week, the U.S. Court of Appeals for the 9th Circuit lifted the injunction (PDF) on the Washington State pharmacy rules that protect a patient’s right to access medication without discrimination or delay. This is good news for the millions of women seeking to purchase contraception at pharmacies.

Across the country, we hear stories of individual pharmacists and pharmacies refusing to fill prescriptions based on a religious objection. Many times these stories come from patients trying to fill prescriptions for birth control, including emergency contraception.

Because the ACLU is committed to the health care needs of patients and the religious freedom of individual pharmacy employees, we advocate for solutions that protect both. [ Read more ... ]