Computerworld is reporting that “the theft of a computer from the office of an Ohio-based health care contractor on Nov. 23 has exposed sensitive data belonging to tens of thousands of patients in five health care firms across five states.” They add that “the compromised data includes the names, addresses, medical record numbers, diagnoses, treatment information and Social Security numbers of the patients.”
One under-recognized problem with our complex health care system is that information has to be shared by many parties. Here are a few of them: health care providers, insurance companies, bill processing vendors, data analysis/reporting services, utilization management companies, and specialty vendors (e.g. psychiatric care management services).
This creates a proliferation of personal data across a series of computer systems, amplifying the risk for theft or accidental loss of personal data. In many cases thieves are only interested in stealing the hardware, but wind up with personal information on their hands.
The Privacy Rights Clearinghouse tracks the loss of personal data, much of which involves health and insurance information. In one well-known case, a laptop belonging to Marsh CS Stars disappeared with information on over 200,000 insurance claimants. In another, a data entry person in India stole personal claims data and used it in an attempt to force her employer’s U.S. client to reimburse her for money she felt she was owed. Hospitals and health care companies have also been affected.
Other breaches of health or insurance data involved the California Department of Health Services, Christus St. Joseph Hospital, University of Florida Health Sciences Center, Ohio State University Medical Center, University of Tennessee Medical Center, and Keck School of Medicine at USC. And that’s just for one year.
These incidents will continue. For legal reasons, players in the health & insurance arena will need to demonstrate that they made serious efforts (under the “prudent person” principle) to protect personal data. Insurers who provide E&O and other coverage may also want to review their underwriting practices, particularly regarding the storage of personal information on laptops that are more easily misplaced or stolen.
That’s a form of ‘insurance portability’ that nobody needs.