Medical Information from 20,000 Patients Posted Online

By ThinkReliability Staff

Unfortunately, the privacy of health records has become an increasingly frustrating issue. The Department of Health and Human Services has reported that, over a period of more than two years, records for 11 million people were potentially exposed to the public. One recent medical records breach has made the news not only for the number of patients affected but for the length of time the records remained publicly exposed.

A hospital in California recently notified 20,000 patients that their data had been published on a commercial website from September 9, 2010 to August 23, 2011. The published data was discovered by a patient; it had been used to demonstrate how to turn a data set into a bar graph. The data had originally been given to an outside contractor for billing purposes. Although it did not contain the information usually used for identity theft, such as Social Security numbers, it did include patient names and diagnosis codes. A name paired with a diagnosis is still protected health information, and it is extremely personal: the absence of Social Security numbers reduces the fraud risk but does nothing to reduce the privacy harm.

We can examine this issue in a Cause Map, or visual root cause analysis. A Cause Map begins with the impacts to an organization's goals and uses the principles of cause-and-effect to examine the causes that contributed to those impacts. Any breach of patient privacy can be considered an impact to the patient services goal. In fact, health care organizations may choose to add a new goal category of "Patient Privacy". (This is shown on the downloadable PDF; to view it, click "Download PDF" above.) In addition to the impacted patient services and patient privacy goals, the hospital was fined $250,000 (the maximum) by the California Department of Public Health and provided identity protection services to the affected patients. Given the astonishingly large number of medical records accidentally made public, this is an issue to which all healthcare facilities should be paying attention.

Exactly how the data reached the public website (a homework-assistance site) is not known, but the data had been provided to an outside contractor used for billing purposes. The hospital no longer uses that contractor, and some privacy experts say that hospitals who provide patient information to outside contractors need better confidentiality agreements. What is particularly disturbing about this case is that the data remained online for nearly a year and was discovered by a patient rather than by the hospital or the contractor. However, there does not seem to be a practical way for individual organizations to monitor the internet for misplaced patient data, and a confidentiality agreement only assigns responsibility after the fact; it does not stop a file from being copied. The focus should instead be on protecting medical data upfront: limiting what is shared with a contractor to the fields the billing task actually requires, and controlling how that data is stored and passed on once it leaves the hospital, so that any breach that does occur exposes as little as possible.

To view the Outline and Cause Map, please click "Download PDF" above, or read the New York Times article to learn more.