Another Electronic Medical Record (EMR/EHR) Data Hack
I have harped on the topics of the potentially disastrous consequences of data loss or theft from medical health database repositories for some time now. I have personally been the victim of such a data loss by the Veterans Health Administration, which lost all my provider information, financial account and license numbers, social security and business banking numbers, addresses, and all the other personal information needed to make identity theft a breeze.
Nothing awful happened as a result of this loss. I was given a year's free three-bureau credit monitoring subscription by the VHA. It is my personal belief that one of their less experienced employees or interns had simply carried the information for a service provider demographic study offsite on a thumb drive to work on it at home and lost it. Since that time, I was again given a free year of credit monitoring when a bank lost a wee bit of data about its customers (around 3 million, as I recall). I've reported concerns about the National Health Database activity here and elsewhere on other occasions, stating the obvious qualification I would have to make to clients, were I still in active practice and following the privacy and confidentiality rules set forth by the HIPAA act. "I promise that I will keep your health information private and confidential, but there are about 173 other people and agencies out there that may have access to it that I can't vouch for."
A nascent occurrence of that dark vision of the future was announced very recently by many Internet and traditional media sources. The web site Office of Inadequate Security (databreaches.net) along with many other sources (I heard just enough of a sentence on CNN to immediately send me into search mode) reported a major health data theft from the Virginia Department of Health Professions. An article in the Richmond Times-Dispatch on 1 May 2009 reported that "Hackers may have gotten to Virginia health professions computers."
It was a little more serious than "may have" if the hacker's ransom demand, reproduced below, is to be believed:
"Thomas Claburn of InformationWeek reports:
The note reads: ATTENTION VIRGINIA I have your sh**! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :(
Read more on InformationWeek."
At this point, I will simply leave this example for your contemplation. Consider exactly what identifying information would have been required to be on these records in order for them to be of use to legitimate health care professionals, insurance carriers, Federal and State agencies, pharmacies, data processing centers, and others (including you) who have legitimate access to them. What would be the many possible negative consequences of having these records in the hands of those who do not have our best interests in mind?
Copyright © 2009, Thomas A. Blood, Ph.D.
"Like sex in Victorian England, the reality of Big Business today is our big dirty secret." - Ralph Nader