Breaches of Patient Privacy Expose Weaknesses in Health Systems and Security

By Karen Pallarito

WESTPORT, Aug 11 (Reuters Health) - Confidential patient information recently slipped into the wrong hands in separate incidents involving one of the nation's largest managed-care providers and a renowned Boston cancer center.

Kaiser Permanente, which serves 8 million members in 11 states and the District of Columbia, is currently studying how private data on 858 members ended up in e-mail messages sent to 19 individuals across the country.

Meanwhile, Dana-Farber Cancer Institute in Boston began notifying patients this week that personal information, such as names and Social Security numbers, may have been stolen from the hospital's computerized administrative records.

The incidents underscore the need for increased vigilance by providers and health plans, experts say. In each case, tighter systems or security checks might have prevented potentially embarrassing or intrusive breaches of personal information.

"Once somebody's confidentiality is violated, you can't undo it," Dr. Michael Rozen, vice president of consumer affairs and director of health record security for WellMed Inc., told Reuters Health. Rozen is a spokesman for Hi-Ethics, a coalition of Internet health sites and content providers dedicated to ensuring the privacy of patient information.

The troubles experienced by Kaiser and Dana-Farber are policy and procedure problems, not technical problems, Dr. Rozen asserted. He said that they illustrate the need for healthcare organizations to have compliance officers or specialists to ensure that identifiable patient information is kept private.

Beverly Hayon, a spokeswoman for Oakland, California-based Kaiser, said that the August 2nd e-mail snafu occurred amid a systems upgrade of the health plan's online member service. The e-mail messages contained information involving mostly routine matters, such as requests for appointments and inquiries for lab results, Hayon said. But they also contained personal information, including names, addresses, medical record numbers, and, in some instances, sensitive information, she acknowledged.

Because of a "technical glitch" involving systems, programming and human error, the information was inadvertently sent to 19 e-mail addresses around the country. The vast majority of those messages were never read or were deleted immediately after being opened, Hayon said. "Nonetheless, we did accidentally send people's confidential information and personal e-mails to someone else."

Kaiser has called all 858 members to apologize and explain what it is doing to correct the problem. Most people have been very understanding, Hayon said, although some are, not surprisingly, very angry.

In Boston this week, a former temporary employee of Dana-Farber pleaded not guilty to charges that she stole a patient's personal information, fraudulently opened a long-distance telephone account and ran up more than $2,000 in charges.

Steven Singer, the hospital's chief of communications, told Reuters Health that the hospital has reason to suspect that other patients may have been affected, and hospital officials are working closely with Boston police. The incident did not involve patients' medical records, he said.

Dana-Farber has hired a financial attorney to assist any patients whose credit records may have been marred by the incident. "No patient will be financially hurt by this," Singer said. The hospital also decided to immediately begin requiring background checks on all temporary workers.

But according to Joy Pritts, senior counsel for the Health Privacy Project at Georgetown University's Institute for Health Care Research and Policy, protective measures like that should have been in place all along. "People who are sick...don't need this at this time in their life," she said. "These are the most vulnerable people and they need to be protected."

Healthcare organizations need to conduct background checks to ensure that employees who have access to patient information are trustworthy, Pritts said. She added that there should be limited access "so that not everyone can get access to people's names and sensitive medical information."