
Tiger Woods Data Breach?

December 8, 2009
by David Raths

I was catching up on the news this morning, scanning the Huffington Post web site, when I came across a headline that troubled me: “Tiger Woods Overdose? OD Listed on Hospital Chart.”

The story quotes the celebrity gossip web site TMZ as reporting that Tiger Woods was admitted to Health Central Hospital the day after Thanksgiving as an overdose.

“Sources connected with the hospital tell TMZ the admissions chart lists "OD" and that he was having trouble breathing,” it continued.

For now let’s leave aside the question of whether it is appropriate for news publications to be serving up all this titillating gossip about famous people’s private lives. I am more concerned that this type of report continues to feed the general public’s suspicion that once their health records are electronic, many more people will have access to them, increasing the likelihood that someone will look at them for reasons other than direct patient care. Under new accounting of disclosure rules, even explaining to people why 75 hospital employees had legitimate reasons to access their chart may be difficult.

I have been interviewing CIOs about the new data breach regulations going into effect as part of the HITECH Act.

Many CIOs are nervous about whether the audit log systems they have in place are sophisticated enough to proactively sense when records are being accessed inappropriately – for instance, by staffers who have no clinical or business reason for looking at them. The question is, other than more training, what do you do about staffers who do have good reason to look at records and then go blab to tabloids about what they have seen?
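To make the first half of that question concrete, here is an added example (not from the article, and not any hospital's or vendor's software) of the kind of audit-log review those CIOs are worried about. It runs two checks over a handful of constructed EHR access records: accesses by users who have no documented treatment relationship with the patient, and charts that many distinct users open within a short window, the pattern that a celebrity admission tends to produce. The log format, the user names and the `CARE_TEAM` table are all assumptions made up for the example.

```python
"""Added example: reviewing EHR access audit logs for inappropriate access.

Everything below is constructed for illustration; it is not a real hospital
log, a real EHR API, or the author's own code.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (assumed format): timestamp|user|role|patient_id|action
SAMPLE_LOG = """\
2009-11-27T08:02:11|nurse_a|RN|P1001|VIEW
2009-11-27T08:05:40|dr_b|MD|P1001|VIEW
2009-11-27T09:12:03|clerk_c|ADMIN|P1001|VIEW
2009-11-27T09:14:55|nurse_d|RN|P1001|VIEW
2009-11-27T09:20:30|nurse_e|RN|P1001|VIEW
2009-11-27T10:01:00|dr_b|MD|P2002|VIEW
2009-11-27T10:03:00|nurse_a|RN|P2002|UPDATE
"""

# Constructed treatment relationships: patient -> users with a documented care role.
# A real system would derive this from admissions, orders or scheduling data.
CARE_TEAM = {
    "P1001": {"nurse_a", "dr_b"},
    "P2002": {"dr_b", "nurse_a"},
}


def parse_log(text):
    """Parse pipe-delimited audit lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue
        ts, user, role, patient, action = parts
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user, "role": role, "patient": patient, "action": action,
        })
    return events


def flag_no_relationship(events, care_team):
    """Return (user, patient, timestamp) for every access by a user who is not
    on the patient's care team. These are the accesses with no obvious
    clinical or business reason."""
    return [
        (e["user"], e["patient"], e["ts"])
        for e in events
        if e["user"] not in care_team.get(e["patient"], set())
    ]


def flag_access_spike(events, window_hours=2.0, min_distinct_users=3):
    """Return {patient: set_of_users} for charts that at least
    `min_distinct_users` different users opened within any window of
    `window_hours`. This catches the 'many eyes on one chart' pattern even
    when each individual user might plausibly have a reason."""
    window = timedelta(hours=window_hours)
    by_patient = defaultdict(list)
    for e in events:
        by_patient[e["patient"]].append(e)

    spikes = {}
    for patient, evs in by_patient.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            # Distinct users whose access falls inside the window opened by this event.
            users = {e["user"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(users) >= min_distinct_users:
                spikes[patient] = spikes.get(patient, set()) | users
    return spikes


def review(text, care_team):
    """Run both checks and return a summary suitable for a privacy officer's queue."""
    events = parse_log(text)
    return {
        "events": len(events),
        "no_relationship": flag_no_relationship(events, care_team),
        "spikes": flag_access_spike(events),
    }


if __name__ == "__main__":
    result = review(SAMPLE_LOG, CARE_TEAM)
    print(f"{result['events']} events reviewed")
    for user, patient, ts in result["no_relationship"]:
        print(f"no care relationship: {user} opened {patient} at {ts.isoformat()}")
    for patient, users in result["spikes"].items():
        print(f"access spike: {patient} opened by {len(users)} users: {sorted(users)}")
```

On the constructed data the first check flags `clerk_c`, `nurse_d` and `nurse_e` on chart `P1001`, and the second flags `P1001` itself because five different users opened it inside two hours. Both checks only answer who opened a record and whether they had a documented reason to; they say nothing about what a user who did have a reason later does with what they saw, which is exactly the second half of the question above and why it has no purely technical answer.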

Some CIOs and chief security officers may be skeptical that the new data breach rules will be enforced any more heavily than HIPAA has been. Many have seen HIPAA enforcement as a joke. But if enforcement is ramped up, it could be painfully expensive for many hospitals both in real-dollar terms and in a public relations sense. As one CIO told me, “It’s pretty hard to argue with $1.5 million in fines. That makes the cost of a risk assessment look pretty reasonable.”


Comments

Marc makes a good point that we could probably come up with examples of patient records leaked to the press from 100 years ago. But cases like the "Octomom" example suggest the electronic records make it easier for MORE employees to look at records. In that case, employees of the organization located at other clinics and hospitals were calling up the record to look at it! It feeds consumer distrust, and will make it harder for HIEs to get them to "opt in" to record sharing.

David - I strongly agree that incidents have a very negative impact on the public's ability to trust an electronic record system. I think this is a case where "the celebrity treatment" is definitely a negative thing: their health records have become fair game, and each time a record from Tiger Woods or Britney Spears is leaked (against all rules and ethics, mind you), the public gets a little more skeptical about whether their own records will be safe.

And you bring up a very interesting point about when staffers do access a patient record legally, but then leak the info. How on earth can CIOs and other execs defend against this? This is a very, very tricky issue that could really throw a wrench into things.

I was recently talking to a Chief Privacy Officer for a large insurance provider and she was remarking how they fire people nearly every quarter for inappropriately accessing patient records. What I found most interesting was what the violators said during the investigation and HR exit process. Namely, they almost all said that they were aware of the data breach rules and that the consequences for inappropriately accessing a record were termination. When asked why they accessed the records if they knew that they could be fired, the most common response was that they were just "too curious" and "couldn't help themselves". The second most common response was that "sure other people have gotten fired, but surely I won't get fired."

No amount of education will keep curiosity (and ignorance) from killing the cat!

I think that another fundamental misperception at play is that "your computer" at work is "your computer". In fact, not only is that computer NOT yours, but everything you do, see, access, initiate and download belongs 100% to your employer. There is NO reasonable expectation of privacy when using a corporate network.

All this being said, patient records have been leaked to the press since long before the days of the electronic record. The issue of individuals who have justifiable access leaking information is as old as yellowsheets and human vanity.

David Raths

Contributing Editor


@DavidRaths

www.linkedin.com/in/davidraths

David Raths’ blog focuses on health IT policy issues ranging from patient privacy to health...