A study by the US Government Accountability Office shows that more than 40% of contractors handling public health insurance data have experienced privacy breaches. Unfortunately, the report is unclear about the severity: one misdirected fax is different from widespread information theft, but the report treats them equally. The report also considers the extent of offshore outsourcing and its impact on privacy.
GAO: Health care privacy breaches widespread:
But the frequency and severity of the breaches is unclear
September 06, 2006 (Computerworld) -- More than 40% of U.S. Medicare contractors and state Medicaid agencies have experienced a privacy breach involving personal health information -- although the frequency or severity of the breaches remains unclear, according to a report released yesterday by the U.S. Government Accountability Office.
The GAO reviewed the role of private contractors in administering three of the nation's major public health insurance programs -- Medicare, Medicaid and the U.S. Department of Defense's Tricare program. Those agencies have medical data on more than 100 million Americans, according to the GAO.
According to the study, 47% of Medicare Advantage contractors reported privacy breaches within the past two years, as did 44% of Medicaid agencies, 42% of Medicare FFS (fee for service) contractors and 38% of the contractors for the Tricare program.
The report noted that more than 90% of Medicare contractors and state Medicaid agencies -- and 63% of Tricare contractors -- reported some level of domestic outsourcing in 2005, involving anywhere from three to 20 U.S. vendors.
In addition, some federal contractors and state Medicaid agencies knew that those domestic vendors had sent some of the work offshore, the GAO said. Thirty-three Medicare Advantage contractors, two Medicare FFS contractors and one Medicaid agency indicated that their domestic vendors transferred personal health information of U.S. citizens offshore. They did not, however, offer data about the scope of the information transferred overseas.
"Moreover, the reported extent of offshore outsourcing by vendors may be understated because many federal contractors and agencies did not know whether their domestic vendors transferred personal health information to other locations or vendors," the GAO said....