Thursday, January 05, 2006

Info theft and ID fraud by HMO employees

James Walker over at HIPAA Blog reports on another incident of information theft and misuse in the US healthcare context:

Another Case of Indentity Theft: This time it's at Kaiser Permanente's South Bay Medical Center near LA. Contract employees copying medical records from the ER and surgery departments used their access to patient names, social security numbers, addresses, and other personal information to establish credit accounts in the patients' names and use the accounts to acquire high-end kitchen supplies. The two employees were caught red-handed and admitted their crimes, apparently. Four patients are known to be victims, but Kaiser sent letters to 25,000 patients who might be at risk.

This incident reinforces a few key items about HIPAA crime. First, it's not the "medical" information that is the big risk in intentional misuse of PHI, it's the financial information. There's not a big opportunity to make money off of information about someone's surgery, but there is a lot of money that can be improperly accessed with information about someone's social security number or bank accounts. Second, it's low-level employees that pose the greatest risk, particularly contract employees who might not be subject to as strict control as direct employees. Third, it's fairly easy for these people to be caught. Fourth, Kaiser points out that it is migrating to electronic medical records, which will eliminate the need for copying the records (and would eliminate these bad employees); of course, the other side of that coin is that these employees only had access to the records they made copies of, whereas if the information was part of an EMR, they might have had access to many more patient records.

His original post has a link to further coverage.

No comments: