CASE STUDY #1
Kaiser Permanente announced this week that a laptop computer containing names, membership identification numbers, dates of birth, gender, and physician information on 38,000 Kaiser Permanente members was stolen in the Denver area in early October from a car belonging to a Kaiser Permanente employee in California. (Laptop with patient info stolen, Rocky Mountain News, November 29, 2006)
CASE STUDY #2
Richard Yaw Adjei of Bear, Delaware pleaded guilty in federal court on November 16 to aggravated identity theft and three counts of fraud for his part in a widespread criminal scheme that used information from a hospital billing service to steal the identities of more than 400 people. U.S. Attorney Colm F. Connolly also announced the indictment of accomplice Linda Danyell Williams, a claims processor at a New Castle medical billing and collection firm, alleged to have sold Adjei information about more than 400 patients for an undisclosed sum. Adjei in turn set up a tax return business and used the stolen information, including names, birth dates, addresses, Social Security numbers, hospital admission dates, doctors’ names, and diagnosis codes, to submit bogus tax returns and receive refunds totalling more than $300,000 in the names of at least 163 of the victims. (O’Sullivan, S., ID theft scam used medical billing info, Delaware News Journal, November 18, 2006)
CASE STUDY #3
“Security weaknesses have left millions of elderly, disabled and poor Americans vulnerable to unauthorized disclosure of their medical and personal records, federal investigators said Tuesday. The Government Accountability Office said it discovered 47 weaknesses in the computer system used by the Centers for Medicare and Medicaid Services to send and receive bills and to communicate with health care providers. The agency oversees health care programs that benefit one in every four Americans. Its massive amount of data is transmitted through a computer network that is privately owned and operated. However, CMS did not always ensure that its contractor followed the agency’s security policies and standards, according to the GAO report. ‘As a result, sensitive, personally identifiable medical data traversing this network are vulnerable to unauthorized disclosure,’ the federal investigators said. The network handling Medicare claims transmits extremely personal information, such as a patient’s diagnosis, the types of drugs the patient takes, plus the type of treatment facility they visited, including treatment centers for substance abuse or mental illness.” (Freking, K., Auditors: health records at risk, Associated Press, October 3, 2006)
CASE STUDY #4
“Providence Health Systems agreed to reimburse the state of Oregon more than $95,000 in costs as part of a deal to settle a nine-month investigation into the largest data breach ever reported in Oregon. Medical records of 365,000 patients, stored on computer disks and digital tape, were in a car stolen from a Providence home services employee. The data was not encrypted. The theft revived efforts to enact stronger privacy protections in Oregon and spurred some patients to back a class-action lawsuit seeking damages from Providence.” (Rojas-Burke, J., Providence settles data breach, The Oregonian, September 27, 2006)
CASE STUDY #5
“New York City’s public hospital system will suspend 39 employees without pay for peeking at the private medical records of Nixzmary Brown. The case of the 7-year-old girl, who died in Brooklyn in January from beatings and torture, became a tabloid and TV news sensation, and dozens of workers at the Woodhull Medical and Mental Health Center apparently couldn’t resist looking at the child’s computerized medical file. The suspensions will last from 30 to 60 days, and each of the sanctioned employees will be required to undergo training in patient privacy rules before they return to work.” (Caruso, D., Prying N.Y. hospital workers suspended, Washington Post, September 25, 2006)
Answer the following questions:
1. What would you legally change to avoid/prevent this scenario from happening in the future?
2. Were there any downstream impacts of the confidentiality and data integrity issues in your example?
3. What are the ethical considerations, if any, in your case study?