Texas to Destroy 5.3 Million Illegally Obtained Blood Samples

As part of the settlement of a federal court action, the State of Texas has agreed to destroy more than 5 million blood samples taken from babies without parental consent and stored indefinitely for the purpose of scientific research.  The Texas Department of State Health Services announced earlier this week that it would destroy the samples in connection with the settlement of a federal lawsuit filed in March 2009 by the Texas Civil Rights Project on behalf of five parents of children whose blood was being held for use in research without their consent. 

The parents' complaint alleged that the state’s failure to ask parents for permission to store and possibly use the blood - originally collected lawfully in order to screen for birth defects - violated constitutional protections against unlawful search and seizure. The parents also expressed fears that their children’s private health data could be misused and that the disclosure of that data could lead to discrimination against them later in life.  Under the settlement, the blood samples collected without parental consent must be destroyed by early next year.  State authorities estimated that some 5.3 million samples would be destroyed as part of this process.  The State of Texas also is required to publish a list of all research projects that used the blood specimens.


Massachusetts Court Holds Disclosure of Patient Records Does Not Violate HIPAA or State Consumer Statute

In Mercier v. Courtyard Nursing Care Center, 2009 WL 1873746 (Mass. Super. Ct. Jun. 11, 2009), a resident of a nursing home sued the home in Massachusetts Superior Court for negligence after being assaulted by another resident.  The injured resident moved to obtain medical records maintained by the home regarding the resident who had allegedly committed the assault.  The home contended that disclosure of the records would violate both HIPAA’s prohibition on disclosure of medical records without a patient’s authorization and Mass. Gen. L. ch. 93A, the Massachusetts unfair and deceptive practices statute.

The court, however, held HIPAA permitted disclosure of medical records “in the course of a judicial proceeding,” including in response to a court order, subpoena or discovery request. The court further observed that, although a Massachusetts regulation states that unauthorized release of a patient’s personal or medical record violates ch. 93A, the regulation contains a specific exception for disclosures “required by law.”  The court held that disclosure pursuant to a court order requiring production of records constituted such a disclosure.  The court also held that the sought-after records were likely to lead to admissible evidence regarding defendant’s knowledge of the alleged propensity for violence of the resident who had committed the assault and therefore ordered production of the records.  [Thanks to Foley Hoag's Eric Haskell for this entry.]

Incident(s) of the Week: Double Feature

Incident 1: UNC Data Breach Exposes Information On Over 100,000 Women Listed In Mammogram Registry

The University of North Carolina at Chapel Hill recently disclosed a data breach that exposed information on 160,000 women, including the Social Security Numbers of 114,000.  Original reports estimated that more than 200,000 women were affected.  The source of the breach was a computer intrusion into a server housing the Carolina Mammography Registry, which is "a 14-year-old project that compiles and analyzes mammography data submitted by radiologists across North Carolina."

Evidently, the breach was discovered in July, but it may have occurred over two years ago.  According to Matt Mauro, chairman of the UNC Department of Radiology, traces of computer viruses dating back to 2007 were found on the UNC server.  The school delayed in notifying those affected while it conducted a forensic investigation to determine exactly who was affected.  To this point, however, the school still does not know who committed the breach, where the attack originated, how the server (which had all required security measures) was breached, or whether any data was actually downloaded.

Incident 2: Massachusetts Inmate Pleads Guilty to Charges that He Hacked Prison Computer While Incarcerated, Accessed Personal Information On 1,100 Correctional Officers

On September 14, 2009, Francis G. Janosko pled guilty to charges that he hacked a legal research computer provided to inmates in the Plymouth County Correctional Facility.  A highly restricted computer terminal was provided to inmates for the sole purpose of allowing them access to legal research resources.  Janosko apparently circumvented security measures restricting the computer to legal research tools, obtained the administrator's username and password, and gained access to the prison's internal network and to a report listing the names, birthdays, Social Security Numbers and contact information for 1,100 current and former prison personnel.  He also used the computer to send email and download publicly-available photographs and videos.

A grand jury in Boston indicted Janosko for these activities about a year ago in a sealed indictment (.pdf).  In the plea agreement (.pdf) recently reached with the U.S. Attorney's Office in Boston, federal prosecutors have agreed to dismiss the original charge of aggravated identity theft in exchange for Janosko's guilty plea to charges under the Computer Fraud and Abuse Act.  Janosko has agreed to accept an additional incarceration of 18 months for the hack.  Sentencing in the case is scheduled for December 15th.

Incident of the Week: FBI Arrests Hacker Posing as Security Guard Who Infiltrated Texas Hospital Days Before "Devil's Day" Attack

This week, the U.S. Attorney's Office for the Northern District of Texas announced that the FBI has arrested Jesse William McGraw, a 25-year-old contract security guard at the W. B. Carrell Memorial Clinic, a hospital in Dallas, Texas, for hacking the hospital's computers and air conditioning system. For many businesses, an attack on ventilation systems might be an inconvenience, but the threat could be much more serious for critical care patients in healthcare institutions like the Carrell Clinic. McGraw is charged with violations of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. sec. 1030.

McGraw had given his one week notice to hospital security contractor, United Protective Services, and was scheduled to depart on July 3, 2009.  His intrusion into hospital systems was allegedly made in preparation for a larger attack on July 4th, a day he referred to as "Devil's Day."  The story behind the arrest is laid out in the criminal complaint and supporting affidavit filed in federal court (.pdf); however, a number of other details have emerged over time that demonstrate how vulnerable many institutions may be to insiders.

Continue Reading...

Interview with M. Eric Johnson, Part 3

In this, the third and final part of Security, Privacy and the Law’s interview with M. Eric Johnson (Part 1 may be found here and Part 2 is here), Dr. Johnson talks about why the fragmented nature of the American healthcare system is so dangerous and why he believes greater consolidation would better protect private information. He also talks about the specific problems associated with data security on peer-to-peer file sharing networks.

Continue Reading...

Interview with M. Eric Johnson, Part 2

In this, the second part of Privacy, Security and the Law’s three part interview with M. Eric Johnson (begun here), Dr. Johnson talks about why he thinks the healthcare sector is uniquely vulnerable to security breaches and what special problems that vulnerability poses.

Continue Reading...

New Study: Patient Privacy Rules Hamper Adoption of Electronic Medical Records

A recent article from Computerworld reports that, according to a new study conducted by researchers from MIT and the University of Virginia, "EMR [Electronic Medical Record] adoption is often slowest in states with strong regulations for safeguarding the privacy of medical records."   According to the study, in states with "strong privacy laws", the number of hospitals using EMR systems is up to 30% lower than in states with "less stringent privacy requirements."  The study, "which looked at EMR adoption in 19 states over a 10-year period", concludes that the reason for the disparity is that "privacy rules often made it harder and more expensive for hospitals to exchange and transfer patient information, thereby reducing the value of an EMR system."  According to the article, one of the study's authors, Catharine Tucker, stated that "[p]olicy-makers are going to have to choose how much EMR adoption they want and at what cost to patient privacy."

It is worth noting that the study's methodology has been subject to some criticism.  According to the article, Deven McGraw, director of the health privacy project at the Center for Democracy and Technology, said that "the study was based on old data and didn't consider all of the factors that a health care organization would typically look at when deciding whether to adopt an EMR system."  Instead, according to McGraw, the study "looked at whether a state has a medical privacy law and then looked at EMR adoption in that state to draw its conclusions."  Deborah Peel, chair of the Patient Privacy Rights Foundation in Austin, Texas, also criticized the study's conclusions.

Interview with M. Eric Johnson, author of "Data Hemorrhages in the Health-Care Sector"

I recently had the chance to sit down with M. Eric Johnson, Director of Tuck’s Glassmeyer/McNamee Center for Digital Strategies and Professor of Operations Management at the Tuck School of Business, Dartmouth College, to talk about his recent paper “Data Hemorrhages in the Health-Care Sector” (.pdf).   The results of Dr. Johnson’s study were startling.  For instance, his finding that a great deal of personal patient information is openly available on Peer-to-Peer (P2P) file sharing networks resulted in a great deal of media attention from publications dealing with privacy like SC Magazine, technology publications like Wired, and general interest publications like USA Today.  We are thrilled that Dr. Johnson agreed to do a full interview with Security, Privacy, and The Law.

Because the interview is long and covers a number of important topics of interest, we will post the interview in three parts.  The first installment of the interview follows below.  In this part of the interview, Dr. Johnson discusses how he came to be interested in information security, how he conducted his research, and his findings about just how much personal health information is available on P2P networks.
Continue Reading...

First the Bad News, Your Doctor's Lost His License; Now the Really Bad News: No One's Taking Care of Your Records

As outlined in the April 2 Boston Globe, a Massachusetts physician who lost his license to practice is still causing problems for his patients. He left his office and records behind, and now his patient records are about to be destroyed unless the patients come to claim them. The state authorities claim they don’t have the resources to maintain the records, or to help find the patients. The auction company just wants them gone.

Normally, when a physician closes a practice, patient records are placed with another physician; if they are placed in storage, prepayment of storage fees or a bond is usually required. Wouldn’t it be interesting if there were some criminal charges under HIPAA in cases like this -- after all, HIPAA has fines of up to $250,000 and penalties up to 10 years in prison for disclosing or obtaining health information with the intent to transfer it for commercial advantage, personal gain or malicious harm?

Another Day, Another Celebrity's Hospital Record Breached

It seems an inevitable consequence of modern celebrity: when you go to the hospital, hospital workers will look at your records (even though they have no medical reason to). The latest example of this involved the infamous mother of octuplets, Nadya Suleman. It resulted in the firing of 15 hospital workers at Kaiser Permanente’s hospital in Bellflower, California. All these violations have been reported by Kaiser to the California Department of Public Health. 

But this isn’t really news. The hospital records of other celebrities (like Britney Spears, Farrah Fawcett and Gianni Versace) also have been improperly accessed in recent years. The real issue raised by these events is: what lesson do we take away for compliance purposes to prevent it from happening in the future? The vigilant CIO sends these examples around to his/her staff to remind them of these pitfalls. And when you learn of a celebrity in your midst, you should specifically warn staff not to pursue the records of individuals for matters that do not concern them on a professional basis; you might even consider special additional security precautions. There will always be more of these types of breaches, but it doesn’t have to happen at your company if you continually remind people about their obligations to maintain confidentiality.

The FTC Strikes Back: (Essentially) Everyone Should Be Complying With Red Flags Rules, Especially The Healthcare Industry

In a recent letter (.pdf) to the healthcare industry, the Federal Trade Commission (“FTC”) has issued its clearest pronouncement yet on which entities must comply with federal “Red Flag Rules” -- the identity theft regulations that will go into effect for many businesses on May 1, 2009 (and have been in effect for banks and financial institutions since November 1, 2008). This latest guidance strongly suggests that if you are wondering whether the new federal regulations apply to you -- then they probably do.  In this post, we will recap the FTC's recent guidance on who should be complying with the Rules.

Continue Reading...

Lessons from the VA: what you can learn from someone else's problems

For all their problems, Veterans Affairs medical centers across the country are at the vanguard of the implementation of electronic health records. As such, there is a lot to learn from the problems that the VA system has experienced in this area. According to an article in the March 4, 2009 Journal of the American Medical Association, the problems experienced by the VA include mixed-up patient names and missing medication orders. These types of problems are probably endemic in any EHR system.  (This very point was made by Drs. Jerome Groopman and Pamela Hartzband in their March 12, 2009 Wall Street Journal op-ed.) Given these built-in weaknesses, frequent auditing of records, with strong and persistent audit trails, is a vital component of any EHR system.  Also, communications between all levels of workers in the care setting are important, to provide similar feedback.  The VA has adopted these mechanisms as part of its EHR systems. VA health care workers are encouraged to report problems with the electronic medical record systems, and those reports are closely monitored. Ironically, this may be why we hear so much about the VA’s issues – they are finding problems that others have in their data systems, but do not yet know about.

Adding to the Patchwork: HITECH Act Sets New "Floor" for Data Breach Notification of Certain Patient Information

On Tuesday, February 17, 2009, President Obama signed into law the widely-debated federal economic stimulus package, officially titled the American Recovery and Reinvestment Act of 2009, and with it, enacted the Health Information Technology for Economic and Clinical Health Act (HITECH Act). Much of the media attention on the HITECH Act has focused on the policies promoting health information technology, a topic that President Obama touted throughout his campaign. However, the HITECH Act also contains myriad regulations that expand the security and privacy provisions of the Health Information Portability and Accountability Act of 1996 ("HIPAA"), and generally extends some of those regulations to non-HIPAA-covered vendors of personal health records and their business partners.

If you are hoping that federal lawmakers have used the HITECH Act to finally set a national standard for patient medical information, however, you will be disappointed.

The HITECH Act, like HIPAA, preempts any contrary state laws, but leaves intact any state laws and regulations that impose stricter requirements on the handling of patient information. As a practical matter, this means that if you are covered by HIPAA and the HITECH Act you must meet new minimum standards while continuing to monitor and comply with the ever-increasing patchwork of laws governing patient information in every state in which you operate.

What follows is a more detailed discussion of the provisions of the HITECH Act and how it attempts to provide additional security for patients' health information.

Continue Reading...