Privacy of Medical Records in the News

Published April 1, 2001

Last year a sophisticated Internet hacker took control of the University of Washington Medical Center’s network and downloaded the admissions records of 4,000 cardiology patients.

Among the thousands of pieces of private information he downloaded were names, birthdates, Social Security numbers, and descriptions of the medical procedures undergone by the patients.

The 25-year-old Dutch hacker, who calls himself “Kane,” described how the data were taken from the hospital computers by using the Internet. According to Kane, the data were completely exposed, without any firewalls of any kind. He described his foray into the hospital systems as a renegade public service designed to increase awareness about the poor security surrounding medical information.

Also last year:

  • A medical company employee stole patient information to fraudulently obtain phone service in Massachusetts.
  • An online pharmacy accidentally released customers’ names and credit card numbers.
  • Kaiser Permanente sent sensitive health-related information to the wrong people.
  • Health care companies dumped medical records, complete with Social Security numbers, in the trash.

A Self-Inflicted Threat?

According to Dave Kopel, director of The Heartland Institute’s Center on the Digital Economy and author of several publications addressing Internet issues, “these incidents demonstrate the danger of medical insurance companies forcing people to use Social Security Numbers as a universal identifier. While the insurance industry puts a lot of pressure on the medical industry to collect data in order to prevent fraud, it’s time for consumer advocates—and consumers themselves—to intensify the pressure on the medical industry to start treating confidential patient records with appropriate care.”

“Patients must resist the imposition of a national identification number on medical records,” said Twila Brase, RN, president of Citizens’ Council on Health Care. “They must throw a wrench in the enumeration process which jeopardizes not only their privacy, but their dignity. The patient is a person, not a number whose intimate data is up for grabs. The information in the medical record should be handled as though it were the patient himself.”

Merrill Matthews Jr., Ph.D., a visiting scholar with the Institute for Policy Innovation, agreed that patients should accept responsibility for protecting their privacy.

“To some extent,” noted Matthews, “the public has brought this problem on itself by wanting an insurer, employer, or the federal government to pay for all health care. When a third party pays, it knows what care a patient receives—and it has to keep those records somewhere.”

The intrusion into private medical records is creating a nation of worried patients—patients who defend themselves by lying to physicians or avoiding timely health care treatment.

According to a 1999 Princeton Associates Survey, over 15 percent of Americans try to protect their medical privacy in such self-defeating ways as to increase the chances for a medical error once the patient finally seeks medical care.

“The best way to guarantee that insurers don’t abuse patient medical information,” continued Matthews, “is to limit their involvement by paying for care out of pocket or through a Medical Savings Account.”