“The unshredded records,” continued the report, “included pathology reports with patients’ names, addresses, and results of breast, bone, and skin cancer tests, as well as the results of lab work following miscarriages.”
The records were discovered by a Globe photographer when he stopped by the dump to toss his trash. “When he got out of his car, he said, he saw a huge pile of paper about 20 feet wide by 20 feet long,” according to the newspaper.
Upon further inspection he found that the papers were “health and insurance records from at least four hospitals and their pathology groups … mostly dated 2009,” said the Globe, which also notified the hospitals of the find. “It is unclear,” said the paper, “how many other hospitals’ records might have been discarded in the dump.”
The culprit in the dumping of sensitive medical records appears to be the former owner of a medical billing company employed by pathologists for decades, who admitted that he had sent the records to the dump after selling the company. The new owner’s lawyer said that the new owner had taken only records from 2010; the rest were, apparently, dumped by the previous owner.
Disposing of medical records containing personal identifying information without making them unreadable, generally by shredding or incineration, is a violation of both state and federal law.
“The hospitals said they also plan to formally notify the Massachusetts attorney general’s office; preliminary information has already been passed along,” according to the Globe. “Based on that, the attorney general’s office said in a statement it is reviewing ‘whether there has been a data breach.’”
In addition, said the newspaper, the hospitals “are developing plans to notify the thousands of patients whose records may have been left at the dump.” Hospital officials, wrote the Globe, “believe the records dumped went back two or three years” and involved thousands of patients — everyone who had pathology testing during that time.
Those Bay Staters whose medical records may have been dumped are not the only Americans who ought to be concerned about this occurrence. Massachusetts, after all, is already operating under RomneyCare, the forerunner to ObamaCare, which now impacts us all. If this sort of thing can happen in a state with such a healthcare system, what could happen when that system goes national?
Of even greater concern is the fact that the 2009 economic stimulus law mandates that all Americans’ medical records be stored electronically and then made available to all healthcare providers and the federal government, making such privacy breaches much more likely.
The Globe commented on the Massachusetts record dump:
The episode highlights in dramatic fashion how hard it can be for hospitals to safeguard patient information, given the large number of doctors, insurance companies, medical billing firms, and contractors who have access to personal data in the normal course of business....
“This is a perfect example of how complicated the security of confidential information is,” said Clark Fenn, vice president for quality improvement, risk management, and corporate compliance at Holyoke Medical Center. “There are many hands that touch things. All it takes is one slip in that process for information to be released.”
Now imagine how many hands will be able to touch each person’s medical records when they are stored in a centralized electronic database. All it takes is one careless mistake, such as sending data over an unsecure connection or in unencrypted form, or one person with a vendetta for someone’s electronic medical records to become public knowledge. Once electronic data has become public, it is nearly impossible to make it private again. The more centralized the data and the more widespread its use and availability, the more easily and frequently such data breaches can occur.
Massachusetts once warned all Americans that the British were coming to invade their privacy by, for example, quartering soldiers in their homes. Perhaps today it can serve as a warning of the dangers of putting Americans’ medical records into a Washington-mandated electronic database with the potential for banishing medical privacy once and for all.