Friday, September 9, 2011

Stanford Medical Records Posted Online

The New York Times reported today that a spreadsheet with the names, diagnosis codes, admission and discharge dates, and billing charges for 20,000 patients seen at the Stanford emergency room during a six-month period in 2009 had been posted online for almost a year before it was detected!

The spreadsheet had been posted on September 9, 2010, to a website called Student of Fortune, a site where students can buy help with their homework. (More about it below.) It stayed posted until August 22, 2011, when a patient discovered it and reported the breach to Stanford.

The spreadsheet came from Multi-Specialty Collection Services, a vendor to Stanford hired to do payment and billing analysis. It was posted as part of a response to a student asking how to convert data to bar graph form. The identity and motives of the person who posted the spreadsheet are unknown.

A spokesman for Stanford correctly stated that "there is no employee from Stanford Hospital who has done anything impermissible." This is true. But that's the problem!

As health care becomes more complex and more digital, information can easily be moved around. Hospitals, medical groups, health plans, and others use vendors with specialized skills. Sophisticated analysis of population data is crucial for improving quality and constraining costs. But it creates vulnerability to data breaches, as happened at Stanford.

The article mentions other prominent institutions that have experienced major breaches. Apart from hacking incidents and erroneously addressed faxes and emails, an employee at the Lucile Packard Children's Hospital stole a computer with the records of 532 patients. And an employee of the Massachusetts General Hospital left paper records on the subway while commuting to work.

Bryan Cline, a spokesperson for the Health Information Trust Alliance, a nonprofit devoted to "the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges," said that 20 percent of breaches involve contractors. Cline noted that providers depend on legal contracts with vendors to protect privacy, but as the Stanford case shows, contracts aren't guarantees!

The more interconnected we are, the more our own integrity depends on the integrity of those we're connected to. I practiced for more than 30 years with a large medical group. When patients described bad behavior of clinical colleagues, administrators, or support staff, I apologized. Typically my patients said "you didn't have anything to do with it." I replied with some version of "but we served you poorly, and I'm very sorry about that."

Interconnection creates great opportunities and great risks. Lapses of the kind that occurred at Stanford undermine public trust and could lead to crippling restrictions on the use of digital data. This would be a public health tragedy.

To my reading, Student of Fortune, the homework-help website where the spreadsheet was posted, smacks of the corruption of the educational process. Educators report a vast increase in plagiarism and other forms of pseudo-student work and pseudo-learning. Here's how the enterprise describes how its "tutors," who include the person who posted the spreadsheet, are paid:

1. Users post questions to our site, seeking help with an academic or technical subject. They offer a bounty for what they're willing to pay for a tutorial that teaches them how to solve their problem.

2. You find their question by searching or browsing for questions, or by opting-in to email alerts in your areas of expertise.

3. Write up a great tutorial for their question on Student of Fortune along with how much you'd like to get paid for it. We'll pick a random 20% of your tutorial as a preview and post it for everyone to see. Don't worry... you'll have a say in what 20% we're sending, and we never send the end of your tutorial (where we expect you'll put the conclusion).

4. When the other user buys your solution, we'll send you the tutorial (less 18% to cover the bare-minimum cost of processing your transaction).

5. We keep your tutorial around forever, so if it's a commonly-asked question, you could be making money off it for a long time to come! Some of our users have made over $1,000 off of a single tutorial! In these cases, we'll take 40% to help cover the cost of advertising your tutorial.

When I search online under "organizational ethics," in addition to links to this blog I find many advertisements for essays that business students taking courses on the topic can purchase.

How's that for an ethics lesson to our budding organizational leaders!


Ganiyu said...

It is against all moral ethics to post patients' medical records.

Jim Sabin said...

Hi Ganiyu -

You can say that again!

The ethical commitment to protecting privacy extends to ensuring that all those we deal with - like the firm Stanford contracted with - apply the same values. It's a lot easier to ensure our own fidelity to those values than to ensure that our partners do the same.