An egregious breach of medical records security by a Seattle-based company has caught the attention of federal regulators. Now Providence Health & Services is paying the consequences of violating the Health Insurance Portability and Accountability Act (HIPAA) with a $100,000 fine after backup data containing patient information was lost or stolen, according to a report by the Seattle Post-Intelligencer.
The home and community healthcare company has promised to improve its policy on transporting data, train employees, and make security reports to federal officials for three years. But the worse may be yet to come from patients worried about becoming victims of identity theft.
Providence is not the only health care provider in recent months to violate HIPAA regulations. Billing records for more than 2 million patients at the University of Utah Hospitals and Clinics were stolen from a courier’s vehicle (“Medical Records of 2.2 Million Stolen in Utah,” June 11).
But federal authorities say that Providence — a not-for-profit health care system with hospitals, home and community services in five states — has had multiple security lapses, and the lapses were over a longer period of time. According the Post-Intelligencer report, backup tapes, disks and laptops with electronic patient information were not properly secured several times during a seven month period.
One security breach resulted in the medical records theft of more than 365,000 patients, as well as data on doctors, including their Medicare and Medicaid numbers, state license numbers, names, addresses and phone numbers.
Industry and security experts say medical records provide a jackpot of information for thieves. Not only can they use medical records to obtain credit cards and merchandise in victims’ names, thieves also can use the records to get treatment in a patient’s name and file false insurance claims.
In addition to the financial chaos victims of medical record theft may suffer, they potentially could receive improper medical treatment because of falsified records or become uninsurable.