It’s 2:45. Do you know where your medical records are?
A week or so ago, I filled in endless new-patient paperwork. When I handed the clipboard and forms back, I noticed that other patients’ forms were spread across the counter, easy for anyone to read.
I asked about their process to assure the safety of my information. The response: “Don’t worry. In about 5 minutes it will be entered into our system so that it will be safe.”
I didn’t feel like arguing, or even pointing out the stupidity of that response. Entering data into a system has very little, in fact, nothing, to do with protecting it.
Take the recent announcement of the “safety” of PHI at Holland Eye Surgery and Laser Center. Located in Holland, MI, the center discovered that a hacker began accessing their electronic records in 2016 and that over time, more than 42,000 patients’ PHI was exposed.
How did Holland Eye ferret out the breach?
On its own? No.
By using a red team including cyber security experts? No.
It was the hacker who contacted the clinic to announce the breach. But the question of when that contact occurred is an even better part of the story.
The hacker, called, with obvious dark humor, “Lifelock,” says it was on more than 30 occasions over a two-year period, during which time he sold patient information on the dark web, apparently to put pressure on Holland Eye to pay a $10,000 “security fee” to help secure its patients’ data.
The practice says it was on March 19, 2018. They gave notice to the U.S. Dept. of Health & Human Services’ Office of Civil Rights on May 18, 2018.
Considering that the law requires notification of a breach within 60 days, I wonder who’s telling the truth?
Comment or contact me if you’d like to discuss this post.
Mark F. Weiss