Georgia's Largest Healthcare Provider Loses Data on 315 000 Past Patients

Lost backup disks include 228 000 Social Security numbers and other personal information

The Atlanta Constitution and others reported yesterday that Emory Healthcare, the largest healthcare provider in the state of Georgia, was unable to locate 10 back-up computer discs containing Social Security numbers, names, addresses, dates of birth, and clinical and other information on approximately 315 000 former surgical patients covering the period from September 1990 to April 2007. Some 228 000 of the missing patient records included Social Security numbers.  

The Emory website announcement concerning the loss stated that the discs, which belonged to a software system that was deactivated in 2007, went missing between the 7th and 12th of February of this year. After searching “extensively” for the discs, apparently for nearly two months, Emory said they still couldn’t be located. Emory emphasized in its announcement that it was “important to note that this incident was not a breach or ‘hacking’ of our computer systems,” but conspicuously didn’t rule out deliberate theft.

Emory also announced that so far, “There is no indication that this information has been or will be misused.” I find that last phrase “will be misused” more of a hope than a statement of fact. Emory is still smarting from an incident last year where a small number of Emory patient records had been stolen and then used to file fraudulent tax returns in hopes of getting refunds.

Another Atlanta Constitution story late yesterday reported that the information on the discs was not encrypted, and that they were not stored “according to protocol.” The story stated that the discs were kept in an unlocked file cabinet in a room that had restricted access but wasn’t always locked. An Emory spokesperson explained that the discs weren’t encrypted because they were for an outdated system; he also said the organization believed the information on the discs would likely be difficult to access.

Emory says that it will change how it handles patient information (presumably encrypting all patient-related data), as well as offering a year of free credit monitoring service to those affected. Emory also apologized profusely for the incident.

However, the provider is still likely to face stiff fines from the U.S. Department of Health and Human Services (DHHS) for the loss, accidental or not. As you may recall, a few years ago, I blogged about a theft of 57 hard drives from a BlueCross BlueShield of Tennessee storage facility containing the unencrypted records of nearly one million of its members. Even though BlueCross BlueShield spent over US $17 million in its investigation and later data encryption efforts, and even though there has not yet been any evidence that the information stolen has been misused, DHHS fined the insurer $1.5 million last month for Health Insurance Portability and Accountability Act (HIPAA) violations related to the theft.

Photo: iStockphoto
