Confidential patient information recently slipped into the wrong
hands in separate incidents involving one of the nation's largest managed-care providers and a renowned
Boston cancer center.
Kaiser Permanente, which serves 8 million members in 11 states and the District of Columbia, is currently
studying how private data on 858 members ended up in e-mail messages sent to 19 individuals across the
Meanwhile, Dana-Farber Cancer Institute in Boston began notifying patients this week that personal
information, such as names and Social Security numbers, may have been stolen from the hospital's
computerized administrative records.
The incidents underscore the need for increased vigilance by providers and health plans, experts say. In
each case, tighter systems or security checks might have prevented potentially embarrassing or intrusive
breaches of personal information.
"Once somebody's confidentiality is violated, you can't undo it," Dr. Michael Rozen, vice president of
consumer affairs and director of health record security for WellMed Inc., told Reuters Health. Rozen is a
spokesman for Hi-Ethics, a coalition of Internet health sites and content providers dedicated to ensuring
the privacy of patient information.
The troubles experienced by Kaiser and Dana-Farber are policy and procedure problems, not technical
problems, Dr. Rozen asserted. He said that they illustrate the need for healthcare organizations to have
compliance officers or specialists to ensure that identifiable patient information is kept private.
Beverly Hayon, a spokeswoman for Oakland, California-based Kaiser, said that the August 2nd e-mail
snafu occurred amid a systems upgrade of the health plan's online member service. The e-mail messages
contained information involving mostly routine matters, such as requests for appointments and inquiries for
lab results, Hayon said. But they also contained personal information, including names, addresses,
medical record numbers, and, in some instances, sensitive information, she acknowledged.
Because of a "technical glitch" involving systems, programming and human error, the information was
inadvertently sent to 19 e-mail addresses around the country. The vast majority of those messages were
never read or were deleted immediately after being opened, Hayon said. "Nonetheless, we did accidentally
send people's confidential information and personal e-mails to someone else."
Kaiser has called all 858 members to apologize and explain what it is doing to correct the problem. Most
people have been very understanding, Hayon said, although some are, not surprisingly, very angry.
In Boston this week, a former temporary employee of Dana-Farber pleaded not guilty to charges that she
stole a patient's personal information, fraudulently opened a long-distance telephone account and ran up
more than $2,000 in charges.
Steven Singer, the hospital's chief of communications, believes the health system has reason to
suspect that other patients may have been affected, and hospital officials are working closely with Boston
police. The incident did not involve patients' medical records, he said.
Dana-Farber has hired a financial attorney to assist any patients whose credit records may have been
marred by the incident. "No patient will be financially hurt by this," Singer said. The hospital also decided
to immediately begin requiring background checks on all temporary workers.
But according to Joy Pritts, senior counsel for the Health Privacy Project at Georgetown University's
Institute for Health Care Research and Policy, protective measures like that should have been in place all
along. "People who are sick...don't need this at this time in their life," she said. "These are the most
vulnerable people and they need to be protected."
Healthcare organizations need to conduct background checks to ensure that employees who have access
to patient information are trustworthy, Pritts said. She added that there should be limited access "so that
not everyone can get access to people's names and sensitive medical information."