The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

On Twitter

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

Privacy Calendar

Links

RSS FEED for this site

Blogs I Follow

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Thursday, January 05, 2006

Info theft and ID fraud by HMO employees

James Walker over at HIPAA Blog reports on another incident of information theft and misuse in the US healthcare context:

HIPAA Blog
Another Case of Indentity Theft: This time it's at Kaiser Permanente's South Bay Medical Center near LA. Contract employees copying medical records from the ER and surgery departments used their access to patient names, social security numbers, addresses, and other personal information to establish credit accounts in the patients' names and use the accounts to acquire high-end kitchen supplies. The two employees were caught red-handed and admitted their crimes, apparently. Four patients are known to be victims, but Kaiser sent letters to 25,000 patients who might be at risk.
This incident reinforces a few key items about HIPAA crime. First, it's not the "medical" information that is the big risk in intentional misuse of PHI, it's the financial information. There's not a big opportunity to make money off of information about someone's surgery, but there is a lot of money that can be improperly accessed with information about someone's social security number or bank accounts. Second, it's low-level employees that pose the greatest risk, particularly contract employees who might not be subject to as strict control as direct employees. Third, it's fairly easy for these people to be caught. Fourth, Kaiser points out that it is migrating to electronic medical records, which will eliminate the need for copying the records (and would eliminate these bad employees); of course, the other side of that coin is that these employees only had access to the records they made copies of, whereas if the information was part of an EMR, they might have had access to many more patient records.

His original post has a link to further coverage.

Labels: health information, information breaches