Sadly, This Was Totally Predictable

In the wake of the tragic shootings in Tucson, Arizona on January 8, it was only natural that the public would have an intense interest in the medical progress of Rep. Gabrielle Giffords (as well as that of the others wounded in the attack), given the unusual and newsworthy situation evolving forward there, and now in Houston, as Congresswoman Giffords has been transferred to rehabilitative care there.

Sadly, on Jan. 12, University Medical Center in Tucson was compelled to fire three clinical support staff members and a contract nurse for “inappropriately accessing confidential medical records,” according to a statement the hospital put on its website on that date.

Here’s part of what was put on the hospital’s website, as reported by the Arizona Daily Star on Jan. 13: “The hospital has terminated three clinical support staff members this week for inappropriately accessing confidential electronic medical records, in accordance with UMC’s zero-tolerance policy on patient privacy violations.” In addition, a contract nurse was fired by that nurse’s employer. According to the Daily Star, hospital spokeswoman Katie Riley would not say how many patients were affected by the breach, but she did confirm to the newspaper that the breach had involved records of patients connected with the Jan. 8 shooting.

“Any potential breaches of patient privacy by UMC staff will be investigated and appropriately addressed,” the hospital’s statement continued. “With advances in technology, ensuring patient privacy has become the focus of hospitals nationwide. UMC uses sophisticated technology to help prevent and detect inappropriate access to patient information.”

The general public will probably never know all the details involved in this data breach or cluster of data breaches, but what is clear is that the current technological, societal, and media environment is rife with opportunities for individuals with bad intentions to attempt to do very wrong things in the medical records area. The challenge, as Bill Brenner of CSO Online commented in a Jan. 13 column, is that while “There’s plenty of identity and access management technology available to minimize these incidents… [I]n the end, if a reasonably smart person is burning with curiosity, they will find a way to break through the wall of privacy.”

That is a sobering reality, and one that hospitals nationwide are confronting these days. And though the care and well-being of every single patient is obviously important to every hospital organization, another reality is that any patient who is either an actual “celebrity” (as in the Hollywood type), or whose case is in the news, is particularly vulnerable to such bad intentions. I remember having a fascinating conversation nearly 10 years ago with a colleague and good friend who worked in media relations at a hospital that treated quite a lot of celebrities; that colleague-friend told me stories that were chilling regarding the extent to which tabloid “reporters” would go to learn “inside details” about a celebrity patient’s condition or treatment.

Inevitably, of course, healthcare IT leaders will always be trying to keep one step ahead of those who would breach the privacy and security of patients’ electronic health records. And this Tucson incident involves just a more high-profile version of a situation that takes place far too regularly in communities nationwide. Unfortunately, there’s no “magic bullet” for any of this; but for CIOs, CTOs, CMIOs, chief security and privacy officers, and other healthcare IT leaders, these kinds of incidents will continue to remind us how very much patients of all kinds—not just well-known or newsworthy ones—need the kinds of data privacy and security protection that our industry is tasked with providing—and constantly improving.