Personal: something that belongs to me and nobody else; something that concerns my private life. Healthcare is personal, it’s private.
A news release from the Veterans Health Administration revealed a “potential disclosure of limited information that may have been sent to another VA patient.” This occurred Nov. 9 but was not discovered until Nov. 14, and not corrected until Nov. 16. The VA stated, thankfully, “no social security numbers or other identifying information were divulged in the mix-up.”
The words “potential” and “may” in the opening remarks make it seem as though this incident was not a big deal. Appointment reminders for 2,380 veterans were sent to the wrong patients “due to a misalignment, or improper match.” In other words, a printing error caused patients “who receive health care at the Wilmington, Altoona, Coatesville, Erie, or Pittsburgh medical centers” to receive information about somebody else.
But think about this for a moment. What do appointment reminders include? Perhaps the doctor’s name and specialty, which clinic to arrive at, and what to bring or expect from the appointment. Some of this is quite telling information, and personal. Nobody needs to know that an appointment with psych or oncology or some other confidential matter is scheduled for you, do they?
Before the VHA breach, notifications were sent, last November, concerning another data breach that happened in our region. This one was at the Warren General Hospital. It affected the “confidentiality of information related to certain current and former WGH patients and/or current and former WGH employees.” The press release stated that the types of information the “unknown actor accessed,” included “name, address, date of birth, Social Security number, financial account information, payment card information, health insurance claims information, and medical information including diagnosis, medications, lab results, and other treatment information.”
Are you kidding me?
How many people do you think were affected by this one data breach that occurred in September but was not announced until November? The Office for Civil Rights provides a list of data breaches that impact at least 500 individuals and where they are in the investigation. For the WGH breach, 168,921 individuals were affected. And the remedy, or what WGH is doing about it? Oh, they “take this event and the security of personal information in our care very seriously.” As standard practice in something like this, those affected are entitled to place an initial or extended fraud alert on their credit file at no cost, as well as check all three credit bureaus with a free credit report annually.
Do you know what kind of hoops one has to jump through to place a freeze on their credit report due to fraud? You must provide each bureau with the following: your full name, Social Security number, date of birth, addresses for the prior two to five years, proof of current address with a current utility or telephone bill, a legible copy of your government-issued identification, and a copy of the police report, investigative report or a complaint to law enforcement that you were a victim of identity theft. Really? The system failed, but you have to prove that you were the victim so that you can freeze your credit.
There are so many more data breaches than many of us realize. I filtered the federal record to include all healthcare-related breaches in 2023 for Pennsylvania only. As of the end of December, OCR is still investigating 30 cases involving unsecured protected health information. Nine other cases are listed as resolved, if you can consider the matter resolved. Resolved, by their definition, means that notification was made and staff and others received additional training, but more should be done for the private information these organizations are losing.
Individuals affected in the resolved caseload total 272,728.
Of the unresolved cases, more than 2.52 million individuals have been affected by a breach located on a network server, via email, or other unauthorized access point. Submitted and resolved cases for 2023 in Pennsylvania were located in the same areas and caused by unauthorized access or disclosure or a hacking or other information technology incident, per the OCR reports.
(Contact Mandy Colosimo at era.mandy.c@gmail.com)