Stanford Hospital and Clinics is the latest to report a massive breach of privacy, in which private medical information for 20,000 people was posted online and publicly available for over a year, as reported by the New York Times.
It’s worth thinking about the role of privacy, and privacy law, in terms of civil rights and the protections we can expect with regard to medical data, as well as the layered nature of the legal rules and institutions currently in place to ensure these protections.
The Health Information Technology for Economic and Clinical Health (HITECH) Act (Public Law 111-5, section 13402) was part of 2009’s federal stimulus package. The HITECH Act requires entities covered under HIPAA to report breaches of medical data privacy. “Large breaches” are those which affect over 500 individuals; “small breaches” affect fewer than 500 individuals. The Office of Civil Rights (OCR) in the US Department of Health and Human Services (HHS) maintains records on reported breaches.
According to OCR, in 2009 more than 2.4 million individuals and in 2010 more than 5.4 million individuals were affected by losses of unsecured protected health information, “as a result of theft, error, or failure to take adequate care of protected health information.” These records reveal the “large” breaches. Since 2009, information on additional smaller breaches has also been recorded and reported to Congress by HHS. This information shows that, cumulatively for 2009 and 2010, there have been over 30,000 of these smaller breaches, affecting over 72,000 individuals.
In the case of the Stanford Hospital and Clinics, the unsecured information was held by an external vendor, a billing contractor named Multi-Specialty Collection Services. As the New York Times reports, the data, in “a detailed spreadsheet,” “made its way” from the vendor “to a Web site called Student of Fortune,” where it remained online for over a year.
The scope of breaches (and their causes) over a two-year period, and the nature of the relationships between protected entities, contract vendors, and individuals and their health records, illustrate the extent to which our lives are likely to become an open book, with serious consequences. The problem is multidimensional, ranging from data mining and the linkages that can be established between particular bits of data or trails of information, to inferences drawn from and discrimination based on such linkages, to the deflections practiced by government and big business (see, for example, Nothing to Hide, by Daniel Solove, and David Pozen on “mosaic theory”). The implications for our digital selves and our digital reputations are clear.
Privacy protections, in line with concomitant expansions of the security (or surveillance) state, have been in decline since at least the middle of the twentieth century. At the same time, scandals have resulted in an increase in privacy and security rules, enforcement regimes, and limits on use of information. This dialectic resides in a more recent and developing tension resulting from a sort of “critical mass” of government and business surveillance, as well as more active executives that have emerged out of events like September 11 (2001) in the US and July 7 (2005) in the UK.
Health record data losses due to theft, error, or failures of organization policy and security protocols may seem at a glance to be distant from government intrusions, and minor compared with the rhetoric of global terror threats. However, coupled with issues including inadequate vetting of contract relations, corporate misfeasance, and the relatively easily accessible information held by data brokers (such as Acxiom), there seem to me to be obvious implications for larger scale intrusions and violations built up from the mosaic of data bits available in our sociotechnical universes, and the connections that may be drawn between them.