The theft of a laptop computer filled with thousands of patient records has triggered a federal investigation of Fairview and North Memorial hospitals, earning them both a place on a government website known as the "Wall of Shame."
Fallout from the theft, which was disclosed late last month, could lead to hefty fines or other penalties.
Government records show the Twin Cities hospitals are only the latest in a growing number of medical centers that have found themselves on the wrong side of a federal law designed to ensure the privacy of patient medical records.
In a recent 15-month period, 50 laptops containing patient data were stolen from hospitals, clinics and other medical centers around the country, according to the U.S. Department of Health & Human Services, which investigates all major breaches. As a result, millions of patients have been exposed to potential identity theft or other misuse of their most personal information.
Experts say there's no end in sight.
"It's the nature of our world today, so much of the information that we have is traveling around in electronic form," said Michael Scandrett, a lawyer and health policy expert in Minneapolis.
In Minnesota, two other laptop thefts in the past year have affected several thousand patients, one at an Edina foot clinic and one at the Mankato Clinic.
Scandrett said the problem stems in part from growing pressure on hospitals and clinics to use the data contained in electronic medical records to improve care and control costs.
In some cases they hire outside consultants to assist in the task -- a step that can bring them specialized expertise but also expands the number of people with access to confidential information. That's what led to the breach at Fairview and North Memorial.
Laptop lost in car break-in
On the night of July 28, according to police reports, a consultant named Matthew Doyle, who worked for Accretive Health Inc., left a Dell laptop in the back seat of a rental car parked in the Seven Corners bar and restaurant district in Minneapolis. When he returned after 10 p.m., the back window was smashed and the computer was missing.
The laptop contained information on 14,000 Fairview patients and 2,800 North Memorial patients, potentially exposing them to identity theft or other harm.
Greg Kazarian, Accretive's senior vice president, said Doyle is a data analyst with no clinical background in health care. He was using the patient data for revenue collection and analysis of Fairview's costs and quality, Kazarian said.
In this case, Kazarian said, the company's security chain broke down when the patient data was loaded onto the laptop in-house without encryption.
Although there is no sign that patients have been harmed, the incident has shed new light on the consultants who help hospitals and clinics. Accretive is a Chicago-based company that specializes in boosting revenue for hospitals, including a debt-collection arm and a fledgling service to help control cost of care.
Federal court records show that Accretive has been sued 10 times in the past year by patients who alleged unfair collection practices. Four of those suits, including at least two by Fairview patients, were filed in federal court in Minnesota.
Fairview said data on the stolen laptop was used by Accretive for quality-control work and more traditional revenue collection, such as tracking down insurance payments, not for debt collection directly from patients.
Trust, but verify
Lois Dahl, Fairview's information privacy director, said the mistake has taught the hospital to verify, not just trust, that its contractors are living up to privacy obligations.
Fairview also is considering dropping Social Security numbers from records shared with outside business partners, Dahl said. The hospital also wants to tighten practices to ensure it is not giving vendors more patient information than necessary, she said.
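The two changes Dahl describes, stopping the flow of Social Security numbers to outside partners and sending vendors no more than they need, amount to an allowlist applied to the export before it leaves the hospital. The script below is an added example of that control, not code from Fairview, North Memorial or Accretive; the purposes, field names, sample records and the HMAC-based substitute for the medical record number are all assumptions constructed for illustration:

```python
"""
Minimum-necessary filtering of a patient export before it goes to a business
associate.  Added example; every purpose, field name and record here is a
constructed assumption, not data or code from any hospital or vendor.
"""
import hashlib
import hmac
from collections import Counter
from dataclasses import dataclass, field

# Fields a vendor may receive, keyed by the purpose named in its contract.
# This is an allowlist: any field not listed for the purpose is dropped.
PURPOSE_ALLOWLISTS = {
    "revenue_collection": {"mrn", "encounter_id", "payer", "claim_amount", "service_date"},
    "quality_analysis": {"encounter_id", "service_date", "diagnosis_code", "length_of_stay"},
}

# Dropped for every purpose, even if an allowlist mistakenly names it
# (assumption: the hospital has decided never to share SSNs with vendors).
ALWAYS_DENY = {"ssn"}


@dataclass
class FilterReport:
    """What went out, and what was withheld, for the audit trail."""
    records_out: list = field(default_factory=list)
    dropped_fields: Counter = field(default_factory=Counter)  # field name -> count
    denied_hits: int = 0  # times an ALWAYS_DENY field was present in the input


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed token so the vendor can link a patient's rows without the real MRN.
    The key stays with the hospital; the vendor cannot reverse the token."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def filter_export(records, purpose, key, pseudonymize_fields=("mrn",)):
    """Return a FilterReport holding only the fields allowed for `purpose`."""
    if purpose not in PURPOSE_ALLOWLISTS:
        raise ValueError(f"no allowlist defined for purpose {purpose!r}")
    allowed = PURPOSE_ALLOWLISTS[purpose] - ALWAYS_DENY
    report = FilterReport()
    for rec in records:
        out = {}
        for name, value in rec.items():
            if name in ALWAYS_DENY:
                report.denied_hits += 1
                report.dropped_fields[name] += 1
            elif name not in allowed:
                report.dropped_fields[name] += 1
            elif name in pseudonymize_fields:
                out[name] = pseudonymize(str(value), key)
            else:
                out[name] = value
        report.records_out.append(out)
    return report


# Constructed sample input: two fictional encounters with far more fields
# than any single vendor needs.
SAMPLE_RECORDS = [
    {"mrn": "000123", "ssn": "123-45-6789", "name": "Pat Example",
     "encounter_id": "E1", "payer": "Medicare", "claim_amount": 1240.50,
     "service_date": "2011-07-01", "diagnosis_code": "J18.9", "length_of_stay": 3},
    {"mrn": "000456", "ssn": "987-65-4321", "name": "Sam Sample",
     "encounter_id": "E2", "payer": "BlueCross", "claim_amount": 310.00,
     "service_date": "2011-07-02", "diagnosis_code": "I10", "length_of_stay": 1},
]


if __name__ == "__main__":
    # Assumed key; in practice it would come from the hospital's key store.
    report = filter_export(SAMPLE_RECORDS, "revenue_collection", b"hospital-only-key")
    for rec in report.records_out:
        print(rec)
    print("withheld:", dict(report.dropped_fields), "denied hits:", report.denied_hits)
```

The report is the part worth keeping: a nonzero `denied_hits` means the upstream extract still contained SSNs and someone should ask why, and a vendor asking for a field outside its allowlist has to get the contract amended rather than the data.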
"This is very regrettable and many patients could be very unhappy," Dahl said. "We are taking this very seriously."
North Memorial said it did not provide Social Security numbers to Accretive and that the lost data included only "limited clinical information."
North Memorial said it hired Accretive to improve the flow of money owed to the hospital, and that the data was "highly secure" until Accretive loaded it onto an unencrypted laptop.
While continuing to work with Accretive, the hospital said in a written statement, "we will be meeting in the near future to evaluate all phases of our relationship."
For its part, Accretive has started daily audits to ensure encryption on all devices carrying patient information, Kazarian said. The company also has "reaffirmed" rules for keeping laptops secure, he said.
Large privacy breaches are inevitable in a digital landscape as large as health care, according to Harley Geiger, a lawyer at the Center for Democracy and Technology in Washington, D.C. But he said the government should play a stronger role in preventing and punishing breaches. Intensive training by employers also would help, he said.
Geiger described the Accretive case as a "failure of diligence" -- and more evidence that the issue isn't being taken seriously enough.
"This was not the result of some sophisticated attack," Geiger said.
At health institutions around the country, an average of three laptops with unsecured patient records are stolen every month. In a recent report to Congress, the HHS Office for Civil Rights listed 50 laptop thefts among 252 "large breach" incidents from September 2009 to Dec. 31, 2010. Each large incident must be posted on an HHS Web page known as the "Wall of Shame" under a 2009 law that expanded penalties for privacy lapses.
Not all breaches bring fines
Under the federal privacy law known as HIPAA, hospitals are allowed to share patient data with a wide range of business associates, but they must ensure that the data is protected. If the shared information is not properly safeguarded, regulators may take enforcement action, said Susan McAndrew, an HHS official.
McAndrew said all breaches involving more than 500 patient records are investigated, but there's no across-the-board definition of what constitutes lax security. "What might be appropriate for a single-doctor practice might not be the same set of safeguards appropriate in a large hospital setting," she said.
Earlier this year, for example, Massachusetts General Hospital in Boston agreed to pay $1 million to settle a case in which a hospital employee accidentally left documents on a subway train. The papers contained private medical information on 192 infectious disease patients, including some with AIDS/HIV.
A Seattle-based company, Providence Health & Services, paid a $100,000 fine after federal investigators found that inadequate security was to blame for the loss of patient data on tapes, optical discs and laptops in 2005 and 2006.
Not every breach of records, however, results in penalties. Last April, when Fairview reported that employees lost a box of patient records during an office move, no fine was imposed.
Dahl said hospitals are judged in part on how they handle the incidents once discovered. In both cases, Fairview notified affected patients and offered them identity-theft protection services. North Memorial has done the same.
Scandrett admits that these incidents "scare the hell out of us consultants."
With millions of patient records on computer databases, he says, "these things are going to happen from time to time."
Yet almost no area of health care is more heavily regulated, he said, with layers of rules about protecting patient data. "I don't know how much more you really can do and not shut down the system," he said.