Congress examines health data thefts

Minnesota cases of hospital privacy breaches sparked a hearing on the issue led by Sen. Al Franken.

By JEREMY HERB, Star Tribune

November 9, 2011 — 7:50pm

WASHINGTON - In the wake of high-profile health-care data breaches in Minnesota this year, Sen. Al Franken on Wednesday examined how sensitive data can be better protected as more of it moves to the "wild, wild West" of the Internet.

Thefts of laptops containing patient data from Fairview and North Memorial hospitals earlier this year were just a small slice of health data thefts in the United States. In a 15-month span, the Department of Health and Human Services (HHS) found that more than 50 laptops were stolen from hospitals, clinics and medical centers.

Kari Myrold, privacy officer at Hennepin County Medical Center, testified on Wednesday before the Senate subcommittee on technology, privacy and the law about how her hospital has been a pioneer in the use of electronic records while working to keep sensitive information safe.

No matter how strong the safeguards, Myrold said, there is always a risk. "I think every organization is a keystroke away from the same kind of thing [as Fairview]," she said after the hearing. "You do the best that you can."

In the Fairview case, the breach occurred after a consultant failed to encrypt patient data even though Fairview had said to do so, Myrold said.

Franken, the Minnesota Democrat who is chairman of the subcommittee, praised the use of electronic records to track patients after the Interstate 35W bridge collapse. Congress passed a law in 2009 to give doctors and hospitals financial incentives for digitizing records. But, Franken said, "The same wonderful technology that has revolutionized patient health records has also created very real and very serious privacy challenges."

Franken and data advocates complained that HHS had not put in place stiffened penalties and enforcement allowed under the legislation and said few cases have been prosecuted. "The wild, wild West for data is not an environment of trust," said Deven McGraw of the Center for Democracy and Technology.

Myrold said that when it comes to data encryption, many health companies "aren't taking it seriously. Until we actually get those final rules, knowing that they actually will be enforced, we probably will not see more compliance."

Sen. Tom Coburn, R-Okla., the subcommittee's ranking member, questioned whether switching to electronic records was worth it. He raised concerns about hackers finding a way to take sensitive records. "They gotta get into my office to get it when it's on a piece of paper," said Coburn, who is a physician.

Franken asked Leon Rodriguez, director of the Office for Civil Rights at HHS, when the enforcement rules would be finalized.

When Rodriguez was unable to offer a timetable, Franken said: "OK, well hurry up."

Jeremy Herb • 202-408-2723 Twitter: @StribHerb

StarTribune

Congress examines health data thefts

Kansas has a new anti-DEI law, but the governor has vetoed bills on abortion and even police dogs

Live video of man who set himself on fire outside court proves challenging for news organizations

Idaho group says it is exploring a ballot initiative for abortion rights and reproductive care

Guest lineups for the Sunday news shows

West Virginia will not face $465M COVID education funds clawback after feds OK waiver, governor says