I just got done reading Lisa Vaas' coverage of another fumble in health data. This one hails from Canada where, according to Vaas' coverage in eWeek:
....on the evening of Nov. 20, a consultant employed by the Provincial Public Health Laboratory was contacted at his home office by an unidentified security researcher. The researcher told the consultant that he was in possession of patient information stored on the consultant's computer. That patient information includes names, MCP (Medical Care Plan) numbers, age, sex, physician and test results for infectious diseases, including HIV and hepatitis...
I'm trying to imagine what it might be like to have just learned that you are HIV positive, perhaps looking to keep that information close to the vest, only to suddenly find out that the information was made public by way of some security snafu with one of the umpteen organizations/individuals that came into contact with your highly sensitive data. This episode, which involved a consultant who, by possessing a PC that had all the data on it, was violating some policy, is eerily reminiscent of the 26.5 million Veterans Administration patient records (including those of 2.2 million troops on active duty) that fell into the wrong hands (temporarily, thankfully) by way of an analyst who had the records on his computer.
It was only last week that the UK was reeling from another similar health data snafu. On the very same day that officials learned of the Canadian breach (November 20), the UK's HM Revenue and Customs agency was owning up to its loss of the "confidential details of 25 million child benefit recipients that had been stored on two computer disks."
The question these breaches bring to mind is the degree to which our confidential medical records can really be safeguarded. Given the number of people that have access to them, the path the data takes from one organization to another, etc. -- the idea that this information can be guarded as though our national security depends on it is a pipe dream. Although it hasn't happened yet, it will only be a matter of time before some huge quantity of confidential records is indelibly published to the Web in a way that cannot be taken back. These breaches will range from the inadvertent (honest mistakes) to the purposeful (e.g., disgruntled employees), and don't be surprised if some cases involve blackmail, zombie computers, and members of organized crime that are beyond the reach of the local law.
As much as I hate the idea, I'm beginning to accept the fact that my health data may one day be a matter of public record. What about you?