Yesterday I received a letter from Emory Healthcare notifying me that there had been a security breach affecting patients’ electronic medical records and that I was one of the people affected. Two years ago, after defamatory statements had been written in my record, I had asked them to restrict access to those who were involved in the situation and the corporation flatly refused. Since then I have suffered provable damages as a result of their wanton and willful disregard of my rights to privacy, and now my records have been further spread to those who should not have them. Below is a copy of the letter I received from Emory Healthcare:
On the back the letter goes on to list things patients can do to help protect themselves from identity theft (the standard BS that really doesn’t prevent anything, only alerts you if there is identity theft), and although the corporation claims that they will “enhance” security measures “care team education programs to help prevent something like this from happening in the future” a simple Google search will reveal that they have sung this song before and still didn’t take the necessary steps to protect patient confidentiality.
Emory is on an HHS list of the facilities with the highest number of records breaches in the country.
One needs to ask the question why staff training on this is even necessary when the obvious solution is not to allow everyone in this system access in the first place! Two Alabama-based law firms have already filed Class Action suits against the corporation in regards to previous breaches for wanton and willful disregard and negligence in maintaining patient confidentiality, and HIPAA violations were cited in these lawsuits, one of which was filed by attorneys Riley and Jackson.
One also has to wonder whether the phone number given in the notification of this current incident to affected patients leading to an “independent” firm that Emory most likely pays is just another damage control and risk management tactic to abridge the rights of patients to remedies they may be entitled to, or to lull them into a false sense of security by creating the appearance that the corporation is actually fixing the problem.
I brought this vulnerability to the attention of upper and middle management 2 years ago and instead of thanking me for giving them the means with which to protect themselves from potential liability they treated me as a nuisance and nothing more than a thorn in their side, then kicked me out. Well, it seems their arrogance has come back to bite them.
Not only does their unprofessional and reckless conduct hurt me and other patients, but sooner or later it will hurt them. At some point those charged with regulating them will get tired of incidents coming across their desk and do more than give them the customary admonishment and obligatory slap on the wrist and decide to take serious action to rein this rogue company in, once and for all. Their seeming immunity cannot last forever, and their rule and free pass just may be coming to an end as the list of dissatisfied customers continues to grow.
I tried to point this out back when but they decided to kill the messenger. They didn’t like the message, but all I can say to that is criminals don’t like cops. You can’t reason with an entity that is unreasonable and corrupt and no amount of training of staff or middle or upper management is going to fix a problem like this when the root of it is that too many people (and the wrong people) have access to confidential medical records, and the wrong people, unscrupulous people, are running the company.
I have written Health and Human Services to follow up on this new development and to ask again in the interest of the protection of all patients that legislation be written to defend patients’ rights, including the ability of patients to request that their records be sequestered and unavailable for perusal by the usual people who are routinely allowed to view, and/or make notations in their medical records.
How many more people must be hurt before a higher authority will step in and intervene? Patients, especially in the State of Georgia, are at a distinct disadvantage because so much blanket credibility is given to these systems allowing them to gamble with patients’ health, and even their lives.
That needs to change!
This is a cautionary tale of what can happen when corporations are given too much power. Even if you do not live in Georgia, chances are this problem of insecure patient records management will affect you now or in the future. Many large healthcare systems have similar policies and procedures, so your electronic records could be at risk for identity theft, patient profiling, and worse!