The other day, I was coming home from work and witnessed a troubling site. A couple roughly my age with their dog in tow, obviously down in the luck department, were walking down my back alley in the city of Milwaukee, going through recycling bins and taking out aluminum cans by the dozen in an obvious cash grab. Because Milwaukee has mandatory recycling, this activity is considered theft of city property and is illegal. As a compliance officer, it may strike some as disturbing that I didn’t report this activity immediately to the police. In my defense, it’s never a pleasant moment when the less desirable realities of an economic downturn arrive so starkly at your door, but it is not my duty as a member of the human race to jeopardize the survival of someone else if I face no imminent or immediate personal threat.
History teaches us that increasing levels of desperation become a threat to everything in their midst. Primary among human instincts is the instinct for survival. If established tools of survival in a civilized society are threatened - the big three being food, clothing and shelter – the instinct for survival becomes its own morality, and begins to look for opportunity.
The official unemployment rate in the United States, also known as the U3 index, stands at 9.5% based on the latest statistics available through August. Being a man ruled by facts, I tend to look not at the trumpeted U3 figure, but the U6 unemployment rate, which measures newly unemployed, under-employed and discouraged workers who have stopped looking for work, but still maintain the ability and the will to work. The U6 number stands at a staggering 16.7% currently, and has been as high as 17.1% during 2010.
Taken hand in hand with the home foreclosure crisis, the overall economic picture is beyond bleak. What the chattering class sees is a recession that officially ended in the middle of 2009. What the general public sees is the same economic system that has shifted from manufacturing to services and concentrated wealth into the hands of the few continuing unabated, with the antique promise of “trickle-down” being exposed as a myth. Thinking that jobs will magically appear with this backdrop has become a proposition that has moved from “difficult” to “unrealistic”.
It was with this new reality in mind that I read a story out of Los Angeles this week concerning a privacy breach of roughly 33,000 medical records at Martin Luther King, Jr. Multi-Service Ambulatory Care Center (MLK-MACC).
Files stored at the facility were discovered as missing on July 29th, prompting a search and investigation by the facility, which led to two uncomfortable discoveries. First, the files in question may have been mistakenly marked for destruction. Second, and central to today’s post, the records were subsequently stolen by an employee and taken to a recycling center so he could cash in on the value of the paper contained in the files.
With this new piece of information, it’s time to review our threats to HIPAA privacy. We have identity theft, which was a motivation of the very first HIPAA violation and continues to this day. Next, we have potential unfettered access to information, leading to the more gossipy among those with access spewing forth patient medical data to anyone who is interested. Beyond these and other threats, we can now include an unnatural curiosity for the profit motive of renewable resources.
If I am in charge of compliance at any health care organization, after reading this, I expand my privacy and security focus from “How do I protect patient information?” to “What isn’t nailed down?”. The breach detailed above involves equal parts negligence and opportunism, but this leads me to do an informal exercise with the reader. If you are reading this from your job in the health care industry, I invite you to look around you for a moment and find something containing patient data that can be easily transported and either sold or stripped for cash. Chances are this exercise didn’t take long. I know the most obvious answers to this question, but being a compliance officer, it would be irresponsible of me to supply these to you. I mean, who’s reading this in the first place? If you read my writing with any sense of anticipation, there’s something devious about you that’s well-established.
Anyone who regularly deals with securing protected health information should try to take every threat into account. We’ve long known that your typical identity thief can come into an organization with PHI and wreak absolute havoc. As economic threats to social order continue, I challenge all of those charged with protecting patient data to look outside well-known breach threats and sharpen your focus to include threats posed by the current economy. It is up to each and every organization to determine the best way to assess potential breaches caused by economic circumstances of those with access to data, but as the MLK-MACC breach illustrates, the time to do so has rudely arrived.