Most of the data breaches I read about in the news are from computer systems. Either someone lost a laptop with patient records or social security numbers, or someone hacked into a server with credit card numbers. With all the high-tech ways of doing things, we may lose sight of the low-tech methods of stealing information.
According to Wikipedia, dumpster diving is the practice of sifting through commercial or residential trash to find items that have been discarded by their owners, but which may be useful to the dumpster diver. Do you remember the famous scene in the movie Animal House, where Bluto and D-Day go sifting through the trash to find the answers to a test everyone is taking? Think about people doing that looking for patient records, social security numbers and the like.
A recent article in the Boston Globe talks about patient information from four (4) Massachusetts hospitals winding up at a city dump. These were paper documents and nothing was shredded. By law, medical records and documents with personally identifiable information (PII) must be destroyed to protect personal privacy. Sending them to the city dump clearly violates the law. Someone wasn’t thinking.
This sounds like a chain of custody problem that attorneys and others in the legal and law enforcement professions face. Think about all the people and organizations that touch a patient’s confidential information. An insurance company has social security numbers and patient procedures, so they can pay claims. The doctors and nurses involved in care have information on diagnosis and treatments. If a pharmacy is involved, they know about prescriptions. Admissions and billing people know all about patient records so they can admit patients and bill insurance companies. Some of the people may be internal to a hospital or medical practice and many may be outside service providers. The number of people who can access your and my medical records is very large. And how they handle that information is important.
Much of this information is electronic, but the vast majority also exists on paper. From filling out admissions forms in a waiting room to receiving an EOB (explanation of benefits) form in the mail, your information is everywhere. At least at home, you and I can make sure we shred any papers with this information, but when it comes to our providers, we have to trust that they are taking the same precautions.
It is important to lock down your computer systems against hackers and insider threats, but we need to make sure that the old-fashioned ways of stealing confidential information are put out of business. Using a $50 shredder could save a lot of grief. As I always say to my kids, “Take a minute to think before you act.”