by Elizabeth Burke, Patient Privacy Advocate

In the winter of 2019, 45,000 patients of Rush System Health in Chicago and 6,300 patients of Emerson Hospital in Concord, Massachusetts were informed of an incident in which their private medical data was exposed in identical security breaches. The two hospital systems and Miramed, the company who handles their medical claims processing, have not publicly named the individual responsible for this breach, despite claiming to have reported the incident to law enforcement and completing a “detailed forensic investigation.”

If you have ever gone to the doctor or a hospital you have an electronic medical record. Contained within this digital database is a wealth of information about you including, but not limited to, your full name, date of birth, address, social security number, sensitive photos of your body, health insurance information, payment information, place of work, next of kin, members of your household (and in some cases their personal information), a catalog of your physical and mental health history, every blood test result, every prescription and every diagnosis, both past and present.

The information in your electronic medical record is profoundly personal and identifiable. To address this vulnerability the 104th United States Congress and President Bill Clinton enacted the Health Insurance Portability and Accountability Act (HIPAA) on August 21, 1996.  This legislation provides security provisions and data privacy to keep patients’ medical information safe.

When a US-based healthcare professional violates HIPAA they are held personally responsible for their actions both criminally and civilly. The criminal penalty for a willful violation of HIPAA can cost the offender between $50,000 and $250,000 and up to five years in jail.

This is not true for a work force in a foreign country. The Health and Human Services Office of Civil Rights, which is responsible for enforcing HIPAA, does not have extra-territorial reach. This means that an individual of an off-shored work-force does not face the same penalty that a US based professional faces. There is nothing to lose when a healthcare professional in another country violates HIPAA.

So, it shocks most Americans to hear that in some cases their un-redacted medical records are being accessed by foreign work-forces who are not held accountable to HIPAA. This phenomenon is the direct result of the digitization of health records which has allowed a US based workforce to be replaced by cheap labor from foreign countries such as India, The Philippines, and Pakistan.

This brings us to the two identical data breaches that I have reason to believe involved an off-shored workforce. 45,000 patients of Rush System for Health in Chicago, Illinois and 6,300 patients of Emerson Hospital in Concord, Massachusetts had their names, addresses, birthdates, social security numbers and health insurance information compromised through a third party vendor.

The vendor who admitted to the breach is Miramed. Miramed, in their own words, “stands as the premier global provider of business process outsourcing solutions [for] healthcare organizations nationwide.” They are also known for hiring off-shored work-forces in India and The Phillipines to handle medical insurance claims processing. In response to this data breach Emerson hospital claimed in a press release that “A detailed forensic investigation showed that the files were of such poor quality that a third-party did not find the data useful.” Basically assuring everyone that yes, their information was stolen, but don’t worry, most likely no one can do anything with it. Additionally, Miramed reported that the individual who compromised this data has been fired and the incident reported to law enforcement.

However, when I called the police departments in Massachusetts, Illinois, and Michigan (Jackson Michigan is the corporate headquarters of Miramed) as well as FBI field offices in an attempt to find out more about the investigation, I could find no record of Miramed filing charges related to this data breach. None of these entities appear to have been the law enforcement agencies that Miramed claimed it contacted. So, who completed the “detailed forensic investigation?”

More importantly, why was the offender merely fired?  Under HIPAA, this individual should be facing criminal charges which would eventually be made public, yet I have been unable to find the name of the law enforcement agency that conducted the investigation or any charges filed.

During my investigation of The Emerson Hospital and Rush Health System data breaches I called Miramed on four separate occasions. I identified myself as a patient privacy advocate and asked for the name of the law enforcement agency to which Miramed claims to have reported the breach. They have acknowledged that I made multiple calls and informed me that they would not be answering my questions.

My questions remain and I will now ask them publicly: A crime has been committed, what law enforcement agency is handling this investigation?  Who performed the forensic investigation that determined the breach to be “low risk” as described by Deb Song, hospital spokeswoman for Rush System for Health? Did this breach happen in the United States? I can only hope that Miramed will answer these questions and release the name of the person responsible for this data breach.

It’s also important to remember that this data was collected and disseminated in the delivery of life-saving healthcare. Should a seven year old receiving chemotherapy treatment have this level of personal exposure? Is that the price of getting treatment for cancer? There is a saying, “The walls of hospitals have heard more prayers than the walls of churches” and it perfectly captures the sacred trust that patient populations put in their healthcare providers.

Patient populations are owed the full scope of privacy that HIPAA promises them. Undermining HIPAA by off-shoring the processing of medical claims makes patient populations vulnerable and leaves no avenues for justice. The last thing a sick person needs to deal with is trying to wrest their identity back from the hands of someone who got it via the very place they sought treatment.