News of the theft of a computer containing the personal data of 38,000
cancer patients across five states highlights the evolution of identity
theft. Medical data is now more prized than Social Security numbers, privacy advocates tell internetnews.com.
While Social Security numbers are increasingly common, the medical record of
a cancer or AIDS patient is worth its weight in gold, Pam Dixon, executive director of the World Privacy Organization, told internetnews.com. “Cancer patients are big money.” The reason: fraudulent medical charges can easily hide among the many legitimate costs.
The stolen computer belonged to Cincinnati-based Electronic Registry Systems
(ERS), a private company that maintains federally mandated cancer patient records. The computer contained the records from five hospitals, three of which are in Georgia, Tennessee and Pennsylvania. ERS refused to identify the other two.
Emory University-owned Emory Healthcare, which contracted with ERS, advised
cancer patients to place a fraud watch on their credit records. Emory
Hospital, Emory Crawford Long Hospital and Grady Memorial Hospital are part
of the health care group.
However, checking credit records won’t alert patients to fraudulent medical
charges. Affected patients need to check their medical files, Dixon said.
Despite assurances that the computer had two passwords and the data was
encrypted and usable only with proprietary ERS software, Dixon said gaining
access was a simple matter.
“We’re beyond that level of innocence,” she said, adding that files could be read and copied and leave no fingerprints.
ERS said the patient data was stored on the computer unencrypted to convert
the information to its proprietary format. As a result of the theft, the
company said it has made changes to improve security.
In May, a Veterans Administration laptop containing the personal data of 29 million veterans was stolen. But the largest medical data breach happened in 2005, when a laptop holding the personal information of 365,000 patients was stolen from an employee of Oregon’s Providence Health System. The data was unencrypted.
Last year, Providence settled with Oregon’s Attorney General, agreeing to
spend millions to correct the blunder.