A Kaiser Permanente hospital located in a Los Angeles suburb has fired 15 employees and reprimanded eight others for improperly accessing the personal medical records of Nadya Suleman, the California woman who gave birth to octuplets in January.
The unauthorized accessing of Suleman's electronic records at the medical center in Bellflower, Calif., violated a California law designed to safeguard the privacy of health care data, according to Kaiser spokesman Jim Anderson, who said the snooping incidents have been reported to the California Department of Public Health.
The improper activities were discovered as a result of increased network monitoring procedures that the hospital implemented in anticipation of the huge public interest in Suleman following the birth of the octuplets, Anderson said.
"We have known since she came into the hospital that at some point, this would be a fairly widely reported story," he said, adding that Kaiser also conducted extra training before Suleman was admitted to the hospital to remind employees about the importance of keeping patient data confidential.
Anderson said Suleman was first notified of the breaches about 10 days ago, initially to inform her that eight people had accessed her records without authorization. She later was told that Kaiser had found that an additional 15 employees had done so. There is little evidence thus far that any of the fired or disciplined workers accessed the files for any reason other than personal curiosity, Anderson said.
Suleman shot into the public and media spotlight when she became only the second person in the U.S. known to have delivered a set of living octuplets. At the time, Suleman was already the mother of six children — a fact that added an element of controversy to the births, fueling even more interest in her.
Data-snooping incidents such as the one at the Kaiser Permanente Bellflower Medical Center highlight the lack of adequate security controls that hospitals and other entities in the health care industry have for protecting patient records, said Deborah Peel, founder and chair of Patient Privacy Rights, a watchdog group in Austin.
"The state of health IT access controls is abysmal, atrocious and outdated," Peel said. She claimed that what happened at Kaiser "can and does happen" on a broad scale at hospitals across the U.S. because of their continued reliance on "primitive" security controls that haven't been updated in decades.
Unlike in industries such as the financial services sector, where role-based access control is the norm rather than the exception, a wide range of workers at health care providers can get access to patient data whether they need to have such access or not, according to Peel.
Large enterprises such as Kaiser, she noted, can have thousands of individuals with the ability to access sensitive data about patients. "Think what would happen if all the employees at Bank of America had access to all of the customer accounts at all times," Peel said.
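The kind of check Peel is describing, and the kind of monitoring Kaiser says caught the snooping, can be expressed as a simple audit rule: an access to a chart is suspect when the user has no documented treatment relationship with the patient and is not in a role that legitimately opens any chart. The script below is an added illustration, not Kaiser's code or any real EHR product; the pipe-delimited log format, the care-team table, the role names and the sample entries are all constructed for the example.

```python
"""Audit rule: flag chart accesses with no documented care relationship.

Added example (not from the article or Kaiser). The log format, roles,
care-team table and sample lines are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: staff with a current treatment relationship per patient.
# In a real EHR this would be derived from admissions, orders and schedules.
CARE_TEAM = {
    "P-1001": {"dr_lee", "rn_patel", "rn_gomez"},
    "P-2002": {"dr_lee", "rn_chan"},
}

# Constructed sample: roles allowed to open any chart without a care
# relationship (for example health-information management or compliance).
UNRESTRICTED_ROLES = {"him_clerk", "privacy_officer"}

# Constructed audit log: timestamp|user|role|patient_id|action
SAMPLE_LOG = """\
2009-01-26T08:12:03|dr_lee|physician|P-1001|view_chart
2009-01-26T08:15:44|rn_patel|nurse|P-1001|view_chart
2009-01-26T09:01:10|clerk_42|billing|P-1001|view_chart
2009-01-26T09:03:55|rn_chan|nurse|P-1001|view_chart
2009-01-26T09:04:20|him_clerk_7|him_clerk|P-1001|view_chart
2009-01-26T12:30:00|rn_chan|nurse|P-2002|view_chart
2009-01-26T13:45:12|clerk_42|billing|P-2002|view_chart
"""


@dataclass(frozen=True)
class Access:
    ts: datetime
    user: str
    role: str
    patient: str
    action: str


def parse_log(text: str) -> list:
    """Parse the constructed pipe-delimited audit format into Access records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split("|")
        records.append(Access(datetime.fromisoformat(ts), user, role, patient, action))
    return records


def unauthorized_accesses(records, care_team=CARE_TEAM, unrestricted=UNRESTRICTED_ROLES):
    """Return accesses by users who are neither on the patient's care team
    nor in a role permitted to open any chart."""
    flagged = []
    for r in records:
        if r.role in unrestricted:
            continue
        if r.user in care_team.get(r.patient, set()):
            continue
        flagged.append(r)
    return flagged


def users_by_patient(flagged):
    """Group flagged accesses so reviewers see how many distinct users
    looked at each patient's chart, as in the counts reported by Kaiser."""
    out = {}
    for r in flagged:
        out.setdefault(r.patient, set()).add(r.user)
    return out


if __name__ == "__main__":
    hits = unauthorized_accesses(parse_log(SAMPLE_LOG))
    for patient, users in users_by_patient(hits).items():
        print(f"{patient}: {len(users)} user(s) without a care relationship: {sorted(users)}")
```

In the sample, the nurse rn_chan is on the team for P-2002 but not for P-1001, so only the P-1001 access is flagged, and the billing clerk is flagged on both charts. A real deployment would add a break-the-glass path that lets an emergency access proceed while recording a reason for later review, and would escalate alerts for patients placed on a high-profile watch list, as the hospital did here.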
Last April, the medical center at the University of California, Los Angeles, disclosed that as many as 165 doctors and other employees had improperly accessed the medical records of numerous celebrities, including Tom Cruise, Farrah Fawcett and Britney Spears, over a period of as many as 13 years.
But such incidents aren't solely restricted to the health care industry. In January 2008, federal officials disclosed that employees and contract workers at the U.S. Department of State had repeatedly accessed without authorization the passport records of then-Sen. Barack Obama and his presidential rivals Hillary Clinton and John McCain.
Three people have pleaded guilty to unauthorized computer access charges in connection with the events at the State Department, which also involved snooping in the passport files of other politicians as well as actors, musicians, athletes and media members.
Jay Cline, a Computerworld columnist and president of Minnesota Privacy Consultants, said incidents such as the ones at Kaiser, UCLA and the State Department often cause companies to move employee snooping up higher on their lists of potential data risks. "As a result, they'll impose more pervasive logging and monitoring controls," Cline said via e-mail, adding that he sees that as an "unfortunate" consequence of the breaches.
Cline thinks that the various snooping incidents are at least partly the result of what he described as the "Facebook effect." Social network users "have become used to poking through other people's Facebook and LinkedIn profiles, and they see no ethical difference doing the same thing with employee and customer databases that they [can] access at work," he said.
According to Cline, that makes it incumbent upon IT and security managers to make the following three things clear to employees: "Our systems are not Facebook. We're watching system usage closely. Use them for authorized purposes only, or you may be fired."