Reader comments
Health files are sold as scrap paper to Utahn

A shipping problem? | 1:26 a.m. March 10, 2008

What a callous attitude!!! With highly personal records? I am outraged! Having recently been hospitalized, I would be VERY upset if my records found their way to some school kids!! Let's see, a whole box? What, 4,000-5,000 pages? And it's a shipping problem?

What? Some under-paid UPS part-timer could not notice these were some kind of medical records? UPS "has a policy" and their policy is only as good as their employees. And the hospital hasn't been bothered to notify people their records were missing? UNREAL!!!

The story doesn't say, but I'm interested in where the records went? Did they get shredded? Were they returned? Or are they in the Deseret News underground vault? Inquiring minds want to know!

UPS, your "extensive and technologically advanced system" failed. Your "inspection" failed. With all the attention on ID theft, this is very troubling!

Check it out | 12:33 a.m. March 10, 2008

I just did a web search for the hospital and looked at their "privacy" policy on their web site. It's funny! They have a lot of words and cautions and conditions -- but waited weeks when they KNEW records were missing and didn't tell any of their patients. I hope someone takes them to the cleaners for violating their own policies and not caring enough to even warn the people impacted! This is a big story!

rvalens2 | 2:33 a.m. March 10, 2008

I have in my possession a microfilm with the names, addresses, social security numbers, birth dates, phone numbers, age, closest relatives, personal contacts and medical conditions of hundreds of Utahns, most of whom live in the Salt Lake City area.

How did I get the information? It came attached to a microfilm reader printer. The records were evidently microfilmed for a doctor in the Salt Lake City area. Later, when the reader printer was sold as salvage, the records came along for the ride.

Do you really think anybody out there is concerned with protecting your private data? Balderdash.

So why do I still have them? Mainly, to prove to skeptics that no one is protecting our personal data. Whenever I hear that the government wants to give us all scannable REAL ID cards, I just want to laugh.

I guess they want to make it easier for criminals to steal our personal information. As it now, they would have to club you over the head for it.

Comments continue below

cool down | 5:55 a.m. March 10, 2008

Yes, I agree this is crazy. But, my goodness the first question raised was who to sue? UNREAL? Have you ever made a mistake that went against all your safety nets. We wonder why the world is at war. People do their best and sometimes there are mistakes. Let us not forget all you Christians (of which I am one) there was only one perfect person, the rest of us may make mistakes from time to time.

Bob | 4:59 a.m. March 10, 2008

It sounds like this hospital needs the services of Recall Total Information Management. It's a great company that securely stores or destroys sensitive documents for clients across North America.

concur | 6:25 a.m. March 10, 2008

Marcy the attorney was trained well. Trying to figure out just who has the deepest pockets - that's who will be sued! Taking the SSN off of the UT death certificates won't do a thing. The Social Security Death Index, put out by the U.S. Government has them. Access to that data base on the internet is available from many different genealogical sites. If you to go to the SS site, you will read that with the new, electronic setup, when a lender or anyone searching for a SSN given in any transaction/application is checked, it will come up "dead" & is a flag for all that fraud is in progress. Problem is, not everyone checks to see if the number is valid - the person is alive.

So what happened to the box? | 8:28 a.m. March 10, 2008

What happened to the rest of the records that went to the school class? Are these 4th graders now living high on someone else's credit? Are they buying ipods? Or were the records returned to the hospital? Terrible reporting to not include all of the information, other than the sensational bits, that is.

Joe | 9:11 a.m. March 10, 2008

Who to sue? Why sue anybody? In the end no wrong came about. We Americans are way too sue happy. It was a mistake. Get over it!!!

Bob G | 9:11 a.m. March 10, 2008

What we need are laws prohibiting the use of social security numbers by unauthorized businesses and people, including insurance companies, credit reporting companies, and hospitals, etc., etc., etc. The only authorized use of the SSN should be the IRS, the SSA, and perhaps law enforcement for restriced use. Medical and personalrecords should be shipped only by courier and on a signature basis at both ends of shipping. If a shipper cannot deliver a package they should be required to return it to sender instead of putting in a dead file or lost file to be sold or disposed of, often for profit as UPS does. This NPS store, in Salt Lake City, is a primary buyer of items that UPS fails to deliver or gets lost in transit in world wide deliveries. UPS relies too heavily on insurance claim adjustments than quality of service and delivery. I have seen these packages and they do have legible sender addresses but they don't make much, if any effort, to return undeliverable goods. There should be a requirement for any delivery service, public or private, have a return to sender policy in place. Personal information getting classified as lost should never happen.

Katrena | 1:11 p.m. March 10, 2008

I live in Florida and my husband has had several things done at this hopsital. How do I know if his information was among this box? No one has called me on anything. This frankly still makes me nervous!

rvalens2 | 1:25 p.m. March 10, 2008

Re: Bob

We already have a law that does most of what you propose. It's called the HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996. Public Law 104-191, 104th U.S. Congress. It was passed in 1996.

Here in a nutshell is what it says about the security of our health records.

(2) SAFEGUARDS.--Each person described in section 1172(a) who maintains or transmits health information shall maintain reasonable and appropriate administrative, technical, and physical safeguards--

(A) to ensure the integrity and confidentiality of the information;

(B) to protect against any reasonably anticipated--

(i) threats or hazards to the security or integrity of the information; and

(ii) unauthorized uses or disclosures of the information; and

(C) otherwise to ensure compliance with this part by the officers and employees of such person.

Passing laws is not the problem. It's the compliance part; since no one is checking to make sure the law is being followed.

We pass laws all the time. The punishment for wrongful disclosure can be as much as 10 years in jail and a $250,000.00 fine, but the government gets to keep the money and you are left to deal with the problems.

Bob | 2:29 p.m. March 10, 2008

re rvalens2:

I wasn't talking about laws. I was talking about a company that helps other companies comply with the law by managing all stages of sensitive documents' life.

rvalens2 | 2:39 p.m. March 10, 2008

Sorry Bob, my comments were meant for "Bob G" not yourself. Just slipped up on adding the "G."

Wanee | 3:01 p.m. March 10, 2008

re rvalens2:

I think it's unethical of you to keep that kind of information. If the data were stolen from you, I would consider you an accessory to identity theft. Several times over the years I have accidentally come into possession of private information and have shredded it immediately.

Anonymous | 4:02 p.m. March 10, 2008

Simmer down. I understand that there is a possibility of identity theft, but most of the outraged commenters don't seem to be worried as much about that as the 'chance' that 'someone' could know they went to the hospital. Who cares? Guess what: I take anti-depressants and went to see the doctor 4 times last year for MRSA. If you don't know, it stands for Methicillin Resistant Stapholococus Aurea (yeah, I know it is probably misspelled) and it could cause death if left untreated. Ooooh! I feel so violated that someone might see that on the web.

rvalens2 | 6:17 p.m. March 10, 2008

Re: Wanee

You're absolutely right. It would be dangerous for it to fall into unscrupulous hands. So I'm going to destroy it as soon as possible. I have been using the 16 millimeter film to test the readers I repair but I can always order in a few blank rolls of film.

Still, it's amazing to me that those who request this information are so careless with it. Fortunately, like the hospital records listed in the story, it fell in to the hands of someone who is honest.

wyliec2 | 11:48 a.m. March 11, 2008

Unfortunately as long as humans are involved, mistakes will occur - fact. Realistically, med records are pretty secure - can they made more secure - sure, but it costs money and there is a point of diminishing returns. Any entity that incurs greater cost must in turn pass them on - everyone wants 'more privacy', the real question is how much do we (society) want to pay for 'more privacy'

Another unfortunate fact is that the Personal ID never came about. This forces medical and insurance entities to use SSN to know that Becky Smith, Rebecca Smith and Becky Jones (now married) is one in the same and medical histories and insurance records should be linked. There are multiple entities, many of whom never see the patient face-to-face (ie labs, xray reads, etc.) that must have some simple, accurate identifier to get the right information on the right person to the right place.

JEA | 12:33 p.m. March 11, 2008

Why is everyone confused about who to sue? Tell the family to call the Office of Civil Rights of the Dept of Health and Human Services. That will start a government investigation. It sounds like the hospital is a "covered entity" under the Federal Privacy of Health Information law called "HIPAA".

John | 2:40 p.m. March 11, 2008

The article states that boxes like this are shipped by hospitals all over the country all the time. Well, so are IRS records, employment records, bank records, and many others. It was one mistake. UPS sends millions of items daily and you people are worried about 20 - 30 people's information that was in one box! I am sure that people will get fired and people will get sued, but I think it is just stupid.

medrecer | 4:01 p.m. March 11, 2008

we get "bits and pieces" of the story, remember that.The fact remains that UPS did provide adequate services,not the hospital. They sent the records certified through a recognized carrier. A good lesson for us all to put more than one label on!

medrecr | 4:09 p.m. March 11, 2008

Oops - I meant UPS did NOT provide the service as expected - see how easily mistakes are made?

HIPAA-man | 11:45 a.m. March 12, 2008

OCR will likely not investigate this.
1) The hospital was providing the charts as part of routine operations - a Medicare audit.
2) Sending records via UPS/FedEx/US Mail etc. is legal and addressed specifically under HIPAA.
3) The privacy policy posted on the website complies with the federal law for the HIPAA Notice of Privacy Practices.

How do I know? I am a HIPAA privacy and security officer for a hospital system. I am a regular speaker on HIPAA privacy and security.

Bob | 1:00 p.m. March 12, 2008

If you were in a hospital between 2000-2005 (maybe longer) and received drugs from a Pyxis machine your records are out there. Your records were "encrypted" but the file with the passwords was on the same disk and it was not encrypted. So by the letter of the law, according to Dan Walsh the Chief Compliance Officer, Cardinal (the maker of the Pyxis machines) did nothing wrong.

Dan Walsh | 7:47 a.m. March 14, 2008

This is Dan Walsh. I am deeply disturbed by this invasion of my privacy. I find your comments to be abusive, offensive, off-topic and misrepresentative of me and my company. Sir, my lawyers will be in touch.

Anonymous | 1:14 p.m. March 17, 2008

These comments are pretty amazing - such a wide range of emotions and thoughts. Personally, my first consern was simply that UPS did not return to sender (as several mentioned) as USPS usually does. I mailed a package to my son in Germany by USPS once, with an old address and it was returned to me...granted it took several weeks, but it came back! Why not with UPS? Was the return label missing or not added? I will hesitate to send through UPS now that I am not sure mis marked items will not be returned to me. I do not think litigation is in order here but an investigation to see what went wrong to ensure it is not happening more than we know and perhaps a fine under HIPAA but we are just too quick to sue these days!

And Dan W.,after going over all this again, I guess I totally missed whatever you were upset about so...must not have been that bad...

Bob | 4:59 p.m. March 18, 2008

It isn't that Dan W is that mad... nor is it that Cardinal lost all of these records...it is that the information was concealed from US government regulators.

Add your comment

Comments are monitored. Any comments found to be abusive, offensive, off-topic, misrepresentative, more than 200 words or containing URLs will not be posted.

Words Remaining

E-mail address: For internal use only. We may want to contact you to publish your comment (not your e-mail address) in the newspaper or for a separate story idea.