It isn't that Dan W is that mad... nor is it that Cardinal lost all of these
records...it is that the information was concealed from US government
These comments are pretty amazing - such a wide range of emotions and thoughts.
Personally, my first concern was simply that UPS did not return to sender (as
several mentioned) as USPS usually does. I mailed a package to my son in Germany
by USPS once, with an old address and it was returned to me...granted it took
several weeks, but it came back! Why not with UPS? Was the return label missing
or not added? I will hesitate to send through UPS now that I am not sure
mismarked items will not be returned to me. I do not think litigation is in order
here but an investigation to see what went wrong to ensure it is not happening
more than we know and perhaps a fine under HIPAA but we are just too quick to
sue these days!
And Dan W., after going over all this again, I guess I
totally missed whatever you were upset about so...must not have been that bad...
This is Dan Walsh. I am deeply disturbed by this invasion of my privacy. I find
your comments to be abusive, offensive, off-topic and misrepresentative of me
and my company. Sir, my lawyers will be in touch.
If you were in a hospital between 2000-2005 (maybe longer) and received drugs
from a Pyxis machine your records are out there. Your records were "encrypted"
but the file with the passwords was on the same disk and it was not encrypted.
So by the letter of the law, according to Dan Walsh the Chief Compliance
Officer, Cardinal (the maker of the Pyxis machines) did nothing wrong.
OCR will likely not investigate this.
1) The hospital was providing the charts as part of routine operations - a
Medicare audit.
2) Sending records
the HIPAA Notice of Privacy Practices.
How do I know? I am a HIPAA
privacy and security officer for a hospital system. I am a regular speaker on
HIPAA privacy and security.
Oops - I meant UPS did NOT provide the service as expected - see how easily
mistakes are made?
we get "bits and pieces" of the story, remember that. The fact remains that UPS
did provide adequate services, not the hospital. They sent the records certified
through a recognized carrier. A good lesson for us all to put more than one
The article states that boxes like this are shipped by hospitals all over the
country all the time. Well, so are IRS records, employment records, bank
records, and many others. It was one mistake. UPS sends millions of items daily
and you people are worried about 20 - 30 people's information that was in one
box! I am sure that people will get fired and people will get sued, but I think
it is just stupid.
Why is everyone confused about who to sue? Tell the family to call the Office of
Civil Rights of the Dept of Health and Human Services. That will start a
government investigation. It sounds like the hospital is a "covered entity"
under the Federal Privacy of Health Information law called "HIPAA".
Unfortunately as long as humans are involved, mistakes will occur - fact.
Realistically, med records are pretty secure - can they be made more secure -
sure, but it costs money and there is a point of diminishing returns. Any entity
that incurs greater cost must in turn pass them on - everyone wants 'more
privacy', the real question is how much do we (society) want to pay for 'more
privacy'
Another unfortunate fact is that the Personal ID never came about. This
forces medical and insurance entities to use SSN to know that Becky Smith,
Rebecca Smith and Becky Jones (now married) is one and the same and medical
histories and insurance records should be linked. There are multiple entities,
many of whom never see the patient face-to-face (i.e. labs, xray reads, etc.) that
must have some simple, accurate identifier to get the right information on the
right person to the right place.
Re: Wanee
You're absolutely right. It would be dangerous for it to
fall into unscrupulous hands. So I'm going to destroy it as soon as possible. I
have been using the 16 millimeter film to test the readers I repair but I can
always order in a few blank rolls of film. Still, it's amazing to me
that those who request this information are so careless with it. Fortunately,
like the hospital records listed in the story, it fell into the hands of
someone who is honest.
Simmer down. I understand that there is a possibility of identity theft, but
most of the outraged commenters don't seem to be worried as much about that as
the 'chance' that 'someone' could know they went to the hospital. Who cares?
Guess what: I take anti-depressants and went to see the doctor 4 times last
year for MRSA. If you don't know, it stands for Methicillin Resistant
Stapholococus Aurea (yeah, I know it is probably misspelled) and it could cause
death if left untreated. Ooooh! I feel so violated that someone might see that
on the web.
re rvalens2:
I think it's unethical of you to keep that kind of
information. If the data were stolen from you, I would consider you an
accessory to identity theft. Several times over the years I have accidentally
come into possession of private information and have shredded it immediately.
Sorry Bob, my comments were meant for "Bob G" not yourself. Just slipped up on
adding the "G."
re rvalens2:
I wasn't talking about laws. I was talking about a
company that helps other companies comply with the law by managing all stages of
sensitive documents' life.
Re: Bob
We already have a law that does most of what you propose.
It's called the HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996.
Public Law 104-191, 104th U.S. Congress. It was passed in 1996.
Here in a nutshell is what it says about the security of our health records.
(2) SAFEGUARDS.--Each person described in section 1172(a) who maintains or
transmits health information shall maintain reasonable and appropriate
administrative, technical, and physical safeguards--
(A) to ensure the integrity and confidentiality of the information;
(B) to protect against any reasonably anticipated--
(i) threats or hazards to the security or integrity of the information; and
(ii) unauthorized uses or disclosures of the information; and
(C) otherwise to ensure compliance with this part by the officers and
employees of such person.
Passing laws is not the problem. It's the compliance part; since no one is
checking to make sure the law is being followed.
We pass laws all the
time. The punishment for wrongful disclosure can be as much as 10 years in jail
and a $250,000.00 fine, but the government gets to keep the money and you are
left to deal with the problems.
I live in Florida and my husband has had several things done at this hospital.
How do I know if his information was among this box? No one has called me on
anything. This frankly still makes me nervous!
What we need are laws prohibiting the use of social security numbers by
unauthorized businesses and people, including insurance companies, credit
reporting companies, and hospitals, etc., etc., etc. The only authorized use of
the SSN should be the IRS, the SSA, and perhaps law enforcement for restricted
use. Medical and personal records should be shipped only by courier and on a
signature basis at both ends of shipping. If a shipper cannot deliver a package
they should be required to return it to sender instead of putting in a dead file
or lost file to be sold or disposed of, often for profit as UPS does. This NPS
store, in Salt Lake City, is a primary buyer of items that UPS fails to deliver
or gets lost in transit in world wide deliveries. UPS relies too heavily on
insurance claim adjustments than quality of service and delivery. I have seen
these packages and they do have legible sender addresses but they don't make
much, if any effort, to return undeliverable goods. There should be a
requirement for any delivery service, public or private, have a return to sender
policy in place. Personal information getting classified as lost should never
Who to sue? Why sue anybody? In the end no wrong came about. We Americans are
way too sue happy. It was a mistake. Get over it!!!
What happened to the rest of the records that went to the school class? Are
these 4th graders now living high on someone else's credit? Are they buying
ipods? Or were the records returned to the hospital? Terrible reporting to not
include all of the information, other than the sensational bits, that is.
Marcy the attorney was trained well. Trying to figure out just who has the
deepest pockets - that's who will be sued! Taking the SSN off of the UT death
certificates won't do a thing. The Social Security Death Index, put out by the
U.S. Government has them. Access to that data base on the internet is available
from many different genealogical sites. If you go to the SS site, you will
read that with the new, electronic setup, when a lender or anyone searching for
a SSN given in any transaction/application is checked, it will come up "dead" &
is a flag for all that fraud is in progress. Problem is, not everyone checks to
see if the number is valid - the person is alive.
It sounds like this hospital needs the services of Recall Total Information
Management. It's a great company that securely stores or destroys sensitive
documents for clients across North America.
Yes, I agree this is crazy. But, my goodness the first question raised was who
to sue? UNREAL? Have you ever made a mistake that went against all your safety
nets. We wonder why the world is at war. People do their best and sometimes
there are mistakes. Let us not forget all you Christians (of which I am one)
there was only one perfect person, the rest of us may make mistakes from time to
I have in my possession a microfilm with the names, addresses, social security
numbers, birth dates, phone numbers, age, closest relatives, personal contacts
and medical conditions of hundreds of Utahns, most of whom live in the Salt Lake
City area.
How did I get the information? It came attached to a
microfilm reader printer. The records were evidently microfilmed for a doctor in
the Salt Lake City area. Later, when the reader printer was sold as salvage, the
records came along for the ride.
Do you really think anybody out
there is concerned with protecting your private data? Balderdash.
So why do I still have them? Mainly, to prove to skeptics that no one is protecting
our personal data. Whenever I hear that the government wants to give us all
scannable REAL ID cards, I just want to laugh. I guess they want to
make it easier for criminals to steal our personal information. As it is now, they
would have to club you over the head for it.
I just did a web search for the hospital and looked at their "privacy" policy on
their web site. It's funny! They have a lot of words and cautions and
conditions -- but waited weeks when they KNEW records were missing and didn't
tell any of their patients. I hope someone takes them to the cleaners for
violating their own policies and not caring enough to even warn the people
impacted! This is a big story!
What a callous attitude!!! With highly personal records? I am outraged! Having
recently been hospitalized, I would be VERY upset if my records found their way
to some school kids!! Let's see, a whole box? What, 4,000-5,000 pages? And
it's a shipping problem? What? Some under-paid UPS part-timer could
not notice these were some kind of medical records? UPS "has a policy" and
their policy is only as good as their employees. And the hospital hasn't been
bothered to notify people their records were missing? UNREAL!!!
The story doesn't say, but I'm interested in where the records went? Did they get
shredded? Were they returned? Or are they in the Deseret News underground
vault? Inquiring minds want to know!
UPS, your "extensive and
technologically advanced system" failed. Your "inspection" failed. With all
the attention on ID theft, this is very troubling!