Identity Theft: Providence Healths Serious Pain

Laureen O’Brien, chief information officer of Providence Health & Services’ Oregon region, was in her office, just back from the 2006 New Year’s holiday. A phone call that Tuesday, Jan. 3, brought news that every CIO dreads. Someone had stolen a computer bag out of a systems analyst’s car four nights before. Gone were 10 computer disks and tapes holding information on what would turn out to be more than 365,000 patients?everything from Social Security numbers and birth and death dates to diagnoses, prescriptions and insurance numbers. Data on doctors was missing, too, including Medicare and Medicaid numbers, state license numbers, names, addresses and phone numbers.

As noted by state Attorney General Hardy Myers, who would soon open an investigation, this was the biggest data breach ever reported in Oregon.

The incident also exposed Providence to a relatively unknown, costly and potentially dangerous variation of ID theft?medical ID theft. Here, thieves can use stolen information to obtain treatment in victims’ names, corrupt their medical records and file false insurance claims.

People whose health records are stolen and falsified may get the wrong medical treatment, find their insurance exhausted or become uninsurable, says Pam Dixon, executive director of World Privacy Forum and author of a report, Medical Identity Theft: The Information Crime that Can Kill You. Medical ID theft "can affect your health and well-being," she warns.

The World Privacy Forum says 500,000 people may be victims of medical identity theft, based on numbers reported by the Federal Trade Commission in 2003. And the problem may worsen, especially as more and more health-care providers move from paper to electronic records, Dixon says.

Then there’s the matter of cost?not just to the direct victims, but the businesses and health-care providers like Providence that incur financial and sometimes legal liability because of pilfered medical records.

Providence has spent $7 million so far responding to the breach. "This was not a cheap mistake," CIO O’Brien says.

"I didn’t have gray hair before."

As one of the largest and most highly recognized health-care providers in the Pacific Northwest, Providence takes pride in using cutting-edge technology to improve patient care. In July, it announce d that one of its facilities, Providence Portland Medical Center, was among the "nation’s 100 Most Wired Hospitals and Health Systems" named by Hospitals & Health Networks magazine. The award is based on using information technology to improve quality, satisfaction and patient care and reduce medical errors.

Providence serves five states, such as Oregon and Washington, and regional executives oversee local offices and their technology departments. At most facilities across the company, employees back up data daily to tapes and disks and send it off to be stored in a secured building, O’Brien says. But at the company’s Home and Community Services unit in Portland, which cares for frail and elderly patients in their homes, employees took the backups home themselves, in their own cars, she says.

Now, 12 months later, the nonprofit medical provider finds itself mired in the consequences, in an ordeal that may continue for years. As patients worry that someone has messed with their finances or medical records?and as two of them press a negligence lawsuit against Providence in county court?Providence is fighting to save its reputation for reliability and trust.

In its scramble to respond to the New Year’s theft, Providence hired NTI Data Forensics, a computer forensics and security company in Bellevue, Wash., to figure out exactly what data was lost. Providence sent two letters, one to notify patients of the theft and the second to offer free credit monitoring and restoration to protect their identities. Patients who lost financial data also got phone calls. The company also set up special call centers to answer questions; bought patients two years’ worth of credit-monitoring and restoration services from Kroll, a New York-based firm that helps companies manage security risks; and contracted with business and technology solutions provider EDS to audit its security practices and suggest changes.

Providence’s attorney, John McGrory, insists there are no verifiable cases of identity theft from the burglary, even though Providence doesn’t know where the data is or who took it. The sheriff’s office in Clackamas County, where the theft happened, has no suspects and has suspended its investigation.

"I’m not excusing it or the conduct of Providence or saying it’s OK, but with the society we live in ? [loss of personal data] is happening," McGrory told Judge Marilyn Litzenberger at a hearing in Multnomah County Court in Portland on Nov. 3. "It results in financial loss in a very infinitesimal percentage of times."

But others, including Kroll, which is working with Providence, say identity theft is a serious problem, a crime where people are combining stolen information to get jobs, housing, health benefits and?if they can avoid being detected by the credit bureaus?credit, all in someone else’s name. "I believe there are more breaches for the purpose of identity theft every day," says Troy Allen, Kroll’s chief fraud solutions officer. "It’s an organized, violent felon crime where people know how to get access to large organizations."

Next page: HIPAA Enforcement: A Wrist Slap