Simple human error made the private medical records of 45 patients at Grady Hospital in Atlanta, Georgia available on the internet. The hospital outsourced note transcription to a firm in Marietta, Georgia, who then outsourced it to a contractor in Nevada, who in turn outsourced it to a firm in India. Workers at the Indian firm allegedly caused the breach. Luckily, the exposed information did not include social security or credit card numbers. There was no evidence of theft, and it does not appear that the patients were harmed.

Smaller practices are less likely to be exposed this way, but they are not immune. A practice that transcribes in-house and keeps its records on its own systems has few paths by which patient records could end up on the internet. The exposure begins as soon as records leave the practice: dictation sent out to a transcription service, or an electronic medical record delivered on the ASP (application service provider) model, where the vendor hosts the data and the practice reaches it through a web-based interface. Those hosted EMR systems could be compromised. The vendors usually take considerable care to lock down their systems, so the risk is small, but it is the vendor’s controls, not the practice’s, that the patient data depends on.

The real lesson is to be wary of outsourcing work. It is not always efficient to do everything in-house, but practices should exercise caution when working with third parties. Make sure the contract stipulates that whoever you’re contracting with will perform the work themselves and will not subcontract it without your written consent, and that the privacy and security obligations you impose on them follow the work to anyone they do hand it to. The recursive outsourcing seen in the Grady incident is not only somewhat absurd, it’s also a huge security risk: instead of one firm having access to protected health information, three firms and an unknown number of employees now have access, and each handoff puts the data further from anyone the hospital can hold to its contract.

read the story

Ryan Ricks
Security Officer