As the federal government pushes harder for electronic sharing and storage of medical records, privacy and security advocates have been raising concerns about the potential for data breaches and misuse and a new government report supports those fears.
A report issued by the Government Accountability Office (GAO) reveals that privacy breaches have been rampant among state, national, and military health care agency contractors since 2004.
According to the GAO report, 40 percent of health insurance contractors and state Medicare/Medicaid offices experienced data breaches in the last two years.
The report also found that vendors contracted to provide health technology needs heavily outsourced their work to other contractors, many of whom may have been outside the United States.
Although the agencies surveyed rarely outsourced their work offshore directly, "[s]ome federal contractors and state Medicaid agencies did not always know whether their domestic vendors engaged in further transfers of personal health information domestically or offshore. Others indicated that they did not have mechanisms in place to obtain such information," the report said.
Among the report's findings:
One privacy breach occurred in 2004 when a vendor tasked to collect data from patient surveys in California outsourced the task to another vendor, who designed the survey in such a way that patients could see others' personal information. An offshore vendor for another project blackmailed the agency with threats of disclosing patients' personal information unless they received payment for their transcription services.
The agencies overseeing the Medicare, Medicaid, and TRICARE military health programs have differing requirements for reporting privacy breaches. While the TRICARE Management Agency (TMA) required notification of privacy breaches from all of its contractors, the Centers for Medicare and Medicaid Services (CMS) did not require it from Medicare Advantage plan contractors or state Medicaid agencies. In comments appended to the report, CMS concurred with the findings and detailed its plans to improve practices.
The GAO recommended that the agencies extend their privacy practices to all contractors and subcontractors, and perform regular monitoring and oversight of every vendor they use to ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA), and the 1974 Privacy Act, both of which regulate government agencies' collection of personal and medical data.
"We believe that federal contractors and state Medicaid agencies should be held accountable for how well personal health information, held by them or disclosed to their vendors, is protected," the report concluded.
It's not the first time the GAO has taken government agencies to task for failing to secure Americans' personal data in their operations.
A September 2005 report found that while agencies such as the IRS and FBI had authorized some data privacy regulations, none of the agencies surveyed had fully implemented all of the necessary rules to ensure privacy needs were met.A January 2006 report found that government agencies had vastly different requirements for the handling of Social Security numbers by contract vendors the agencies outsourced business to. This led to "gaps in oversight," and potential dangers for data breaches.
In the wake of the massive Veterans' Administration data breach stemming from the theft of a laptop, government agencies have said they are scrambling to lock down data and institute new privacy and security safeguards. But the number of reported breaches indicates there is still much more work to be done.