Hackers could have stolen the social security numbers and medical history of over 160,000 women at UNC

UNC's Health Record Breach Raises Questions About the Safety of EHR

October 02, 2009
by Brendon Nafziger, DOTmed News Associate Editor

Hundreds of thousands of medical records might have been compromised by an electronic break-in of the University of North Carolina-Chapel Hill's radiology department, raising fears over the security of medical records.

Over 160,000 entries of women participating in a mammogram study, called the Carolina Mammogram Registry, had their data potentially accessed.

Of these, around 46,000 had their information "coded," a now standard procedure, so even if hackers saw the registry, they would get no personal information.

But for the other 114,000, the registry listed social security numbers, name, address, phone number, demographic information and results from breast exams, according to the hospital.

But UNC is quick to stress that there's no evidence any hacker saw or stole anyone's records.

"We don't know if or where a breach has occurred," Paul Molina, M.D., the vice chair of the radiology department at UNC, tells DOTmed News.

University officials first detected something was amiss in July, discovering traces of malicious code in the registry believed to have been left in 2007. But only last week did they begin sending out letters notifying patients of the possible breach.

Dr. Molina says the months-long delay was caused by the large amount of data in the registry that investigators had to comb through. "Contacting patients unnecessarily was something we wanted to avoid," he says.

The investigation is ongoing. Already, the number of women whose info might have been accessed has been downgraded from the 236,000 initially reported on Monday to 160,000.

The registry, one of the largest data storehouses for breast cancer research, was created to "improve breast cancer detection and to guide avenues of research in the area of breast cancer," says Dr. Molina.

Security umbrella

Some experts believe university servers are more vulnerable to hacking because they're decentralized - not under the protection of a main secure server, as was the case with UNC's mammography database.

"It was pretty much on its own," says Dr. Molina. "I think that is one thing that may come out of this security breach, is whether or not other servers currently existing on campus will be brought under some central umbrella."

But John Travis, a senior director at Cerner, one of the leading electronic health records companies, doesn't think that university hospitals are necessarily at a greater risk.

"The nature of the way the data is spread across multiple systems and the security of the systems are more important factors contributing to vulnerability than being a university hospital," he tells DOTmed News in an email.

Tightening the screws on security

In order to keep their electronic health records (EHRs) secure, Travis believes hospitals should regularly audit access rights -- checking to see who's allowed into the system, and who's been there recently.

He also notes that under a "safe harbor" provision in federal law, if hospitals encrypt their data, they don't always have to notify patients of possible breaches.

But Travis believes encryption isn't the answer to everything, and that hospitals should "use their security risk assessment to inform their decisions about where encryption makes the most sense to mitigate risk of theft, loss or intrusion" given what's involved in its use.

He suggests that data going over wireless networks or stored on backup disks away from the hospital are the best candidates for encryption.

Risks vs. benefits

Travis says despite the risks highlighted by the UNC story, EHR systems offer a huge benefit in error reduction.

"There have been real-life examples of nurses administering the wrong dose of a medication because the packaging looked similar, resulting in patient harm and even death," he writes. "If a bar code medication administration system that required the nurse to verify that the medication was the right dose for the patient prior to administration had been in place, these types of errors may have been avoided."

With the recent announcement of a Health and Human Services grant of $20 million for expanding EHR services, there could be a big boost in hospitals going paperless.

"Government incentives will likely spur the adoption of EHR technology," writes Travis, "but more importantly, hospitals are looking to adopt the technology as a way to improve patient safety and satisfaction and provide clinicians with access to critical patient data in near-real time."