“Like it or not, our profession has no choice but to embrace transparency.” – Darrell Pruitt
Snow de Nism: rare but often used term of ancient Rome meaning “what’s under your garment.” Traditional Latin response was “Pruittismo/a!” – Molly Mulebriar
Gut check – Comparing the reactions of a hospital and a dental practice upon discovery of a data breach.
Sit back and watch this dentist shed some friends – just by doing the right thing. But if I don’t say something about the danger of EDRs (electronic dental records), I challenge you to name a dentist who will.
“4-year long HIPAA breach uncovered,” by Erin McCann, was posted today on HealthcareIT.
McCann writes: “The five-hospital Riverside Health System in southeast Virginia announced earlier this week that close to 1,000 of its patients are being notified of a privacy breach that continued for four years.”
That is about as long as the Williamsport, Pennsylvania breach from a dentist’s office, involving over 9,000 patient records, went unreported.
McCann: “From September 2009 through October 2013, a former Riverside employee inappropriately accessed the Social Security numbers and electronic medical records of 919 patients. The employee was a licensed practical nurse, according to a Daily Press account. The breach wasn’t discovered until Nov. 1 following a random company audit.” (Notice that the breach was reported within the required 60 days of discovery.)
Also years ago, ten times as many dental patients’ records were reportedly found on a lost thumb drive in Williamsport. By September 2009, the social security numbers of over a quarter of Williamsport’s citizens were available online, permanently, on Piratebay – a renegade file-sharing site. In September 2012, a concerned security specialist noticed the downloadable file (called a “torrent”) and dutifully informed the dentist-owner about the three-year-old breach. However, unlike the Riverside officials who faced a similar gut check, the dentist chose not to report the incident until he could put it off no longer. That time came when the breach made the local news a few weeks ago – over a year after HIPAA’s 60-day reporting deadline had lapsed. How can that not be considered “willful neglect,” which carries HIPAA’s highest fines? It looks like the dentist gambled and lost big.
Riverside Spokesperson Peter Glagola, in a Dec. 29 notice said, “Riverside would like to apologize for this incident. We are truly sorry this happened. We have a robust compliance program and ongoing monitoring in place, and that’s how we were able to identify this breach. We are looking at ways to improve our monitoring program with more automatic flags to protect our patients.”
On the other hand, when the dentist found out that a local reporter was receiving positive responses from the dentist’s patients to his question, “Is this your social security number?”, the dentist hired an attorney to send threatening cease-and-desist letters to the news station as well as to the security consultant who had warned him months earlier that his patients were endangered.
In light of this misbehavior, do you think that if American Dental Association leaders remain really, really quiet about breaches of EDRs they can continue to protect sales of the ADA-endorsed dental software The Dental Record as if nothing has changed? When conflicts of interest in healthcare interfere with openness, who is always harmed the most?
Like it or not, our profession has no choice but to embrace transparency that leadership fears. It’s not just our patients’ welfare at stake – although that’s a damn good reason in itself.
D. Kellus Pruitt DDS – email@example.com
cc: American Dental Association