Kaiser Permanente Files New Motions Against the Diva of Disgruntled Blogger

Friday, 18 March 2005
An article in today's San Jose Mercury News reports that Kaiser Permanente filed new motions in an existing lawsuit against a former employee, Elisa D. Cooper, aka the "Diva of Disgruntled," asserting claims based on invasion of privacy and breach of a confidentiality agreement.

This follows up the announcement by Kaiser last week that it was notifying 140 patients in California that personal information, including names, addresses, telephone numbers, medical record numbers and results of routine lab tests, had been posted on the Web. According to the article today:
Kaiser has since acknowledged that it constructed the unsecured technical Web site but said it did not know if patient information was included on it. Cooper said she tried to notify Kaiser about the breach only to be rebuffed, and she subsequently filed a Federal health privacy complaint with the U.S. Department of Health and Human Services, which in turn contacted Oakland-based Kaiser.
Also, the article reports that the California Department of Managed Health Care (DMHC) is investigating both Ms. Cooper and the actions of Kaiser Permanente. The DMHC has also ordered Ms. Cooper to stop posting certain information to her blog.

For more details and some interesting commentary on this matter, check out Matthew Holt's most recent post on The Health Care Blog. Also, for more information about Ms. Cooper's termination from Kaiser, you can read her post titled "Details of My Termination from Kaiser." You can also see the nature of the complaint that Ms. Cooper filed with the Office of Civil Rights, which is responsible for investigating potential violations under the Privacy Rules of the Health Insurance Portability & Accountability Act of 1996 (HIPAA).

Also check out the March 16, 2005 ComputerWorld article for coverage of this matter.

Kaiser Permanente Gadfly

Monday, 14 March 2005
Matthew Holt's "The Health Care Blog" has an interesting followup post on Kaiser Permanente's announcement last week about the breach of privacy involving patient health information of 140 individuals. The blog post also contains some interesting followup comments by the Gadfly and others.

UPDATE:
Yesterday, March 16, 2005, Matthew Holt posted an update on the outcome of the hearing involving the injunction filed by Kaiser Permanente against the Gadfly. The Gadfly also has a recent post on her blog giving her perspective on the outcome of the injunction hearing. The post is titled "My Morning in Court".

Private Patient Data Posted Online Blog by Disgruntled Former Kaiser Employee

Friday, 11 March 2005
Today I read an article (see below) from the iHealthBeat newsletter reporting on an article which appeared in the March 11, 2005, San Jose Mercury News. This will be the third well-publicized breach of private data in as many weeks (see my post on ChoicePoint and Lexis-Nexis). This is also interesting because it involves blogging and employee issues, which are the topic of much debate these days due to some other recent high-profile cases.

Based on the comments in the article, it appears that a privacy-related complaint under the Privacy Rule created under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was filed either by one of the parties involved or by the blogger and former employee herself, since the Office of Civil Rights is now involved and investigating. The article points out that the former employee may face significant fines and penalties; however, the article does not point out that the health care provider responsible for complying with the HIPAA mandates may also face such charges.

I did some quick Googling and seemed to come across the blog of "Diva of Disgruntled" which is interestingly titled "Corporate Ethics". The blog contains a recent post today in response to the news break on the matter.

It will be interesting to watch this one unwind.

Following is the iHealthBeat article:

Kaiser Permanente is alerting 140 patients in Northern California that a disgruntled former employee posted private information about them on her blog, the San Jose Mercury News reports. The information includes medical record numbers, patient names and information about some routine lab tests, but not the test results. Kaiser in January learned of the breach from the federal Office of Civil Rights and has been investigating the issue since then, said Kaiser spokesperson Matthew Schiffgens. However, Schiffgens said Kaiser on Wednesday asked the Internet service provider hosting the blog to remove the data, the Mercury News reports. The former employee, who calls herself the "Diva of Disgruntled," said that the company posted the patient information on an unsecured Web site and that Kaiser took it down only after she pointed it out, the Mercury News reports. She said she reposted the information to another site to illustrate how easy it was for someone to access the information, which she said had been on the Internet for a year. She said she also filed a complaint with the federal Office of Civil Rights. Schiffgens said Kaiser has been unable to confirm the woman's claims that it posted private patient data, but he said the woman still breached her obligation to protect member confidentiality by posting the information herself. Schiffgens said Kaiser might take legal action against the woman, the Mercury News reports. Under HIPAA rules, she could face fines of up to $250,000 and 10 years in prison for unlawfully disclosing patient data (Feder Ostrov, San Jose Mercury News, 3/11).


West Virginia Health Care Authority Issues Draft CON Standards on Cardiac Cath and Cardiac Surgery for Comment

Thursday, 10 March 2005
The West Virginia Health Care Authority has published new standards for Cardiac Catheterization Standards and Cardiac Surgery Standards under the State Health Plan. The notice on the West Virginia Health Care Authority's website shows that providers in West Virginia have a 30 day public comment period that ends on April 8, 2005 to comment on the draft standards.

The current Cardiac Catheterization Standards were approved by the Governor of West Virginia on August 22, 2002. The current Cardiac Surgery Standards were approved by the Governor of West Virginia on May 5, 2004.

For those unfamiliar with the Certificate of Need (CON) process, West Virginia has a statutorily mandated CON review process which requires health care provider projects, new services, etc. to obtain CON approval prior to starting the project or new service. The CON review process typically includes the determination of need, consistency with the State Health Plan, and financial feasibility. Need for the project is determined using CON Standards, which generally include population-based quantifiable need methodologies. Financial feasibility includes the evaluation of the reasonableness of proposed charges to patients and the determination as to whether the expense and revenue projections demonstrate fiscal viability for the proposed project. Other review criteria include quality, accessibility, and continuum of care.

Confidential Information on 32,000 People Stolen from Lexis-Nexis Database

Wednesday, 9 March 2005
Today Lexis-Nexis announced that hackers stole confidential information on 32,000 people. According to a news article from PC World, the following information was stolen from a Lexis-Nexis subsidiary called Seisint. PCWorld reports that:

The hackers stole passwords, names, addresses, Social Security numbers, and drivers license numbers of legitimate customers of the company's Seisint division. Seisint collects data on individuals that law enforcement agencies and private companies use for debt recovery, fraud detection, and other services.

Here is a press release issued by Lexis-Nexis regarding the investigation into the privacy breach. Lexis-Nexis acquired Seisint in September 2004 for $775 million. Due to the privacy breach, I suspect that the price of the acquisition just went up substantially.

This is the second high-profile breach of confidential health data in as many weeks. In mid-February there was a report of a breach of 145,000 individuals' confidential information at ChoicePoint. For more information on this particular breach, read the following article from PCWorld. Interestingly, on March 4, 2005, ChoicePoint announced its decision to exit those lines of its business which involve the sale of confidential and sensitive consumer data.


Thursday, 3 March 2005

My dad has been experimenting with Hello, software that allows you to share your digital photos, and Picasa, software which allows you to find, edit and organize digital photos that reside on your hard drive. These software downloads are part of Google's positioning to take over the desktop from Microsoft.

I have played around with Picasa and have found it very user friendly and intuitive. I think they have found a niche that needed to be filled. As an example, my dad is one of the most knowledgeable computer users in the 80+ year old category and has been using computers back to the first Macintosh that my sisters and I purchased for him in the late 1980s. However, something that has always been confusing for him is the ability to navigate the Explorer features, how to (and where to) save documents, files and now digital photos. Picasa brings to him the ability to have the software find and organize the photos on his hard drive.

He has been using Picasa for a couple of months and just recently sent me an invitation to join Hello so that we can share digital photos back and forth. I have been meaning to download and try out Hello, since I was interested in the feature that allows me to now share photos up to my Blogger blog (Blogger is another product/business swept up by Google). Above is a test post of a photo of my 9 month old during a recent trip to Florida with her, my wife and my 4 year old.

Pizza and Privacy: ACLU Privacy Video

Wednesday, 2 March 2005
Today someone referred me to an online video put out by the American Civil Liberties Union (ACLU) to demonstrate how technology can be used, even by your local pizza business, to access and reveal sensitive financial, medical, employment and other personal data.

Although the video is done in fun, it does make one think about being more cautious with releasing personal and private information.
Here is a press release issued by the ACLU discussing the online pizza delivery privacy video.