In the latest example of employee data-snooping, a Kaiser Permanente hospital located in a Los Angeles suburb has fired 15 workers and reprimanded eight others for improperly accessing the medical records of Nadya Suleman, the California woman who gave birth to octuplets in January.
The unauthorized access to Suleman's electronic records at the facility in Bellflower, Calif., violated a California law designed to safeguard the privacy of health care data, according to Kaiser spokesman Jim Anderson. He said the improper activity was discovered through increased network-monitoring procedures that the hospital put in place in connection with the birth of the octuplets.
Kaiser also conducted extra training to remind hospital employees of the need to keep patient data confidential, Anderson said.
The snooping incidents highlight the lack of adequate data-security controls at hospitals and other health care organizations, said Deborah Peel, who heads the Patient Privacy Rights Foundation in Austin.
Peel claimed that such privacy breaches occur on a broad scale because of the health care industry's continued reliance on "primitive" user-access controls. At large enterprises like Kaiser, she noted, thousands of workers may be able to access patient data, even if they don't need to do so.
In a similar case, the medical center at the University of California, Los Angeles, disclosed last April that as many as 165 doctors and other workers had improperly accessed the medical records of numerous celebrities over a 13-year period.
But such incidents aren't restricted to the health care industry. In January 2008, federal officials disclosed that U.S. Department of State employees and contractors had snooped through electronic passport records, including those of then-Sen. Barack Obama.
Jay Cline, president of Minnesota Privacy Consultants, thinks the "Facebook effect" is partly to blame. Users of social networks "have become used to poking through other people's profiles," Cline said, "and they see no ethical difference doing the same thing with employee and customer databases."
He added that IT and security managers need to make three things clear to employees: "Our systems are not Facebook. We're watching system usage closely. Use them for authorized purposes only, or you may be fired."