Laureen O'Brien, chief information officer of Providence Health & Services' Oregon region, was in her office, just back from the 2006 New Year's holiday. A phone call that Tuesday, Jan. 3, brought news that every CIO dreads. Someone had stolen a computer bag out of a systems analyst's car four nights before. Gone were 10 computer disks and tapes holding information on what would turn out to be more than 365,000 patientseverything from Social Security numbers and birth and death dates to diagnoses, prescriptions and insurance numbers. Data on doctors was missing, too, including Medicare and Medicaid numbers, state license numbers, names, addresses and phone numbers.
As noted by state Attorney General Hardy Myers, who would soon open an investigation, this was the biggest data breach ever reported in Oregon.
The incident also exposed Providence to a relatively unknown, costly and potentially dangerous variation of ID theftmedical ID theft. Here, thieves can use stolen information to obtain treatment in victims' names, corrupt their medical records and file false insurance claims.
People whose health records are stolen and falsified may get the wrong medical treatment, find their insurance exhausted or become uninsurable, says Pam Dixon, executive director of World Privacy Forum and author of a report, Medical Identity Theft: The Information Crime that Can Kill You. Medical ID theft "can affect your health and well-being," she warns.
The World Privacy Forum says 500,000 people may be victims of medical identity theft, based on numbers reported by the Federal Trade Commission in 2003. And the problem may worsen, especially as more and more health-care providers move from paper to electronic records, Dixon says.