A week or so ago at my workplace, we had a guest speaker at our weekly staff meeting. The topic? Health care fraud. It was interesting to learn all the different ways in which people commit health care fraud--fascinating even (you would be amazed by some of the things people do).
Yesterday, I received the following letter from my doctor:
Dear patient,
We are writing to inform you that our computer system was attacked by a computer virus on November 8, 2007. We believe that the purpose of the virus was to use our server to send out e-mails (spam). Our research done on this type of virus indicates this is the case. However, we cannot be sure that patient data was not also accessed. Our server does not contain any credit card information.
The security was breached after an update from our Electronic Medical Record was installed. This update opened up access to the server. We have corrected the problem and reconfigured the server to prevent this from happening again. We are taking every step possible to ensure that your health and personal information remains confidential and secure.
Although at this time it does not seem likely the intruders were after the data on our server, it would be prudent to order a free copy of your credit report to check for unusual or unauthorized transactions. . . . It is also a good idea to watch your insurance EOBs (the forms that explain what the insurance company was charged for and what they are paying) to ensure that you are only being charged for legitimate visits. . . .
Thank you for your understanding regarding this unfortunate hazard of our computer age. Our ultimate responsibility is to provide you with the best health care possible, which would not be possible without taking advantage of an Electronic Medical Record. We are confident in our security updates and hope never to have another such incident.
With our sincerest apologies,
All of us at [my doctor's office]
Wow. So, let's start with this statement:
We believe that the purpose of the virus was to use our server to send out e-mails (spam).
Most of us are familiar with these types of viruses, but they apparently didn't get the virus by opening an infected email. They got the virus while updating their EMR system:
The security was breached after an update from our Electronic Medical Record was installed. This update opened up access to the server.
Nice. They also admit to being unsure if patient records were accessed. This doesn't sound like an email/spam virus to me . . .
Let's move on to this statement:
Although at this time, it does not seem likely the intruders were after the data on our server . . .
Oh please. It doesn't seem likely? Should we discuss what the worst case scenario would look like?
And then:
It is also a good idea to watch your insurance EOBs (the forms that explain what the insurance company was charged for and what they are paying) to ensure that you are only being charged for legitimate visits. . . .
Give me a friggin' break. How about advising patients to NOTIFY THEIR INSURANCE COMPANIES to prevent health care fraud from occurring in the first place. Duh. It's also much easier to notify the insurance company than try to watch every EOB that comes your way. Trust me, insurance companies have entire departments devoted to this stuff. Sure, notify the FTC and the credit bureaus (identity theft really sucks--trust me, I know from first hand experience), but I think it's more likely that someone will sell the information to folks planning to commit health care fraud--it's big business these days.
And finally:
Our ultimate responsibility is to provide you with the best health care possible, which would not be possible without taking advantage of an Electronic Medical Record.
Really? Dr. Dino, do you have anything to say about this?
I've thought long and hard about whether an EMR is a worthwhile investment for me at this stage of my life and the life of my practice. Over and over again, I find that each pro-EMR argument is based on assumptions that do not apply to me. . . . But so far, no one has been able to credibly show me that the benefits of adopting this new technology outweigh the considerable disadvantages, starting with the initial monetary outlay, when addressed in the specific context of my practice.
Read more (it's definitely worth it) . . .
So tomorrow, I'll be handing a copy of this letter to my insurer. Then my doctor will be getting a phone call from me asking for additional information . . .
From a patient's perspective, I do understand the benefits of EMR--I realized them first hand after suffering an injury requiring several specialists within the same medical system. And a large medical system normally has the technical staff available to guard against this type of intrusion. A smaller office, such as my doctor's office, doesn't have the resources for the information security needed to guard their patients' records. My doctor's office is very similar to Dr. Dino's office--there are only two doctors (no nurses, medical assistants, or physician's assistants). The doctors are wonderful, and they don't hurry through appointments. But they just don't have the resources available to guard the information held in an EMR.
What are your thoughts?
Original comments:


Ha, those evil insurance companies! I think we are more in danger of petty smash and grab identity theft from the electronic medical records than the original fear: insurance companies would tap in and deny coverage to those at risk. Like 1.1 million other veterans, I had my medical/identity data stolen from the VA and got a letter similar to yours. Stay cool! -C