Breaking: 638 Brigham & Women’s Patients Warned That Doctor Lost Hard Drive

This release just in from Brigham and Women’s Hospital:

Brigham and Women’s Hospital Notifies 638 Patients of a Potential Data Breach
Device containing patient information lost

Boston, MA – An external hard drive belonging to a Brigham and Women’s/Faulkner Hospital (BW/F) physician was lost on June 21, 2011. BW/F has sent letters to notify the 638 patients whose medical information may have been on the device.

The following information related to inpatient hospital stays from July 10, 2009 to January 28, 2011, may have been present on the device: patient name, medical record number, dates of admission, medications and information about diagnosis and treatment. The information did not contain Social Security numbers, insurance numbers or other financial account information.

“BW/F takes the privacy and security of our patients’ information very seriously. We are taking steps to reduce the risk of such events occurring in the future, including addressing the incident specifically with those involved, reviewing and augmenting our policies and procedures, and enhancing our training regarding technical safeguards required on external hard drives that may contain sensitive data, as well as limiting the amount of data stored on such devices,” said Sue Schade, BW/F’s chief information officer.

“It is fortunate that no Social Security numbers or financial information were included in the information that was lost. We have no knowledge that the information on this device has been accessed. However, as a precaution, we are offering affected patients identity protection services,” said Schade. “We apologize for any inconvenience and deeply regret any concern this situation may cause our patients.”

Patients who require additional information or have questions can call toll free at 877-694-3367.

I’m immediately cast back to the last big news story about a data breach: Those Massachusetts General Hospital records that were left on a subway. They included records of HIV patients. The hospital ultimately agreed in February to pay $1 million to settle claims that it had violated patient privacy. That story is here.

What baffles me is that both Mass. General and the Brigham have some of the most advanced electronic medical record systems around. Personally, at this point I’d say I’d rather have my records in the cloud than on an external hard-drive: I’m less afraid of hackers than of absent-minded staffers…

The ‘Oreo Problem’: When Drug Marketers Know Too Much About Doctors

Imagine you’re shopping in the supermarket cookie aisle and a gorgeous, charming salesperson for Nabisco comes up to you and says, “We’ve noticed that you used to buy Oreos, but lately, you’ve switched to Nutter Butters instead. We’d really like to get you back to Oreos. May I offer you these free samples?”

I don’t know about you, but I’d feel a pretty deep sense of offensive intrusion. Yet that is pretty much how it works with prescription drugs: salespeople have immensely detailed information on the prescriptions written by each doctor, and they can use it to make their marketing as specific and effective as possible. Only in the drug industry, it’s much more concerning than the cookie industry.

Prof. Kevin Outterson, co-director of the health law program at Boston University School of Law, points out: “If it’s Oreos, it’s only a snack and I’m buying them for my family. What we worry about for physicians is that they’re making an important medical decision for somebody else. We’re trusting the physician to make the right decision, without inappropriate influence from drug companies.”

In the latest New England Journal of Medicine, online today, Kevin writes here about Vermont’s recent attempt to fix what we could call “the Oreo problem” in drug sales. Vermont passed a law that barred pharmacies from selling doctors’ prescribing data to data miners and drug companies — unless the doctors themselves opted in. (Names of patients are protected by HIPAA, the federal medical privacy law, but names of doctors are not.)

The Supreme Court recently shot down that Vermont law, so drug companies remain free to buy information that helps them market their drugs better to each doctor. Kevin’s article analyzes that decision and looks ahead at its implications. We asked him to explain.

Q: Why is this issue important enough to merit inclusion in a top medical journal?

The medical profession has been interested for a while in how pharmaceutical companies are marketing to doctors. They’ve devoted a lot of articles and commentary over the years to whether doctors are making correct clinical decisions or whether they’re being inappropriately influenced by advertising and marketing and promotion.

Being able to identify prescribing patterns is very powerful to the companies. If they send in a drug detailer with a certain tactic, or if they meet with the doctor at a convention, or if they hire the doctor to give speeches, the company can track in real time, every day, the impact of all these activities. If a certain doctor is given free samples of a drug, they can then track over the next weeks or months whether the doctor has written new prescriptions for the drug. If the doctor doesn’t, they can go in and try to modify their behavior. They can ‘punish’ doctors who are not writing the scripts and reward those who do. If they know a doctor has recently switched and is prescribing more of a rival drug, they can go in and say something negative about the rival drug.

Supreme Court Strikes Down VT Prescription Privacy Law

The Supreme Court has just struck down Vermont’s prescription privacy law, reports Kevin Outterson, associate professor at Boston University and blogger at The Incidental Economist.

The Associated Press:

WASHINGTON (AP) – The Supreme Court has struck down a Vermont law that forbids drug manufacturers from using information about the prescription drugs doctors prescribe to tailor their sales pitches to physicians.

In a 6-3 ruling Thursday, the court ruled in favor of the data mining companies that compile the information and sell it to pharmaceutical companies.

Justice Anthony Kennedy said in his majority opinion that the Vermont law violates the speech rights of the companies.

Kevin Outterson’s bottom line, in his post here: “Vermont can fix this, but this case spells trouble for any federal or state regulation of data or information.”

The full Supreme Court decision is here, and a previous blog post — in which Kevin makes clear that he serves as counsel on the case to doctors’ groups — is here.


WSJ: Firms Reap Profits Secretly ‘Scraping’ Patients’ Personal Data

PatientsLikeMe, an online community for chronically ill people to share personal information (and a business that also sells information about its users), is the victim of the latest form of privacy-violation-for-profit: a practice known as “scraping,” according to a great story today in The Wall Street Journal.

Julia Angwin and Steve Stecklow, my former colleagues at the WSJ (which is clearly going for a Pulitzer Prize with its series, “What They Know,” about the many ways your “private” online information is being sold and tracked) begin today’s story like this:

At 1 a.m. on May 7, the website noticed suspicious activity on its “Mood” discussion board. There, people exchange highly personal stories about their emotional disorders, ranging from bipolar disease to a desire to cut themselves.

It was a break-in. A new member of the site, using sophisticated software, was “scraping,” or copying, every single message off PatientsLikeMe’s private online forums.

PatientsLikeMe managed to block and identify the intruder: Nielsen Co., the privately held New York media-research firm. Nielsen monitors online “buzz” for clients, including major drug makers, which buy data gleaned from the Web to get insight from consumers about their products, Nielsen says.

“I felt totally violated,” says Bilal Ahmed, a 33-year-old resident of Sydney, Australia, who used PatientsLikeMe to connect with other people suffering from depression. He used a pseudonym on the message boards, but his PatientsLikeMe profile linked to his blog, which contains his real name.

After PatientsLikeMe told users about the break-in, Mr. Ahmed deleted all his posts, plus a list of drugs he uses. “It was very disturbing to know that your information is being sold,” he says. Nielsen says it no longer scrapes sites requiring an individual account for access, unless it has permission.

Cambridge-based PatientsLikeMe confirmed that after the scraping, which occurred primarily in the “Mood” community, about 200 people withdrew. Overall, the site has about 70,000 users across all communities. And while the company does sell information about its users, the patients are deidentified and the data is aggregated.

“This incident could certainly be considered a violation of our patients’ trust, but it has spurred an important discussion within industry about how to put patients first,” says Jamie Heywood, Co-founder and Chairman of PatientsLikeMe. “It’s also clear that it has not broken the spirit or social contract of PatientsLikeMe when it comes to sharing and learning. The vast majority of members on our site have stayed with us through all of this and perhaps come out even stronger in their commitment in understanding the value of being open.”

Daily Rounds: Sick Residents At Work; Lifetime Benefit Caps; TB Privacy; Dartmouth Teaches Delivery

Observations: Majority of medical residents have worked while sick “Residents may work when sick for several reasons, including misplaced dedication, lack of an adequate coverage system or fear of letting down teammates,” the authors of the new analysis wrote. The results were published online in a research letter September 14 in JAMA, Journal of the American Medical Association.”

Health Overhaul Brings Ban On Lifetime Benefit Caps: Shots – Health News Blog “Starting late next week, new health plans or plans that are renewed, won’t be able to cap the dollar amount of benefits they cover. No more yearly caps either, though those limits will be phased out over three years, disappearing entirely in 2014.” (NPR)

TB Patient Tries to Revive Privacy Lawsuit Against Centers for Disease Control “A lawyer for Andrew H. Speaker, who made headlines in 2007 when he took a trans-Atlantic commercial flight while infected with a rare strain of tuberculosis, on Tuesday appeared before a federal appeals court panel in a bid to revive his lawsuit against the Centers for Disease Control and Prevention.”

New college program zeroes in on health costs – The Boston Globe “The 18-month master’s program is intended mainly for mid-career professionals — generally hospital and clinic administrators, health care consultants, medical educators, or managers from health-related industries. [Dartmouth President Jim Yong] Kim, who announced the program in Boston last month, said he hopes Dartmouth’s effort will spark a new profession of health care delivery experts whose aim will be to make medical care simultaneously less costly and more effective.” (Boston Globe)