Millions of Electronic Medical Records Breached

This story first appeared in the Orange County Register and the Los Angeles Register.

Thieves, hackers and careless workers have breached the medical privacy of nearly 32 million Americans, including 4.6 million Californians, since 2009.

Those numbers, taken from new U.S. Health & Human Services Department data, underscore a vulnerability of electronic health records.

These records are more detailed than most consumer credit or banking files and could open the door to widespread identity theft, fraud, or worse.

Consider the case of Tustin-based GMR Transcription Services Inc. The Federal Trade Commission alleges that in 2011 a GMR subcontractor put transcribed medical audio files on a computer server that was then indexed by Google.

The files contained patients’ medical histories, including psychiatric disorders, alcohol use and drug abuse. GMR settled the FTC lawsuit in January. In a statement after the settlement, GMR said the files were no longer searchable and that it was exiting the medical transcription business.

Despite ever-tighter federal regulations, “we recognize that sometimes security is still compromised,” said Dr. Jacob Reider, HHS’ deputy national coordinator for information technology.

The government is trying to combat potential privacy breaches with a carrot-and-stick approach. It’s offering early adapters of electronic health records advice, an online security assessment tool, even a “cybersecure” computer game to help them learn.

But it’s also threatening, and in rare cases imposing, big fines on insurers, hospitals or doctors that lose control of records.

In May, HHS levied a record $4.8 million penalty against New York-Presbyterian Hospital and its partner, Columbia University. The grounds: In September 2010 some 6,800 patients’ records were accidentally exposed to Internet search engines.

That incident is one of 1,045 cases listed on HHS’ so-called “wall of shame,” a website mandated by the 2009 stimulus act that lists every health privacy breach affecting at least 500 individuals.

Individual cases highlight just how weakly protected many medical records are: Hundreds of thousands, even millions of records are typically kept on a single computer. Those records, usually protected by a password, are often not encrypted. That makes them readable by anyone who can crack the password.

“There are some healthcare providers who are not going to have any problem” safeguarding electronic health records, said Pam Dixon, executive director of the World Privacy Forum in San Diego. “There are other health care providers who are just like a sieve.”

The government does “provide good guidance,” said Justin Brookman, consumer privacy director at the Center for Democracy & Technology, a Washington, D.C., nonprofit that promotes online privacy. “But most of the breaches we’ve seen have been people not following” that guidance.

There is “a 1 percent chance of very bad things happening,” Brookman added. “It is foreseeable or should be foreseeable.”

Other examples:

  • Sometime between Feb. 14 and March 27, 2014, computer “malware” captured information from three computers at the UC Irvine Student Health Center and fed data involving 1,813 students – including names, addresses, insurance and bank information, as well as medical information – to unauthorized servers. UCI is upgrading its security.
  • In October 2013, someone broke into a sixth-floor office in Alhambra and stole two laptops. The laptops contained information for 729,000 patients of AHMC Healthcare, which runs Anaheim Regional Medical Center and five hospitals in Los Angeles County. The computers contained patients’ names, Medicare and insurance identification numbers, diagnosis codes and insurance payments. Spokesman Gary Hopkins said there is no evidence patient information was ever used.
  • In one of the biggest breaches in California history, an unencrypted desktop computer was stolen from the Sacramento administrative office of Sutter Medical Foundation in October 2011. The computer contained personal medical information, including diagnoses and procedures, for 943,000 patients. In response, Sutter sped up efforts to encrypt its computers.


Ron Campbell can be reached at 714-425-5169 or Deborah Schoch can be reached at 626-457-4281 or

More Stories from This Project

E-Record Push Dividing Doctors

Dr. Martin Fee, an infectious disease specialist, doesn’t miss the days of chasing medical records through the corridors of Orange County hospitals.

Hits to Medical Privacy

Since early 2009 the federal government has reported more than 1,000 cases in which private health information was put at risk, affecting nearly 32 million people.

Study: Digitized Medical Records Aid Communication Between Patient and Doctor

It took several electronic nudges before Patti Schwebel booked an appointment for an overdue mammogram. Her doctorsat Kaiser Permanente diagnosed breast cancer two years ago after the films revealed a lump.


Other Articles

Stress case: What’s behind the increased demand for mental health counseling from SoCal college students?

On February 7, author Claudia Boyd-Barrett appeared on Southern California Public Radio's Air Talk with Larry Mantle to discuss her project about...

At some schools, mental health battle includes the Bible

This article originally appeared in the Orange County Register. All kinds of colleges are dealing with unprecedented student demand for mental health...

California colleges, like USC, are in the midst of a mental health care crisis. Can help come fast enough?

This article originally appeared in the Los Angeles Daily News. “Are you actually going to kill yourself?” Sociology Professor...
  • 1 of 254

Other Audio

Ronald Campbell

Ronald Campbell analyzes health care data and costs. Before joining the Center he was a staff writer at the Orange County Register for more than 25 years. He founded the Register’s program in computer-assisted reporting. He has written extensively about the census, immigration, white-collar crime and the trade in human body parts. He has won the Gerald Loeb Award, the IRE Award and placed third in the Philip Meyer Award. He lives in Orange County, Calif. In his spare time he hikes and rock climbs.

© 2019 Center for Health Reporting