If a US-based employee disclosed confidential patient data in a back-pay dispute, they’d be in big trouble, whether or not they had a valid pay gripe. But the long arm of US law doesn’t extend so easily to Pakistan, where this incident happened, or plenty of other overseas destinations for medical transcription outsourcing.
As a chain is only as strong as its weakest link, a privacy or confidentiality regime protecting data is only as strong as the flimsiest, most disclosure-prone access to the data. In this case, an underpaid and mistreated (or wily and greedy, depending on who you believe) person not accountable to US law provides an extremely weak link in the medical privacy chain.
I’ve idly wondered if working as a custodian at a software company can get you a lucrative sideline as a pirate software distributor — bring a FireWire DVD burner to work with you and take home some goodies. There are a lot of people in the “chain of data” that are sometimes just looked at as furniture by the “professionals” who are “really” working with the data. In the UCSF case, doctors record gobs of dictation and then, a little while later, it shows up all typed out. Do they care if it took a trip around the world in the process?* Software developers go to work every day and find the floor vacuumed.** Are they concerned about who cleaned up and restocked the kitchen with Jolt? Who changes the lightbulbs in Experian’s data center? Lots of juicy data there.
Once we realize all of the people that really do have access to very sensitive data, we can treat them appropriately (and scrutinize them properly before such access is granted).
* Many doctors may in fact care, I don’t mean to categorically malign them. Multiply subcontracting administrators seem to have been the problem in the UCSF case.
** I realize it is likely that some developers are familiar with the custodial folks since the developers are cranking away when the custodians show up at midnight.
What are the weak spots in the data chain that you worry about?