Information on U.S. website for medical data thefts is bare-bones

The medical records of more than 18,000 patients of at least five Torrance doctors were potentially accessed by cyber-thieves on a single day in September, but this is probably the first you’re hearing of it.

Although a new federal law requiring greater disclosure of medical-data security breaches was passed a year ago, it wasn’t until recently that the Department of Health and Human Services began posting specific incidents online.

And the feds aren’t exactly being generous with details about people’s confidential medical info being hacked or going astray.

In the Sept. 27 Torrance cases, for example, were the doctors in the same office? Were they in the same building? Did they share a single computer? Did they share office staff? Or was it just a fluke that five local doctors’ offices were hit by cyber-thieves on the same day?

More to the point, were people’s Social Security numbers involved? What about billing information?

The Health and Human Services database doesn’t include this information. Nor does it identify the doctors involved.

“All we know is that there was unauthorized access involving one or more desktop computers at one or more doctors’ offices in Torrance on the same day,” said Linda Foley, co-founder of the Identity Theft Resource Center, a San Diego advocacy group.

Although individual patients affected by the breaches were presumably notified by the various doctors, details of the incidents would certainly be of interest to anyone else shopping around for a physician, or to investigators seeking patterns in security violations.

Foley has been keeping tabs on the government’s efforts to disclose information about medical data breaches. Until last week, she said, the Health and Human Services site offered no such info, even though the new law requires disclosure of hacked or lost medical data.

The Health Information Technology for Economic and Clinical Health Act includes rules for disclosure of security breaches in cases involving more than 500 patients, as well as use of medical data for marketing and patients’ electronic access to their own information.

“We’re finally getting some disclosures,” Foley said. “But what we’re seeing raises more questions than it answers.”

For example, Kaiser Permanente Medical Care Program reported that about 15,500 California patients were potentially affected by the theft of a “portable electronic device” on Dec. 1.

What kind of device? What sort of patient information was involved? What were the circumstances of the theft?

None of that is made clear in the Health and Human Services database.

Nor do we know much about the 5,900 patients potentially affected by the theft of a laptop from City of Hope in Duarte. That incident happened the same day the Torrance security breaches occurred.

Coincidence? Related? Who knows.

In the Kaiser case, a company spokeswoman said the data had been on an external storage device that was stolen from an employee’s car in Sacramento.

The employee was subsequently fired.

A City of Hope spokeswoman said the laptop in that case was also stolen from an employee’s car and contained only “limited information.”

Georgina Verdugo, director of the HHS Office for Civil Rights, which oversees privacy matters for the agency, said it’s taken this long to get breach notices online because the new law gave doctors, hospitals and others a six-month grace period before they had to start reporting wayward data.

Then there was another grace period allowing medical facilities an additional 60 days to report any cyber-trouble after an incident occurred.

Then HHS staff had to verify the reported incidents before word could be passed along to the general public.

“The main point of the law is not to put notices up on the website,” Verdugo said. “It’s to trigger a regulatory investigation.”

OK. But one problem with the seemingly endless string of security breaches involving people’s personal data -- medical and otherwise -- is a lack of accountability for those entrusted with our info.

Detailed public disclosure of such incidents provides a strong incentive for businesses and service providers to improve their security measures. It also helps the public remain well informed about how vulnerable we all are to privacy violations.

“This is certainly cause for concern,” Verdugo said of people’s medical data falling into the wrong hands. “It’s a serious act.”

Not that you could tell from the HHS website.

That free cruise

I wrote last week about an apparent scam involving a free Caribbean cruise.

The sales pitch included a variety of businesses that had no knowledge of the offer, not to mention a cruise ship that’s been sold for scrap and now lies rusting on an Indian beach.

The scheme typically involves having to give your credit card number to secure the free cruise booking.

I received a call from a “cruise coordinator” the other day congratulating me on having been awarded a free trip to the Bahamas for having completed a consumer survey. He identified himself as “Mr. Charles” and said I could look forward to three days and two nights of all-expenses-paid cruising.

I’d just need to give him a credit card number to cover $59 per person in port taxes.

What if I didn’t give the number? What if I just sent a check instead to the port authorities?

“No,” Mr. Charles replied, “you have to give us a credit card number. If you don’t, we’ll offer your free cruise to the next person on our list.”

How do I know this isn’t a scam?

Mr. Charles laughed. “If this was a scam,” he said, “the government would have closed it down.”

There.

I told Mr. Charles I’d have to think about it. He told me not to think too long -- it’d be a shame if I didn’t get my free cruise.

Actually, I’ve been resigned to that for a while now.

David Lazarus’ column runs Tuesdays and Fridays. He also can be seen daily on KTLA Channel 5. Send tips or feedback to david.lazarus@latimes.com