By Thomas Claburn
Sep 5, 2006
Over 40% of federal health insurance contractors and state Medicaid
agencies reported experiencing a privacy breach involving personal
health information in the past two years, according to a Government
Accounting Office (GAO) report  released on Tuesday.
The contractors and agencies collectively have access to medical data
covering more than 100 million Americans, the report says.
"That's a shocking finding," says Beth Givens, director of Privacy
Rights Clearinghouse , a non-profit consumer advocacy group. "It's
not only the number of breaches but the sensitivity of the information
The GAO report, "Domestic and Offshore Outsourcing of Personal
Information in Medicare, Medicaid, and TRICARE," examines the role that
private firms, federal agencies, and state Medicaid agencies play in
administering three of the nation's largest public health insurance
programsMedicare, Medicaid, and the Department of Defense's TRICARE
Beyond noting the pervasiveness of privacy breaches, the report finds
that the outsourcing of services involving personal health information
is also common. Over 90% of Medicare contractors and state Medicaid
agencies and 63% of TRICARE contractors reported some domestic
outsourcing in 2005, typically involving anywhere from 3 to 20 U.S.
While relatively few organizations sent personal health information
offshore33 Medicare Advantage contractors, 2 Medicare fee-for-service
(FFS) contractors, and 1 Medicaid agency said their domestic vendors had
transferred personal health information offshorethe GAO believes the
extent of offshore outsourcing may be underestimated "because many of
the federal contractors and agencies did not know whether their domestic
vendors transferred personal health information to other locations or
Givens says the report indicates that there's not enough security for
healthcare records. "These findings certainly don't inspire much
confidence that sensitive personal information is being adequately
protected," she says.
The GAO recommends that the privacy breach notification requirements
that currently apply to TRICARE and Medicare FFS contractors should be
extended to other Medicare contractors that deal with personal health
information and to state Medicaid agencies.
HITBSecConf2006 - Malaysia
The largest network security event in Asia
32 internationally renowned speakers
7 tracks of hands-on technical training sessions.
Register now: http://conference.hitb.org/hitbsecconf2006kl/