Extortion threat to patients' records

I wonder if this has happened in the US as well?---BBB

Extortion threat to patients' records
Clients not informed of India staff's breach
David Lazarus
Friday, April 2, 2004
©2004 San Francisco Chronicle | Feedback | FAQ

URL: sfgate.com/cgi-bin/article.cgi?file=/c/a/2004/04/02/MNGI75VIEB1.DTL

An Ohio company that outsources U.S. medical files to India, including patient records from several California hospitals, was the victim of an extortion attempt in October by its own workers in Bangalore, who threatened to reveal confidential materials unless they received a cash payoff.

The security breach was alarmingly similar to a threat received by UCSF Medical Center just three weeks earlier from a Pakistani woman who was transcribing the Bay Area hospital's files.

Yet Steven Mandell, head of Toledo's Heartland Information Services, failed to mention the extortion incident when he was summoned last month by anxious California lawmakers to testify on steps his industry is taking to safeguard outsourced information.

"He lied to us," said an angry state Sen. Liz Figueroa, D-Fremont, who chaired the March 9 privacy hearing in Sacramento. "He could have said they had a situation just a few months earlier, and he didn't."

Mandell said by phone Thursday that no patient files were ever in danger of being released and that the workers who made the threat were identified and handed over to Indian authorities within 24 hours.

"No one asked me about it" at the hearing, he said. "If anyone had asked me, I would have been more than willing to discuss it."

Mandell acknowledged, though, that there was no reason lawmakers would have thought to bring up the subject. He said Heartland kept the incident to itself and did not even inform clients about what had happened.

Mandell flew to California last month at the request of the Medical Transcription Industry Alliance, a trade group, which had been asked by Figueroa to provide an industry leader who could address the subject of protecting U.S. patients' data overseas.

"Heartland Information Services is very serious about maintaining its commitment to keeping patient information private," he said in his testimony. "Patient data is one of the most valuable assets a health care organization possesses, and it deserves the utmost protection."

But according to an internal memo issued to Heartland employees on Nov. 6 and obtained recently by The Chronicle, the company was the victim of an extortion attempt last fall by two workers at its Bangalore site.

"Through an anonymous e-mail, they threatened to release confidential patient records to the public if certain demands were not met in a specified time frame," Tracy Boesch, Heartland's chief operating officer, wrote in the memo.

She did not specify the demands made by the Bangalore workers, except to say that they "attempted to extort certain concessions from the company."

Heartland handles transcription of doctors' dictated notes for dozens of U.S. hospitals, including Riverside Community Hospital in Southern California. The company is a subsidiary of HCR ManorCare, a leading operator of nursing homes.

Mandell said Thursday that Heartland took the threat very seriously as soon as the workers' e-mail was received at the Toledo headquarters shortly after 10 a.m. on Oct. 28. He said company officials in Ohio and India quickly mobilized to track down the senders.

Within hours, Mandell said, it was learned that a manager's office in Bangalore had been broken into. He insisted that no patient information was stolen, only training documents containing details of medical procedures.

Heartland then traced the e-mail to a local Internet cafe and determined which employees lived nearby.

"We managed to identify the employees, and they confessed," Mandell said. "We recovered the documents, and the employees were arrested by the Indian police. They were locked up in jail for three days and are now out awaiting trial."

He said one of the workers told authorities that he wanted an unspecified sum of money, "and the other said he didn't like who we appointed as managers."

Mandell said he felt he was under no obligation to inform clients about the episode.

"Why?" he asked. "No patient information was ever at risk. It was nothing more than disgruntled employees. This shows that the system works."

Mandell added that because the Bangalore workers possessed stolen training documents but not actual medical records, their threat was unlike the threat UCSF received from the Pakistani transcriptionist, who said she would release the hospital's files online unless she was paid money she believes she was owed.

The transcriptionist, Lubna Baloch, included actual patient files with her e-mail. She withdrew her threat after receiving funds from another transcriptionist in the chain of subcontractors who handled UCSF's records.

Privacy advocates, however, say that the threats from disgruntled workers in Karachi and Bangalore show that the potential danger to outsourced data may be greater than most people realize.

"This may be just the tip of the iceberg," said Beth Givens, director of the Privacy Rights Clearinghouse, a San Diego advocacy group. "There could be many, many more such incidents that we just don't know about."

Sen. Figueroa said she would have wanted to know at last month's hearing about the theft of internal documents and the threat against Heartland. "It certainly seems relevant to what we were discussing," she said.

But Mandell said his goal was to "explain why I have the most secure system in the world. And that's what I did."