The private medical records of 4.6 million Californians have been exposed since 2009, according to U.S. Department of Health and Human Services data analyzed by the Center for Health Reporting.

Many of the breaches have already been publicized, but the continued improper release of information from a broad spectrum of sources highlights a growing problem as the government and the medical industry move more records online and into the cloud.

It is not only patients who are victims.

Blue Shield of California confirmed on Thursday that the Social Security numbers of 18,000 doctors were released when the insurance company inadvertently included them in mandatory monthly filings with California’s Department of Managed Health Care (DMHC). The release, in the late winter and spring of 2013, included doctor names, business addresses, business phone numbers and medical group names.

The mistake was discovered when various entities noticed the inappropriate information while querying public records on 10 different occasions. The letter (pdf) from the department alerting victims of their plight said the breach was discovered two months ago.

“We have no reason to believe that your personal information has been misused,” the letter assures, but they also have no reason to assume it hasn’t been. The lucky 18,000 win a one-year free membership in Experian’s ProtectMyID Alert. 

It is an all-too-familiar story of lax security, inadequate processes and dumb moves. The Center for Health Reporting wrote that 32 million people had been victimized nationwide since 2009, although, presumably, some of them may have been victimized more than once.

The top 13 breaches accounted for 64% of all the victims. Four of them were in California. Health Net Inc. racked up 1.9 million victims in January 2011. There were 943,434 victims at Sutter Medical Foundation in October 2011, 729,000 at AHMC Healthcare in October 2013 and 514,300 victims at Eisenhower Medical Center in March 2013.

The granddaddy of breaches during that period involved 4.9 million victims at Tricare Management Activity in Virginia in September 2013.

Sometimes the breach is a result of theft, like the Sutter incident when a desktop computer was stolen from the foundation’s Sacramento office. Other times hackers wreak havoc from afar. But incident reports regularly highlight dunderheaded public postings of private information by personnel, lost hard drives.

Often, the information is unencrypted. That’s a security measure strongly recommended by just about anyone serious about the problem and is often part of any mea culpa plea by companies and institutions after they have been breached.

In the case of Blue Shield’s breach, both the insurer and state agency promised to revise the practices that led to the exposure and “prevent a recurrence of this type of incident.”   

–Ken Broder  

To Learn More:

Blue Shield, State Regulators Release 18,000 California Doctors' Private Data (by Chris Rauber, San Francisco Business Times)

Blue Shield Discloses 18,000 Doctors' Social Security Numbers (by Martyn Williams, Computer World)

Incredible Tally: Millions of Californians Have Had Medical Records Breached (by Chris Rauber, San Francisco Business Times)

Millions of Electronic Medical Records Breached (by Ronald Campbell And Deborah Schoch, Center for Health Reporting)

Already-Huge L.A. County Medical Data Breach Doubles (by Ken Broder, AllGov California)