Tuesday, November 07, 2006

SWEDISH HOSPITAL PLACES PATIENTS AT CONTINUING RISK WITH INADEQUATE SAFEGUARDS FOLLOWING DATA BREACH

Swedish Hospital in Seattle reported that an employee took names, birthdates, and Social Security numbers from files at the hospital for at least three patients. The stolen identities were used to apply for false credit and to purchase items at Wal-Mart, Zales, and Banana Republic.

The employee was a support services worker. Although the hospital is notifying over 1,100 patients of the personal information security breach, a spokesman said that only three patients were compromised. Free credit reporting was offered to all affected.

What’s wrong with this picture?

Swedish Hospital continues to use badly flawed systems and processes, and offers an entirely misleading and ineffective free "credit monitoring" service.


Management at the hospital needs to address the following critical items:

-- Are background checks, including criminal checks, performed on all employees, subcontractors, or others who may have access to data?

-- How are service workers to be restricted from accessing data in the future?

-- How can the hospital be certain that only three of the 1,100 exposed patients were affected?

-- Why are Social Security numbers still used as identifiers for patients?

And the most important issue:

-- Why is Swedish Hospital offering useless “credit monitoring” services to "at risk patients", rather than providing effective and meaningful protection? We have written often about the ineffective nature of “credit monitoring”, but we suspect that few "at risk patients" realize that credit monitoring systems will notify them of credit breaches long after the breach has occurred, and usually after they have been contacted by creditors demanding payment.

Most importantly, credit monitoring is useless in providing meaningful protection against the preponderance of identity theft crimes using Social Security numbers, such as employment fraud, tax fraud, medical benefits fraud, driver’s license fraud, and over 80 other crimes of fraud using Social Security numbers.

Swedish Hospital has failed its patients twice – first in not providing adequate safeguards against this horrendous crime, and secondly in offering useless remediation to the criminal act.
