Three fired for accessing records of Tucson shooting victims

January 13, 2011, 1:02 PM —

Members of U.S. President Barack Obama's entourage, including House Minority leader Rep. Nancy Pelosi, walk from the motorcade into University Medical Center for a visit with Rep. Gabrielle Giffords in Tucson, Arizona, January 12, 2011.
Photo credit: REUTERS/Jim Young

Three employees at Tucson's University Medical Center have been fired for improperly accessing the medical records of some of the victims in last Saturday's shooting spree outside an area mall that killed six people and wounded 13, including U.S. Rep. Gabrielle Gifford (D-Ariz.).

A nurse working under contract for the hospital has also been terminated by her employer, the medical center said in a brief statement on its Web site.

Many of the victims, including Giffords , are being treated at the hospital. One person, Jared Loughner, is in custody in connection with the shootings.

According to the UMC, three clinical support staff members were caught inappropriately accessing the confidential electronic medical records of some of the victims. The three were fired, "in accordance with UMC's zero tolerance policy on patient privacy violations."

So far there is no indication that any of the improperly accessed information has been released publicly, the statement said. The families of the victims whose information was breached have been notified of the incident, the hospital added. The statement itself makes no direct reference to the patients as being victims of last week's shooting. However, in a statement in the Arizona Daily Star , a hospital spokeswoman is quoted as confirming the records belonged to last Saturday's shooting victims.

UMC has implemented "sophisticated technology" to prevent and detect such improper access, the statement said.

Such incidents highlight the challenges that hospitals and other organizations face in controlling insider access to confidential data. There have been numerous similar examples in the past where hospital employees have been caught snooping on the medical records of celebrities and others in the news.

In April 2009, a Kaiser Permanente hospital located near Los Angeles fired 15 workers after they were caught inappropriately accessing the medical records of Nadya Suleman, the California mother who gave birth to octuplets and became a news sensation.

Similarly, in 2008, the medical center at the University of California disclosed that over a 13-year period, as many as 165 doctors, interns and other staff had improperly accessed data belonging to celebrity patients.

Deborah Peel, founder and chairwoman of the Patient Privacy Rights Foundation, said that such breaches should not come as a surprise. "This can be expected because health IT systems are radically insecure and health organizations are simply not paying for ironclad security , much less patient control over sensitive personal health data," she said.

Other organizations have been affected by similar employee snooping as well. One of the more well-publicized incidents took place in 2008 when three employees at the U.S. Department of State were caught snooping on the passport records of then U.S. Sen. Barack Obama and several other high-profile politicians including then-Sen. Hillary Clinton and Sen. John McCain (R-Ariz.).

Security analysts believe that for every such incident that comes to light, there are many others involving less-known figures that go unreported.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is jvijayan@computerworld.com .

Read more about privacy in Computerworld's Privacy Topic Center.