October 22, 2003
San Francisco Chronicle / SFGate
By David Lazarus, column: Wed, Fri, Sun; television: KTVU > "Mornings on 2""Your patient records are out in the open..., so you better track that person and make him pay my dues."
A woman in Pakistan doing cut-rate clerical work for UCSF Medical Center threatened to post patients' confidential files on the Internet, unless she was paid more money. To show she was serious, the woman sent UCSF an e-mail earlier this month with actual patients' records attached.
The violation of medical privacy - apparently the first of its kind - highlights the danger of "offshoring" work that involves sensitive materials, an increasing trend among budget-conscious U.S. companies and institutions.
U.S. laws maintain strict standards to protect patients' medical data. But those laws are virtually unenforceable overseas, where much of the labor-intensive transcribing of dictated medical notes to written form is being exported.
"This was an egregious breach", said Tomi Ryba, chief operating officer of UCSF Medical Center. "We took this very, very seriously." She stressed that the renowned San Francisco facility is not alone in facing the risk of patients' confidential information being used as leverage by unscrupulous members of the increasingly global health-care industry. "This is an issue that affects the entire industry and the entire nation", Ryba said.
Nearly all Bay Area hospitals contract with outside firms to handle at least a portion of their voluminous medical-transcription workload. Those firms in turn frequently subcontract with other companies.
In the case of the threat to release UCSF patient records online a chain of three different subcontractors was used. UCSF and its original contractor, Sausalito's Transcription Stat, say they had no knowledge that the work eventually would find its way abroad. The Pakistani woman's threat was withdrawn only, after she received hundreds of dollars from another person indirectly caught up in the extortion attempt.
The $20-billion medical-transcription business handles dictation from doctors relating to all aspects of the health care process from routine exams to surgical procedures. Patients' full medical histories often are included in transcribed reports. While it's impossible to know for sure, how much of the work is heading overseas, the American Association for Medical Transcription, an industry group estimates that about 10 percent of all U.S. medical transcription is being done abroad.
For two decades UCSF has outsourced a portion of its transcription work to Transcription Stat. Kim Kaneko, the owner of the Sausalito firm, said she maintains a network of 15 subcontractors throughout the country to handle the "hundreds of files a day" received by her office.
One of those subcontractors is a Florida woman named Sonya Newburn, whom Kaneko said she'd been using steadily for about a year and a half. Kaneko knew that Newburn herself used subcontractors, but assumed that was as far as it went. What Kaneko said she didn't know is that one of Newburn's transcribers, a Texas man named Tom Spires, had his own network of subcontractors. One of these, apparently, was a Pakistani woman named Lubna Baloch.
On Oct. 7, UCSF officials received an e-mail from Baloch, who described herself as "a medical doctor by profession". She said Spires owed her money and had cut off all communication. Baloch demanded that UCSF find Spires and remedy the situation. She wrote: "Your patient records are out in the open to be exposed, so you better track that person and make him pay my dues or otherwise I will expose all the voice files and patient records of UCSF Parnassus and Mt. Zion campuses on the Internet." Actual files containing dictation from UCSF doctors were attached to the e-mail. The files reportedly involved two patients.
"I can't believe this happened", Kaneko said. "We've been working for UC for 20 years and nothing like this has ever happened before."
The files in question were quickly traced to Newburn, the Florida woman, who typically handled about 30 UCSF files every day. An emotional Newburn said in an interview that she's as much a victim as Kaneko. "I feel violated", she said. Nevertheless, she said she's taking responsibility for what happened, even though she said she explicitly told Spires not to send any work overseas. "What he did was despicable", Newburn said.
Spires could not be reached for comment. E-mail to his company, Tutranscribe, was returned as undeliverable this week. Newburn said she contacted Spires as soon as she learned about Baloch's threat and obtained a number to reach the Pakistani transcriber at her home in Karachi. "I spoke with her", Newburn said. "She was very upset, but said she wouldn't have really released the files. So I said she had to take back the threat."
Newburn agreed to pay a portion of the money Baloch claimed she was owed - about $500 - and Baloch said she would tell UCSF that its files were safe. On Oct. 8, UCSF received a second e-mail from Baloch. "I verify that I do not have any intent to distribute/release any patient health information out and I have destroyed the said information", she wrote. "I am retracting any statements made by me earlier."
The problem, however, will not go away so easily. "We do not have any evidence that the person has destroyed the files", acknowledged UCSF's Ryba. Moreover, how can UCSF or any other medical institution prevent something like this from happening again? Should legislation be passed barring U.S. medical data from going overseas?
UCSF has reached the same conclusion. Ryba said the medical center is revising its contracts with transcription firms to require up-front notice of all subcontracting. At the same time she accepts that with a growing percentage of transcription work being exported abroad, there will always be a chance that something like this could happen again. "We'll have to live with this risk on a daily basis," Ryba said.
Webmaster's Comment:
The clause "to require up-front notice of all medical subcontracting" or to forbid it in the first place should have been included in UCSF's contracts not today, when something happens, but yesterday. If it wasn't, then those, who wrote UCSF's contract, were incompetent and should be fired on the spot or if they were outside attorneys, then they should be held financially liable in a lawsuit.
Moreover, in lack of such a clause even Sonya Newburn could not enforce what she just verbally told Spires: not so send any work overseas. That's why there's a good reason to put everything in writing! But because she didn't even think of requiring it in writing, that alone stamps her unprofessional and she should lose her license, if she has any and shouldn't get any more transcription work in the future from anybody. Also, why did she just pay a portion of what was owed, if Spires could not be caught, which was her fault, because she didn't put it in writing? She obviously decided to pay a portion only, because she thinks that the real perpetrator was Spires. But Spires wasn't bound by any legal clause, so even if caught, he would not be liable. He didn't sign he wouldn't outsource it further and words fly away. That's why the entire fault lies with Sonya Newburn. And the Pakistani lady is still doing a favor by retracting her threat, because after all, she is still owed a balance, but she voluntarily took a cut, in order to maintain those patients' privacy. So just never forget that she didn't have to compromise at all!
However, a law should also be passed against ENDLESS SUBCONTRACTING, setting a limit of ONE LEVEL only to the depth of subcontracting, because anything else leads to unfair wages and sweatshop conditions.
On the other hand, in case the contract allows subcontracting at all, it should further specify, whether subcontracting can be done abroad and if abroad is deemed okay, then the medical center should even stress in writing that it is aware that it may not have any legal recourse abroad in case of a breach.
Further point: establish legal recourse with any country sent to and if such can't be established, then pass laws that forbid sending confidential patient info to those countries that are not willing to prosecute violators.
And last, but not least: Why not just pay honestly what you owe to ensure medical privacy for your patients? The Pakistani woman was right in her situation, because she had just as little legal recourse in the U.S. and she simply didn't want to be cheated out of her hard-earned money, just because a U.S. firm/entity thought he/they could get away with not paying a subcontractor in a poorer country! So any reader reading this should care just as much about the deceived Pakistani woman, who has to feed her family and had no choice, as about the endangered medical center and patients. ALL are EQUALLY important!