Renown Health -
Renown For What?
I have been going to Renown Health in
I wish they didn’t.
In August 2019 I received a letter from them saying:
On June 30, 2019, an employee reported that a thumb drive containing patient information went missing that same day. We immediately began an investigation, interviewed the employee, and conducted a thorough search for the thumb drive, but were unable to locate it. Our investigation determined that some of your information was contained on the thumb drive, which may have included your name, medical record number, diagnosis and some clinical information, date of admission, and physician's name. Your Social Security number and financial information were not contained on the thumb drive.
Then they said:
We have no indication that your information was misused. However, in an abundance of caution, we wanted to advise you of the incident and assure you that we take it very seriously. We recommend that you view the statements you receive from your healthcare providers. If you see services that you did not receive, please notify the healthcare provider immediately
Problem solved, right?
This is the letter: PDF
I converted it to html to make it computer readable: html
They provided a phone number to call if I had questions
about the incident.
Did I have questions about the
incident?
You bet I did, so I called the
number: 1-833-762-0223 .
Did the number go to Melinda
Montoya, BSN, JD, CPC, CHC, CHPC whose title is Chief Compliance Officer and in
whose name the letter was sent?
No, it went to someone else who
did not know the answers to any of my questions. She did not know anything
other than what was in the letter.
She admitted that she was not a Renown employee. She said she worked for a company that did PR for companies that had had data breaches. I don’t think she told me the name of her company. I called the number again today. It is answered as Renown Health Incident Response Line. I think that is fraud.
Back to August. I called Renown’s main number and asked to speak with Ms. Montoya. Amazingly, I was transferred to her. And got her voice mail (of course).
I didn’t expect her to call me back so I called Medicare to tell them about the data breach because it could result in a great deal of Medicare fraud. They had the same advice that Renown gave, that I carefully review my statements from them. I told them that their statements are basically incomprehensible and if I did question a charge and called them I would get an incomprehensible answer. I am going from experience here. Medicare said they can’t help me with that.
So I filed a HIPPA Complaint with The Department of Health and Human Services: https://www.hhs.gov/hipaa/filing-a-complaint/index.html .
A few hours later Ms. Montoya actually called me. I was amazed. Now I could ask her my questions. I was even more amazed by her answers.
First, the term “thumb drive” means a “
Me: Why were my
medical records stored on a
Ms. Montoya: To
archive the medical records.
What???
I explained to her that Flash memory (used in USB Flash Drives, SD Flash Cards, Solid State Drives, etc) is built on top of an old memory technology first used in EPROMs (Electrically Programmable Read Only Memory). The data is stored as electric charges in an oxide layer.
The oxide layer is a very good insulator so the charges stay trapped there, but not forever. Eventually they leak away. The bits don’t all leak away at once because of the design and from process variations across the chip when it was fabricated. When the bits do start to be affected the technical term is “Bit Rot”.
As a result, DO NOT USE FLASH MEMORY TO ARCHIVE DATA.
Extra for this article:
Generally, with no charges it is a data ‘1’. When there are charges it is a data ‘0’ so an unprogrammed (blank) EPROM is all ‘1s’. To erase it you expose it to ultraviolet light. That is why there is a window in the part. Later, the semiconductor companies made it so it could be erased electrically. But all modern flash memory is based on storing electric charges in an oxide layer. I wrote about this years ago at: www.jmargolin.com/patents/eprom.htm .
In the 1980s the EPROM manufacturers would give their best guess how long the data would stay good. It was generally 15-20 years depending on the temperature profile that the memory has gone through. (Cold Good, Hot Bad). Some of the coin-op games I worked on at Atari (BattleZone, Star Wars, Hard Drivin’, Race Drivin’, etc) are still working with EPROMs programmed 35 years ago. I advise people to pull them from the game and read them with one of the very nice cheap modern Programmers so they can reprogram the EPROMs when Bit Rot sets in.
Most people don’t know about Bit Rot anymore. And BTW flash memory is also used in microcontrollers which are single chip microprocessors with the processor, memory, and peripherals all on one chip. Microcontrollers are used everywhere, such as in ovens, toasters, washing machines, furnaces, DVD players, TVs, etc. Eventually they will all experience Bit Rot and stop working. A few years ago I contacted Microchip Technology and asked about the data retention for one of their microcontrollers. They had one of their engineers respond who gave me a few pages of test results for a batch of one of their microcontrollers. There was nothing about data retention in it. I don’t think he knew what I was talking about.
When Bit Rot sets in (years from now) I doubt that anyone will still have the code or the equipment to reprogram the devices. People won’t even know why the device stopped working.
When I told Ms. Montoya that Flash Memory should never be used to archive data (and give her the simple explanation why) she said she didn’t know that but would ask her IT people. I’ll bet they don’t know that either.
Next Questions
Me: Were my doctors’ notes on the thumb drive?
Ms. Montoya: No, they
were not.
Me: Why was the data on the thumb drive not
encrypted?
Ms. Montoya: I don’t
know.
Do I believe her?
No, I don’t. Here’s why.
1. Using USB Flash Drives to store data is more expensive than using a USB Hard Drive.
An ADATA 128 GByte USB Flash Drive from Newegg costs about $15: https://www.newegg.com/adata-model-auv330-128g-rbk-128gb/p/N82E16820215195
That is about $0.12.GByte.
A Western Digital 1 Terabyte USB Hard Drive costs about $50: https://www.newegg.com/model-wdbuzg0010bbk-wesn-1tb/p/1E8-0006-00100
One Terabyte is 1000 GBytes so it is about $0.05/GByte.
2. A 1 Terabyte USB Hard drive stores the equivalent of (8) x 128GByte Flash Drives and there is the problem of labeling and storing the USB Flash Drives. (It is easy to put a label on a USB Hard Drive.)
3. USB Flash Drives are how you get files out of a facility without being detected, as you would be if you used the facility’s network.
4. The Doctors’ Notes are an important part of your medical records. Why would they Not be kept with your medical records?
I told Ms. Montoya that their solution (that I review my medical statements) was unsatisfactory for the same reason I gave Medicare. (Incomprehensible statements and incomprehensible explanations when I call them.)
I told her that if Renown was really sorry that they had compromised all of my medical records they should give me a copy of my medical records (including imaging) for free and give them to me in one place instead of making me go all around Reno to the different places that Renown has them.
She said she couldn’t do that but that she would walk me through all the steps for me to get my records.
I told her that was not acceptable.
I wanted them free and from one place.
We went around that a few times. Then she said she would have someone contact me to arrange it.
Did someone from Renown contact me so I could get my medical records for free and from one place?
NO! they did not.
I received a letter from HHS yesterday, dated 8 October 2019. Here it is: PDF html
It seems that I was not the only one to file a complaint with them against Renown.
Would I believe Renown if they now came out and said, “We
found the
Nope.
I hope HHS wouldn’t believe them either,
What does this mean for you?
Should you really tell your doctor things that you want to be in confidence, knowing that his/her notes could be so easily compromised?
And can you get the medical care you need if you don’t?
Jed Margolin
October 12, 2019.