Blog

According to an AP story over the weekend, the medical records of some 300,000 Californians who had applied for California workers’ compensation benefits were discovered to be unwittingly left exposed on a publicly accessible web site.

Apparently, the information was placed on an internal web site by Southern California Medical-Legal Consultants, a California company that represents medical providers in the recovery of billing from workers’ compensation insurance carriers. The AP story stated that the information, which included people’s names and social security numbers as well as details about their medical condition, was not encrypted, didn’t require a password for it to be accessed, nor were search engines kept from indexing the web pages where the information resided.

Since the company thought the information could only be accessed by its employees and it wasn’t linked to any of the company’s public web site pages, no one thought much about it. That was until, as described in a company press release dated the 12th of June:

“The company was notified of the possible breach by a data security firm that discovered some of the files using a sophisticated, automated search of Google indexes.”

However, the person at the above mentioned data security firm – Aaron Titus of Identity Finder – told the AP that what he did was not very sophisticated at all, and that the information was:

“… available to anyone in the world with half a brain and access to Google.”

Mr. Titus also likened the breach to a “… case of felony stupidity.”

Ouch.

The basic issue raised in the AP story is that the IT security knowledge/skills of many organizations involved in the capture, storage, analysis and/or communication of electronic medical information has not generally kept up with the evolving security threat, and the situation doesn’t look like it is going to get any better any time soon. As a New York Times article in May noted, the “personal medical records of at least 7.8 million people have been improperly exposed” over the past two years.

The Times article noted that inspector general of the Department of Health and Human Services “… had found dozens of vulnerabilities in systems to protect records of patients at seven large hospitals in New York, California, Illinois, Texas, Massachusetts, Georgia and Missouri. Auditors cited such problems as personal information that was not encrypted and was stored on computers that could be easily used by unauthorized users.”

That “improperly exposed” number is expected to rise – possibly significantly – as electronic medical records become more widely used across the US. A recurring question has been whether the 165,000 or so small physician offices in the US that have fewer than 10 employees including the doctor(s) will be able to internally acquire or pay for the IT security skills needed to keep their electronic medical record systems safe, not only now but also against future threats. Given, as the Times article indicates, that hospitals with far more IT resources are having a hard time with IT security, the answer doesn’t look promising.

Security questions are also being raised about Australia’s proposed AU$466 million national electronic health record system. According to a story over the weekend in The Australian, nearly half of Australians may end up “boycotting the voluntary system when it launches in July next year amid concerns the government may find it impossible to guarantee private medical details remain private.”

Supporters of the new national EHR system are confident that it will indeed adequately protect a patient’s medical information, but also agree that the Australian government has to become more active in convincing citizens of that fact. How can this be done?

According to The Australian story, just remind people, says Melbourne GP Mukesh Haikerwal, who heads the Clinical Leadership team for the National E-Health Transition Authority and is Chair of the World Medical Association, that the new system:

“… is much safer than having a fax hanging around the GP surgery that’s just come from the clap clinic.”

Does that happen a lot in GP surgeries in Australia?

Of course, inadvertent data breaches aren’t confined to the medical arena either. Just a week ago, Yale University announced that personal information including the names and Social Security numbers of 43,000 people who mostly worked for Yale in 1999 were accessible via Google search for the past 10 months.

As described in a Yale Daily News article from last week,

“The information was stored on a file transfer protocol (FTP) server used primarily for open source materials… In September 2010, Google modified its search engine to be capable of finding and indexing FTP servers… but ITS [Information Technology Services] was not aware of this change. … since discovering that the file was accessible, ITS has confirmed that other search engines, such as Yahoo!, do not index FTP servers.”

I don’t know whether Mr. Titus would describe Yale’s case as one of “felony stupidity” too, but it does point out that personal data can be exposed in many, ever-changing ways even experienced IT organizations may not fully be aware of.

Photo: iStockphoto

August 17, 2011 —

Contractor Patrick Murtagh estimates that there are hundreds of construction employees who work off the books every season in Sullivan County.

Murtagh paid a visit to the Sullivan County Legislature on August 4, and listed various reasons that employment laws should be enforced. Murtagh, who has three year-round employees, pays their workers’ compensation, half of their social security, Medicare, unemployment insurance and New York State Disability Insurance. His employees pay federal and state taxes, social security and Medicare.

Contractors who don’t pay these various state and federal costs can charge lower rates for work, and make it hard for the contractors who do work by the rules to survive.

There was a suggestion that the county could set up a registry where contractors who provide proof that they carry all the necessary coverage could be included, thus the public would know which contractors are abiding by NYS employment rules.

Legislator Alan Sorensen said he thought the idea of a countywide registry was a good one. He said, “If there are that many people not paying into the system, it’s that much more of a burden on the rest of us.”

County chairman Jonathan Rouis, however, said that perhaps the Sullivan County Chamber of Commerce or some other business group would better handle a registry. He said, “The issue for the county is manpower.”

A group of contractors was formed three years ago to examine the issue. Because of numerous consumer complaints about unscrupulous contractors, then district attorney Steve Lungen called for the licensing of all contractors in Sullivan County. The chamber responded by setting up a Contractors Initiative Board (CIB) made up of 23 contractors, including electricians, plumbers and builders, and including such well-known companies as Mountain Construction, Werlau Construction and Catskill Farms.

Murtagh’s position is that enforcement of the state laws should begin with the code enforcement officers (CEO) or building inspectors of the various towns and villages in the county, because for most construction work, such as new buildings or expansions or decks, a permit is required. By state law, permits are not supposed to be issued unless the contractor supplies either a workers’ compensation certificate, a letter of exemption or documents showing the work is being done by the homeowner.

Murtagh told the lawmakers that according to the results of Freedom of Information Law requests in a couple of municipalities, 66% of permits were issued without any of the three types of documentation. And among contractors who do supply documents, according to various sources, the letters of exemption—which are intended to go only to people working alone, with no employees and no subcontractors—are being widely abused. There are reportedly many instances of people using letters of exemption to get permits to build a house and, as a general rule, no one today builds a house all by himself or herself.

In exchanges with the CIB, code enforcement officers said that they did not have the time or the resources to enforce the various state laws. Neil Gilberg, who was formerly the Sullivan County Clerk and who is now a business advocate with the NYS Workers’ Compensation Board, created a pilot program whereby if a CEO suspects that a contractor is operating without workers’ compensation, the CEO can call or email officials in Albany or Binghamton, who will respond by sending someone to investigate, or perhaps by getting a local law enforcement official to investigate.

However, not everyone agrees that the CEOs should be put in a position of having to enforce the law. Suggesting that CEOs should be reluctant to issue permits based on exemption letters by contractors who claim to have no employees is reasonable, said Catskill Farms builder Charles Petersheim, but, he added, “giving them police powers? It just seems really hard to believe that it could work.”

According to various sources, the prevailing view among CEOs is that enforcing the relevant state laws is not their responsibility.

For homeowners, there is a question of compensation. If, for example, an employee without workers’ compensation were to fall off a roof, the employer is responsible for the hospital bills. But, if the employer doesn’t have enough money to cover it, the worker may go after the homeowner.

Residents can determine whether a contractor is covered by workers’ compensation by going to www.wcb.state.ny.us and clicking on Insurance Carriers, and then clicking on “Does Employer Have Coverage,” and following the prompts.

An analysis of the state’s insolvent workers’ compensation trusts shows that a deficit thought last summer to be $600 million is now nearly $1 billion.

 

A 10-page report by the state Workers’ Compensation Board, required by Gov. Andrew Cuomo’s budget legislation, puts the workers’ compensation deficit at $924.6 million. The totals are based on the funds’ latest audited financial statements.

 

The June 30 report attributes the increase to previously uncounted workers’ compensation obligations, as well as the addition of two newly insolvent trusts, bringing the total to 17.

 

Hundreds of small employers paid into the trusts to provide for workers injured on the job. But the funds were mismanaged or, as the state alleges, defrauded by Poughkeepsie-based Compensation Risk Managers, which controlled most of them.

 

The state sued CRM for $405 million, but a proposed settlement would yield only $41 million. State appellate courts, meanwhile, have upheld the board’s authority to force employers who paid into solvent trusts to cover the deficit of the insolvent funds. The employers are appealing.

 

That has left the insolvent trusts’ members, like Mark Teich, president of M&T Plumbing & Heating Co. near Union Square, on the hook.

 

“I paid a premium to cover my company and now they’re coming back and saying [employers] owe $925 million,” he said. “It’s insane.”

 

The final debt to the state is likely to be less than that because of a law crafted by the Cuomo administration to deal with the problem, which it inherited.

 

Foreseeing a political maelstrom, the governor assigned Deputy Secretary Alphonso David, who oversees labor issues, to work with the employers’ attorneys to clean up the mess. The law requires the board to give semiannual updates on the size of the deficit. The first update was June 30.

 

The new law also allows the insolvent trusts to reduce by 20% the amount of money they owe—but only if they agree to pay the remaining 80%. That measure is supposed take effect by the end of the year and is expected to reduce the shortfall, a Cuomo administration official said.

Travelers Offers Strategies to Mitigate Workplace Injuries

HARTFORD, Conn.–(BUSINESS WIRE)– From June through September, workers compensation claims at small businesses are at their peak, according to an analysis of Travelers’ claims data. Lower back strains and other back-related injuries and injuries from slips, trips and falls are the most common, and workers under 30 years old comprise almost one third of those sustaining on-the-job injuries.

“This year marks the 100^th anniversary of workers compensation insurance and Travelers continues to help business owners keep employees safe and healthy by encouraging them to adopt key risk management techniques,” said Marc Schmittlein, President and Chief Executive Officer, Travelers Small Commercial. “By taking even small steps, businesses can enhance employee health and manage the costs associated with workers’ injuries.”

Travelers Risk Control professionals recommend the following risk management tips to help business owners:

• Sound Hiring Practices – Summer is a particularly high traffic time for many businesses and hiring new full- and part-time employees is a common way business owners meet the increased demand. Businesses need to evaluate current hiring practices when recruiting new employees, especially considering that, on average, employees in their first year on the job have a higher incidence of injuries than those with more tenure. Making workplace safety part of the screening process is therefore paramount. Employers should inquire about a prospective employee’s attitude toward safety issues during the hiring process.
• Orientation and Training – Regardless of the background or experience of an employee, it is critical that business owners orient and train all employees in safe work practices and procedures. Safety training of any sort should include: a focus on emergency procedures; a review of safe work practices; a reminder about required personal protective equipment; and a review of employee protocol should an accident occur. The formality of the training will vary based on the complexity of the task.
• Active Supervision – Promoting safe work practices through active supervision is a key component of mitigating workers compensation risks. Reinforcing the fact that the safety practices and procedures in place will protect employees is an important responsibility for all small business owners. Remembering to keep feedback upbeat and positive also promotes a productive and safe environment.
• Accident Response – Business owners need to ensure that employees understand that there is a process in place in the event they do get injured on the job. This process allows employees to get the necessary care and attention they need in a prompt fashion from a qualified physician. Doing so will help expedite employees’ recovery and minimize the impact an injury has on their family and work life, which ultimately benefits business owners.

Schmittlein continued, “Employees are a small business’s most important resource. With the proper risk management and workers compensation coverage, small business owners can help ensure that employees who sustain an injury while working are able to get the proper medical attention they need, getting them back to work faster.”

Watch it! Summer is peak season for workers’ compensation claims at small businesses, and those aged 30 and under are most prone to injury, Travelers Cos. Inc. says.

From June through September, workers’ compensation claims at small businesses are at their peak, the the New York property-casualty insurer with Hartford operations says, citing an analysis of its claims data.

Lower back strains and other back-related injuries and injuries from slips, trips and falls are the most common, and workers under 30 years old comprise almost one third of those sustaining on-the-job injuries, the insurer said.

Workers compensation is an insurance that business owners provide to employees that pays for medical care and physical rehabilitation of injured workers and helps to replace lost wages while they are unable to work.

Noting the 100^th anniversary of workers’ comp insurance, Travelers says there are some things businesses can do to minimize on-the-job injuries and claims:

Sound hiring practices — Make workplace safety part of the screening process. Employers should inquire about a prospective employee’s attitude toward safety issues during the hiring process.

Orientation and training – Safety training of any sort should include: a focus on emergency procedures; a review of safe work practices; a reminder about required personal protective equipment; and a review of employee protocol should an accident occur.

Active Supervision – Promoting safe work practices through active supervision is a key to curbing workers compensation risks. Reinforcing the fact that the safety practices and procedures in place will protect employees is an important responsibility for all small business owners.

Accident Response – Business owners need to ensure that employees understand that there is a process in place in the event they do get injured on the job. This process allows employees to get the necessary care and attention they need in a prompt fashion from a qualified physician.