Comments Submitted to the National Committee on Vital and Health Statistics

Subcommittee on Privacy and Confidentiality

Hearing on Privacy and Health Information Technology

February 23, 2005

My name is Robin Kaigh and I am an attorney who has tracked medical privacy issues since 1996 as a concerned private citizen. Thank you for allowing the opportunity for Sue Blevins to read my comments today. My comments are as follows:

Some things in life are obviously not good ideas. Such things usually have demonstrable risks associated with them—like driving without your seatbelt, smoking in bed, leaving your wallet out where strangers can take it, throwing out in the trash sensitive personal information without taking precautions to protect against identity theft.

In the rush to embrace technology, well-intentioned federal officials and consultants are ignoring hard evidence that putting ultra-sensitive medical information into electronic format and exchanging such information between health care providers and other entities will expose sensitive medical information to being hacked into and wrongfully disseminated. The danger of wrongful access or human error resulting in wrongful dissemination has been demonstrated again and again, yet the federal government is contemplating requiring every citizen to have his medical information placed into an electronic medical record that tracks him from birth to death. In a free country, shouldn’t it be up to each American citizen whether he wants to accept such a risk of exposure of his sensitive medical information?

I have testified in front of this Committee before, stating that if electronic medical records are the wave of the future (regardless of the inherent risks involved), each citizen should be able to opt-in or opt-out of such a system.

My central premise—that private information stored electronically is wrongfully exposed again and again—continues to manifest almost daily. Just this month alone, it was reported that a confidential list of 4,500 persons with AIDS and 2,000 others who are HIV positive, most living in Florida, was inadvertently emailed to more than 800 Palm Beach county health workers. Also this month, it was reported that ChoicePoint, Inc., a company in Georgia that gathers private information on nearly everyone in the US, transmitted personal data on as many as 145,000 persons to thieves using stolen identities to create what appeared to be 50 legitimate businesses, but were found to be fake companies.

And last month, the public learned that a hacker in California was able to read Secret Service emails and files after he breached the cellular network of T-Mobile. Ironically, he did the hack-in during the Secret Service's ongoing investigation targeting underground hacker organizations. This is a classic example of how vulnerable an electronic system can be: A hacker who was being targeted by the Secret Service pursued his Secret Service pursuers and breached their own [Secret Service] electronic communications.

Time and again these examples show that no electronic database system is hacker-proof or fail-safe. Therefore, with such obvious risks of improper access and dissemination and resulting invasion of privacy—each and every American citizen should be given freedom of choice whether he wants his sensitive information to be stored electronically.

In conclusion, in view of these seemingly unending and inappropriate electronic disclosures and violations, no citizen should be compelled to risk a similar disclosure of his most private and personal medical information.

Thank you for this opportunity to share my thoughts on this issue.

Robin Kaigh, Esq.
Cherry Hill, NJ
(856) 482-2560