WASHINGTON Electronic medical records, which the Obama administration would like to see widely used, are rarely encrypted so a data breach could be triggered by the simple theft of a laptop or misplaced thumb drive, a privacy expert told lawmakers on Wednesday.
Regulations require healthcare providers to report data breaches unless the data lost had been encrypted.
"We know from the statistics on breaches that have occurred since the notification provisions went into effect in 2009 that the healthcare industry appears to be rarely encrypting data," according to written testimony by Deven McGraw, of the Center for Democracy and Technology.
"Doesn't that cry out for data breach protections?" asked Senator Richard Blumenthal at the hearing of Senate Judiciary Committee's panel on privacy, technology and the law.
In addition to information about illnesses, electronic medical records contain patients' dates of birth and Social Security numbers and other data that are gold to identity thieves.
Senator Tom Coburn, himself a physician, urged caution in the wholesale adoption of electronic records, saying he feared hackers could break into a records database.
"Maybe we ought to rethink some of what we're doing," he said.
Senator Al Franken, chair of the panel, said he was contemplating legislation to encourage encryption, as well as extending privacy protection requirements beyond healthcare providers, perhaps to online medical record providers.
"The bottom line is that people have a right to privacy and to know that their data is safe and secure, and right now that right is not a reality," Franken said after the hearing.
(Reporting by Diane Bartz; editing by Andre Grenon)