A father walks with his son outside of Rady Children's Hospital, one of the medical providers who recently experienced a data breach. Jan. 9, 2016. Megan Wood, inewsource.
Theft of patient information is an expensive and growing problem for health care providers that range from big hospitals to small community clinics.
And while breaches affecting tens of millions of customers tend to gather all the headlines, the problem is no less serious for the more than 30,000 patients in San Diego County whose records have been compromised since 2010.
Information analyzed by inewsource shows at least five health care providers in San Diego County had patient data exposed in that time period. Most of the providers either failed to respond to repeated inewsource calls for comment or declined to be interviewed about the incidents. One directed inewsource to a written statement.
Patient records are valuable to thieves because they allow them to use and create new credit cards, file false tax returns and even commit medical fraud. The breaches can occur in a variety of ways, from relatively sophisticated online infiltration to low-tech theft of an unwatched laptop computer.
Last year alone, 261 breaches of medical data occurred in the U.S., affecting at least 500 customers and 113.2 million patients, according to records published by the U.S. Office for Civil Rights.
Not all of those breaches were large: The average incident in California affected about 138,400 patients. Take out a single loss that affected more than 4.5 million patients at the University of California Los Angeles Health and the average drops to slightly more than 6,000 victims per breach.
But many more breaches may actually be occurring. At least one expert says organizations donāt detect all the times their data has been compromised.
Another factor that could affect the hospitalsā and clinicsā level of vigilance is the state of enforcement. The Office of Civil Rights can impose penalties of up to $1.5 million for a breach, and California can impose fines of up to $25,000 per stolen record.
However, the civil-rights agencyās records indicate only 30 percent of breaches since 2010 resulted in a federal investigation. And California, which can investigate all breaches no matter how small, only issued 33 violations last year, according to state Department of Public Health records.
It can be hard to track down where victims of a breach live. Federal incident records simply indicate the home state for the company involved. For example, the notorious breach of insurance company Anthem affected almost 80 million patients throughout the country, but itās reported as an incident in Indiana.
Locally, Rady Childrenās Hospital in San Diego reported two breaches in 2014 affecting more than 20,400 victims. Rady representatives directed inewsource to the hospitalās website for a statement about the incidents. In it, the hospital called both incidents āhuman error.ā
An early 2014 breach at Escondido-based Palomar Health affected about 5,500 patients. The public health care district declined to comment, citing āpending legal matters surrounding this breach.ā
Tri-City Medical Center in Oceanside reported a breach affecting 500 individuals in August 2014. Officials declined to comment because, they said in an email, the incident happened āso long ago.ā A spokesman for the California Department of Public Health couldnāt confirm that the state had looked at that specific event, but it did investigate an August 2014 incident and was āin the process of determining whether it will result in an assessment of an administrative penalty.ā
Two other health care providers ā Graybill Medical Group in Escondido and American Sleep Medicine in Kearny Mesa ā each had a breach affecting about 1,800 patients. Neither responded to repeated calls for comment.
The data of about 5,500 patients at Palomar Health was compromised in early 2014. Megan Wood, inewsource.
Bitter medicine
The Ponemon Institute, a research organization focused on data protection and information security, placed the cost of data theft to the health care industry at $6 billion annually.
For health care providers ā and the businesses that provide auxiliary services to them such as law firms, print shops and IT companies ā even small breaches come with a significant cost.
Abner Weintraub is an owner and principal researcher for the consulting company ExpertHIPAA.com. He said surveys have placed the cost of a medical data breach at $100 to $250 per record compromised. A separate study from the Ponemon Institute and IBM placed the cost as high as $363 globally per record ā more than twice as much as the average data-breach cost for all other industries.
āThe costs for smaller clinics and professional organizations in health care obviously are not as high,ā Weintraub said. āBut in some cases the damage to reputation is more severe than financial fines or penalties or financial costs.ā
According to Weintraub, the costs come from multiple steps providers have to take to respond to a breach. The organization has to inform patients and āminimize the damage.ā
Responding to the damage
Consumers can take steps to protect their data if they believe itās been compromised.
Closely monitor credit accounts and consider putting a freeze on credit files.
Beware of identity thieves filing false tax returns.
Beware of scammers pretending to be the breached organization.
Contact the affected organization directly.
For many organizations, he said, that means providing a year or two of free monitoring of individualsā credit accounts for unusual activity.
Despite high costs, 91 percent of health care organizations surveyed by Ponemon had at least one breach in the previous two years. Forty percent had more than five breaches during that time.
Weintraub said a possible reason hospitals and medical centers continue to be breached is that they donāt realize the value of the information they hold. While they no doubt realize that records are valuable to patients and important for good medical care, they donāt realize that āhealth records are cash to criminals.ā
Ponemon found that criminal attacks are now the number one cause of medical breaches ā going from one in five organizations reporting a criminal attack in 2010 to almost half last year. That has moved it just ahead of lost or stolen computers and employee errors.
According to Weintraub, a credit card with a magnetic stripe might sell for $1 or $2 on the online black market for stolen personal data. āHealth records can sell for anywhere from $10 to $15 on the low end to $100 or $150 on the high end for each stolen health record,ā he said.
Not only do most health care providers not treat their records like cash, sometimes they donāt even know if theyāve been robbed.
āUnfortunately, we feel that breaches are underreported,ā said Eva Velasquez, president and CEO of the Identity Theft Resource Center, a San Diego nonprofit. āNot because the organizations donāt have integrity, but because they still donāt have the best practices in place to even know that theyāve been compromised.ā
Even with a lost or stolen computer, organizations may not realize patient information has been accessed without permission.
Velasquez and Weintraub emphasized that password-protecting a laptop isnāt nearly enough to keep it from being accessed. Thatās especially true when, as Velasquez pointed out, one of the most common passwords is still āpassword.ā
inewsource is a nonprofit, nonpartisan newsroom dedicated to improving lives in the San Diego region and beyond through impactful, data-based investigative and accountability journalism.
Our Vision
Betrayals of the public trust are revealed and rectified, wrongdoing is deterred, and inequities are illuminated thanks to inewsourceās deep, dogged, fact-based reporting.
Our Values
Truth: Above all else, we value the importance of a free and credible press. Truth is the cornerstone of democracy and the core value for inewsource.
Transparency: We build trust with our readers by adhering to the highest standards and ethics, and to reporting with facts, precision and context.
Collaboration: Our newsroom prioritizes collaboration over competition. We regularly partner with media outlets on reporting projects and to share content.
Community: Our reporting serves the San Diego region, and we strive to build relationships with our audience by getting out into the community to listen and engage.
Ethics Policy
inewsource will conduct its business with the highest standards of decency, fairness and accuracy. These standards shall apply equally to inewsource employees, freelancers and all others engaged in gathering information on behalf of inewsource. All receive a copy of these ethical standards.
In the course of our reporting, we will consistently:
ā Identify our organization and ourselves fully and avoid false representations of any kind to any source.
ā Obtain consent from all parties before electronically recording any interview or conversation except in extraordinary cases authorized by the Managing Editor and Editor. If a source refuses to be taped, that must be honored; no recordings are to be made without consent.
ā Respect the individualās right to privacy. inewsource will never manipulate or barter private, personal, health, financial or other extraneous information in the course of preparing its reports.
ā Any source we describe or write about in any significant manner must be contacted. The employee should document all efforts to contact the source, and if unsuccessful, should summarize these efforts at contact in the body of his/her writing.
In addition, inewsource follows the Code of Ethics of the Society of Professional Journalists. The latest version, revised in 2014, can be found here.
Our organization retains full authority over editorial content to protect the best journalistic and business interests of our organization. We will maintain a firewall between news coverage decisions and sources of all revenue. Acceptance of financial support does not constitute implied or actual endorsement of donors or their products, services or opinions.
We accept gifts, grants and sponsorships from individuals and organizations for the general support of our activities, but our news judgments are made independently and not on the basis of donor support. Our organization also may consider donations to support the coverage of particular topics, but our organization maintains editorial control of the coverage. We will cede no right of review or influence of editorial content, nor of unauthorized distribution of editorial content.
Our organization will make public all donors who give a total of $1,000 or more. We will accept anonymous donations for general support only if it is clear that sufficient safeguards have been put into place that the expenditure of that donation is made independently by our organization and in compliance with INNās Membership Standards.
Diversity
Diverse Voices
Inclusiveness is at the heart of thinking and acting as journalists, and it supports the educational mandate of inewsource. Race, class, generation, gender, sexual orientation, ability, and geography all affect point of view. inewsource believes that reflecting societal differences in reporting leads to better, more nuanced stories and a better-informed community.
inewsource is committed to employment equity and diversity.
Diverse Staffing Report
Below is a breakdown of staffing data at inewsource. We determine the composition of our staff by asking them to self-identify. It is based on a newsroom of 11 and a total staff of 15 as of August 2020. Percentages are based on 15 total survey responses. The numbers include full-time and part-time staff, full-time fellows and full-time and part-time interns.
All Staff Percentages are based on 15 total survey responses. The numbers include full-time and part-time staff, full-time fellows and full-time and part-time interns.
Newsroom Percentages are based on 15 completed survey responses to this question.
Business Percentages are based on 15 completed survey responses to this question.
Gender Identity
Gender Identity
Gender Identity
Women
80%
Women
82%
Women
75%
Men
20%
Men
18%
Men
25%
Sexual Orientation
Sexual Orientation
Sexual Orientation
Straight
87%
Straight
82%
Straight
100%
LGBTQ-identifying
7%
LGBTQ-identifying
7%
Not specified
7%
Not specified
7%
Speak a language beyond English at home
33%
Speak a language beyond English at home
18%
Speak a language beyond English at home
75%
Race/Ethnicity
Race/Ethnicity
Race/Ethnicity
White
67%
White
73%
White
50%
Hispanic or Latinx
20%
Two or more races
18%
Hispanic or Latinx
50%
Two or more races
13%
Hispanic or Latinx
9%
Age
Age
Age
20-29
40%
20-29
45%
20-29
25%
30-39
47%
30-39
45%
30-39
50%
60 or older
13%
60 or older
9%
60 or older
25%
* The percentages in the charts have been rounded and may not add up to 100.
Ownership Structure, Funding and Grants
inewsource is a nonprofit organization, whose legal name is Investigative Newsource. It does business as inewsource. The business was incorporated on Aug. 4, 2009 in the state of California. Tax-exempt status as a 501c3 was granted by the IRS on Sept. 15, 2010. inewsource is funded primarily by individual contributions and foundation grants. We are guided by a board of directors.
Editorial independence: Journalists employed by inewsource take no editorial direction from donors whose contributions may support the organization. inewsource will not hesitate to report on its donors when events warrant. Our Editorial Independence Policy details the firewall between journalism and revenue.
To be transparent with the public, inewsourcelists its donors on its website. In cases where a donor is the subject of an inewsource story, additional disclosure will be made.
Financial Documents
We do our due diligence to earn your trust in our reporting, as well as in our governance and financial sustainability. All of our financial documents are made available to view so that our supporters can trust we are sound stewards of your philanthropy. Review our IRS Form 990s, audited financial statements and annual reports:
Transparency is one of our core values. Today, there is a need to build trust with our audience because new media and ways of communicating spread lies and slanted news faster than “real” news. At the same time, this era of new technologies makes it easier than ever for news organizations to be transparent. People don’t just have to believe us, they can investigate our investigations with our source materials.
Transparency is key to building credibility.
inewsource reporters have primary responsibility for reporting, writing, and fact-checking their stories. But before a story is published, the reporter reviews all facts and sources with an editor or another reporter. Facts must be traced to a primary source.
In addition, we ātransparifyā certain investigative stories. This process involves publishing a version of the web story with hyperlinks to all the storyās facts. This is proof that all facts have been documented with primary evidence. We do this to build trust with our readers and to be as transparent as we hope the public figures and institutions that we hold accountable will be.
Unnamed Sources
Not all sources are created equal. Some sources cannot speak authoritatively, provide proper analysis or speak specifically to every inquiry placed before them. To maintain the integrity of our reporting, inewsource reporters must select sources who can speak with validity to the topic at hand, and avoid presenting unqualified or underqualified sources as experts.
If an interviewed source has a conflict of interest, or whose qualifications may be tangential or limited, reporters will note that within the context of the story.
It is incumbent upon reporters to fully background their sources to uncover conflicts of interest or slant prior to using them in a story.
Unless discussed prior to an interview, all subjects talking to inewsource journalists are on the record. Specifically, the source is identified by name and title, and their exact or paraphrased words are attributed to them for publication. If journalists speak with sources who are not politicians, public figures or those not commonly interviewed by journalists, staff should explain clearly that information discussed will be on the record and for publication.
There are times, however, when information may be critical for a story but cannot be found or verified by other means. For example, a source may be able to confirm specific information about a series of events they may have witnessed, but have legitimate concerns about using their name or title. The repercussions to the source could be legal, job-related retribution or personal safety. The source and journalist must discuss these potential dangers and terms of use should be agreed upon by both parties.
If inewsource publishes information from an anonymous source, inewsource will explain to readers, in as much detail as possible, why we agreed to anonymity.
Corrections and Clarifications
inewsource strives for accuracy in everything we do, which is why we are committed to fact checking our content. But sometimes we make errors. When that happens, we correct them. We also clarify stories when something weāve written is confusing or could be misinterpreted.
We endeavor to always be transparent about our commitment to correcting errors and clarifying misperceptions. When staffers see, hear or read about a possible issue with the accuracy of any inewsource content, they are expected to bring it to the attention of an editor and the web producer so it can be evaluated to determine how to proceed.
Including the web producer is key because inewsource is a multimedia news organization and shares its content with multiple partners on multiple platforms. The web producer must alert these partners about corrections and clarifications.
Corrections and clarifications should be included at the bottom of stories and dated.
Actionable Feedback and Newsroom Contacts
Our audiences know the region we cover and have a stake in maintaining and improving the quality of life in San Diego and Imperial counties. We know your knowledge and insights can help shape what we cover and how we cover it. We invite your comments and complaints on news stories, suggestions for issues to cover or sources to consult. We rely on you to tell us when we get it right and when we need to keep pushing.
Your comments, questions and suggestions can be sent to the team as a whole at contact@inewsource.org or you can contact a specific member of our staff.
Lorie Hearn is the chief executive officer, editor and founder of inewsource. She founded inewsource in the summer of 2009, following a successful reporting and editing career in newspapers. She retired from The San Diego Union-Tribune, where she had been a reporter, Metro Editor and finally the senior editor for Metro and Watchdog Journalism. In addition to department oversight, Hearn personally managed a four-person watchdog team, composed of two data specialists and two investigative reporters. Hearn was a Nieman Foundation fellow at Harvard University in 1994-95. She focused on juvenile justice and drug control policy, a natural course to follow her years as a courts and legal affairs reporter at the San Diego Union and then the Union-Tribune.
Hearn became Metro Editor in 1999 and oversaw regional and city news coverage, which included the city of San Diegoās financial debacle and near bankruptcy. Reporters and editors on Metro during her tenure were part of the Pulitzer Prize-winning stories that exposed Congressman Randy āDukeā Cunningham and led to his imprisonment.
Hearn began her journalism career as a reporter for the Bucks County Courier Times, a small daily outside of Philadelphia, shortly after graduating from the University of Delaware. During the decades following, she moved through countless beats at five newspapers on both coasts.
High-profile coverage included the historic state Supreme Court election in 1986, when three sitting justices were ousted from the bench, and the 1992 execution of Robert Alton Harris. That gas chamber execution was the first time the death penalty was carried out in California in 25 years.
In her nine years as Metro Editor at the Union-Tribune, Hearn made watchdog reporting a priority. Her reporters produced award-winning investigations covering large and small local governments. The depth and breadth of their public service work was most evident in coverage of the wildfires of 2003 and then 2007, when more than half a million people were evacuated from their homes.
Mark J. Rochester began as inewsource managing editor in April 2021, having served as editor in chief at Type Investigations, a nonprofit investigative newsroom in Manhattan. He was previously senior news director for investigations at the Detroit Free Press. Both newsrooms, he notes, shared a commitment to diversity and inclusion, and their investigative journalism often received national recognition for exposing problems impacting communities of color.
His family looks forward to returning to California, having spent more than seven years in San Francisco where Rochester was a senior manager for the Associated Press. While with the news cooperative, he led computer-assisted reporting training efforts around the West, both inside and outside of AP, and conducted a widely used analysis of the $74 million in campaign contributions that went toward the California gay marriage ballot initiative in 2008. The AP analyzed who gave and why and then made the data available to member newspapers. The resulting series of stories based on the data was APās 2009 Pulitzer nomination for Local Reporting.
Rochester, who served as a Pulitzer Prize jurist in 2017, also has held senior leadership positions at the Pittsburgh Post-Gazette, The Denver Post, Newsday and The Indianapolis Star. Rochester is vice president of Investigative Reporters & Editors Inc., the 6,000+ member international organization dedicated to improving investigative journalism. He also serves on the national advisory board of the Investigative Reporting Workshop at American University in Washington, D.C.
Byline Policy
Most of our articles carry a byline to identify the author. In some cases, inewsource will use a brand byline such as “Staff” or “inewsource” for internal or editorial information about the newsroom. In these instances, inewsource‘s Editor and Managing Editor are responsible for content that uses a brand byline.
The Trust Project
inewsource is proud to be a member of The Trust Project and support efforts to increase transparency in journalism by displaying the 8 Trust Indicators on our stories. We launched the Trust Indicators on Sep. 16, 2020.
Privacy Policy
inewsource has prepared this Privacy Policy to explain how we collect, use, protect, and share information when you use our inewsource.org website (the āSiteā) or when you use any of our services (the āServicesā).
By using the Site or Services you consent to this Privacy Policy.
Log Data
Like many site operators, we collect information that your browser sends whenever you visit our site (āLog Dataā).
This Log Data may include information such as your computerās Internet Protocol (āIPā) address, browser type, browser version, the pages of our site that you visit, the time and date of your visit, the time spent on those pages and other statistics.
Cookies
Cookies are files with small amount of data, which may include an anonymous unique identifier. Cookies are sent to your browser from a web site and stored on your computer or mobile device.
Like many sites, we use ācookiesā to collect information. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our site.
Certain pages on our site may set other third party cookies. For example, we may embed content, such as videos, from another site that sets a cookie. While we try to minimize these third party cookies, we canāt always control what cookies this third party content sets.
Additionally, we may use third party services ā such as those that provide social media conveniences, measure traffic, send newsletters and facilitate donations ā that may place cookies on your computer. We donāt have any way of knowing how such services handle the resulting data internally. inewsource makes no claim, nor takes liability for the insecure submission of information via these applications.
Here are the services whose cookies you can find on inewsource.org:
Sharing buttons for Facebook and Twitter. These use the standard scripts provided by each company.
Google Analytics, which we use to measure site traffic. Google Analytics gathers certain non-personally identifying information over time, such as your IP address, browser type, internet service provider, referring and exit pages, time stamp, and similar data. We also use Facebook Pixel to measure, optimize and build audiences for advertising campaigns served on Facebook. In particular it enables us to see how our users move between devices when accessing our website and Facebook, to ensure that our Facebook advertising is seen by our users most likely to be interested in such advertising by analyzing which content a user has viewed and interacted with on our website.
Stripe, which allows us to accept donations through our website.
Salesforce to manage newsletter subscriber, donor, and other identifiable user data.
Mailchimp, to manage newsletter distributions. We collect your email address if you choose to subscribe to one of our email newsletters or email news alerts. Other optional information that you enter when subscribing ā such as your first and last names or city are simply so that we can deliver more personalized email newsletters. We DO NOT sell, rent or market your information to any other parties. We retain your information only as long as necessary to provide your service. When we send emails, it collects some data about which users open the emails and which links are clicked. We use this information to optimize our email newsletters and, as aggregate information, to explain what percentage of our users open and interact with our newsletters.
Personal Data
We only collect personally identifiable information such as your name and email address when you sign up for a newsletter, donate to our organization, or otherwise submit it to us voluntarily. We do not share your personal data with any third parties other than some common service providers, whose products use your information to help us improve our site, deliver newsletters, or allow us to offer donation opportunities.
inewsource limits access to all user data for the purposes of newsletter, fundraising, and customer service only. User data is not sold to or otherwise shared with anyone not working with or for the inewsource.
You may unsubscribe or opt-out of our email and mail communications at any time by hitting the āunsubscribeā button in any email you receive from inewsource, or by emailing us at contact@inewsource.org or calling us at 619-594-5100.
Donor Information
The identities of all donors will be listed on our website. inewsource does not share, trade, sell, or otherwise release donorsā personal information to any third parties.
Refunds
If you encounter errors when donating on the website, please contact us at members@inewsource.org. For example, if you submit a donation for an incorrect amount or make a duplicate transaction please email us immediately so we can reverse the charges.
Cancellation of Recurring Donations
You can cancel your monthly recurring donations free of charge by notifying us at members@inewsource.org.
Links to Other Websites
Our site may contain links to documents, resources or other websites that we think may be of interest to you. We have no control over these other sites or their content. You should be aware when you leave our site for another, and remember that other sites are governed by their own user agreements and privacy policies, which should be available to you to read.
Disclaimers and Limitation of Liability
Although we take reasonable steps to prevent the introduction of viruses, worms, āTrojan Horsesā or other destructive materials to our site, we do not guarantee or warrant that our site or materials that may be downloaded from our site are free from such destructive features. We are not liable for any damages or harm attributable to such features. We are not liable for any claim, loss or injust based on errors, omissions, interruptions or other inaccuracies on our site, nor for any claim, loss or injust that results from your use of this site or your breach of any provision of this User Agreement.
Contact Us
If there are any questions regarding this privacy policy, please contact us at contact@inewsource.org or call us at 619-594-5100.
Leonardo CastaƱeda was a reporter and economic analyst for inewsource. To contact him with tips, suggestions or corrections, please email leocastaneda [at] inewsource [dot] org.
More by Leonardo CastaƱeda
Megan Wood was a multimedia journalist for inewsource. To contact inewsource with questions, tips or corrections, email contact@inewsource.org.
More by Megan Wood
