This post reflects on the article in the Denver Post: Uncovering the Identity Trade Business.
This story details identity theft by a Denver hospital employee. It is a single instance, but it shows how easy it is for any hospital employee, anywhere to steal patients' identities.
Hospitals will become a major source for identity theft because today's primitive, poorly designed health IT systems allow thousands of employees access to all patient information--including what's needed to steal identities. Not only can thousands of hospital employees see every patient's medical records (think George Clooney and Farah Fawcett--whose records were sold to the Enquirer), they can see and steal the demographic and financial information too.
For whatever reasons, the media has primarily reported on how wonderful electronic health systems are without explaining the severe risks they pose to privacy and the new problems they can create (errors, downtime, work flow obstacles, data sales, lack of interoperability, etc).
The health IT stimulus bill with $20B for HIT needs very strong consumer protections to ensure that the current 'norm' for hospital electronic health systems, ie badly designed, open access systems, is replaced by systems that only allow access to the few staff members the patient has given permission to see and use his/her electronic records. The current HIT bill does not require the use of consent management technologies to restore patient control over PHI.