WA: Prescription drug tracking system illegally accessed (updated)
From the this-can’t-be-good dept.:
This week Washington’s Prescription Monitoring Program sent letters to 34 people whose records were illegally accessed by someone who used a physician’s identity.
The doctor’s personal and professional information was used to set up a fraudulent account in the statewide system.[…]
State health officials immediately deactivated the account when they learned it was fraudulent. The illegal account had been used to put the information of 34 patients into a format that can be downloaded. The patients and their prescribing providers have been notified and law enforcement is now investigating the case.
Read more on Enumclaw Courier-Herald.
Exactly what personal information is in that database? Anyone know?
Update: Okay, I looked up Washington’s law on this. Here’s the relevant section that gives us a clue as to what data types are in each record:
(2) Except as provided in subsection (4) of this section, each dispenser shall submit to the department by electronic means information regarding each prescription dispensed for a drug included under subsection (1) of this section. Drug prescriptions for more than one day use should be reported. The information submitted for each prescription shall include, but not be limited to:
(a) Patient identifier;
(b) Drug dispensed;
(c) Date of dispensing;
(d) Quantity dispensed;
(e) Prescriber; and
(3) Each dispenser shall submit the information in accordance with transmission methods established by the department.
(4) The data submission requirements of subsections (1) through (3) of this section do not apply to:
(a) Medications provided to patients receiving inpatient services provided at hospitals licensed under chapter 70.41 RCW; or patients of such hospitals receiving services at the clinics, day surgery areas, or other settings within the hospital’s license where the medications are administered in single doses;
(b) Pharmacies operated by the department of corrections for the purpose of providing medications to offenders in department of corrections institutions who are receiving pharmaceutical services from a department of corrections pharmacy, except that the department of corrections must submit data related to each offender’s current prescriptions for controlled substances upon the offender’s release from a department of corrections institution; or
(c) Veterinarians licensed under chapter 18.92 RCW. The department, in collaboration with the veterinary board of governors, shall establish alternative data reporting requirements for veterinarians that allow veterinarians to report:
(i) By either electronic or nonelectronic methods;
(ii) Only those data elements that are relevant to veterinary practices and necessary to accomplish the public protection goals of this chapter; and
(iii) No more frequently than once every three months and no less frequently than once every six months.
What I haven’t found yet is the definition of “patient identifier,” so I’ve sent an e-mail to the state requesting clarification and will update this entry if/when I get an answer.
Update: I sent an inquiry to the state, who kindly responded with the following details:
(i) Patient identifier. A patient identifier is the unique
identifier assigned to a particular patient by the dispenser;
(ii) Name of the patient for whom the prescription is ordered
including first name, middle initial, last name, and generational
suffixes, if any;
(iii) Patient date of birth;
(iv) Patient address;
(v) Patient gender;
(vi) Drug dispensed;
(vii) Date of dispensing;
(viii) Quantity and days supply dispensed;
(ix) Refill information;
(x) Prescriber identifier;
(xi) Prescription issued date;
(xii) Dispenser identifier;
(xiii) Prescription fill date and number;
(xiv) Source of payment indicated by one of the following:
(A) Private pay (cash, change, credit card, check);
(D) Commercial insurance;
(E) Military installations and veterans affairs;
(F) Workers compensation;
(G) Indian nations;
(H) Other; and
(xv) When practicable, the name of person picking up or dropping
off the prescription, as verified by valid photographic identification.
They provide whatever unique identifier they assign to a patient. It does not need to be the same for every pharmacy. The only requirement is that they can use the identifier to trace back to a certain patient.