The Clipboard: How one offshore worker sent tremor through medical system

From an article¹:

Lubna Baloch sat in her office in the sprawling Pakistani commercial center of Karachi and gazed at the e-mail she'd composed. She tried to imagine the reaction half a world away when the people at UC San Francisco Medical Center saw what she'd written.

The famous U.S. hospital would have to take her seriously, Baloch knew, when it realized she was prepared to post its confidential patient records on the Internet. That is, unless UCSF helped her get the money she was owed from the mysterious Tom Spires, her link in a long chain of medical transcription subcontractors.

"Your patient records are out in the open to be exposed," Baloch wrote in her e-mail, "so you better track that person and make him pay my dues or otherwise I will expose all the voice files and patient records of UCSF Parnassus and Mt. Zion campuses on the Internet."

Then the kicker: "Just to make you believe that I am not bluffing I am attaching latest voice file and text of your hospital." Baloch had included private discharge summaries for two UCSF patients.

She clicked the send button on her computer screen.

The message arrived at UCSF on Oct. 7, 2003. It would get a swift reaction from hospital officials, but not in the way Baloch was expecting. Her brief e-mail would send shock waves throughout the U.S. medical establishment and prompt legislation to change California privacy laws. People's livelihoods, including her own, would be ruined. (link)

The whole tale is quite astonishing. The hospital contracted with a firm called Transcription Stat. Transcription Stat subcontracted it to a woman named Sonya Newburn. Newburn seems to have engaged in some sort of scam to have Lubna Baloch in Pakistan do the actual work. Read the full story to get the details on Newburn's clever scheme. The real problem, as the article notes, is that only part of Newburn's scheme can be punished under U.S. law despite the amount of harm done:

Most outsourcing of confidential information is done in an aboveboard fashion, with elaborate measures imposed to keep data secure as it lands in places like India, the Philippines, Ireland, Israel, Pakistan, the Caribbean and, to a lesser extent, Russia and China.

And, to be sure, overseas workers are no less trustworthy than their American counterparts. But because they are beyond the reach of U.S. authorities, overseas workers essentially operate on the honor system when it comes to keeping data under wraps.

"The problem is not that they're in India," said Chris Hoofnagle, associate director of the Electronic Privacy Information Center in Washington. "The problem is that American laws are not going to be enforced in India."

---

Complete text of the article, Outsourced UCSF notes highlight privacy risk, by David Lazarus

Lubna Baloch sat in her office in the sprawling Pakistani commercial center of Karachi and gazed at the e-mail she'd composed. She tried to imagine the reaction half a world away when the people at UC San Francisco Medical Center saw what she'd written.

The famous U.S. hospital would have to take her seriously, Baloch knew, when it realized she was prepared to post its confidential patient records on the Internet. That is, unless UCSF helped her get the money she was owed from the mysterious Tom Spires, her link in a long chain of medical transcription subcontractors.

"Your patient records are out in the open to be exposed," Baloch wrote in her e-mail, "so you better track that person and make him pay my dues or otherwise I will expose all the voice files and patient records of UCSF Parnassus and Mt. Zion campuses on the Internet."

Then the kicker: "Just to make you believe that I am not bluffing I am attaching latest voice file and text of your hospital." Baloch had included private discharge summaries for two UCSF patients.

She clicked the send button on her computer screen.

The message arrived at UCSF on Oct. 7, 2003. It would get a swift reaction from hospital officials, but not in the way Baloch was expecting. Her brief e-mail would send shock waves throughout the U.S. medical establishment and prompt legislation to change California privacy laws. People's livelihoods, including her own, would be ruined.

"This was an egregious breach," said Tomi Ryba, chief operating officer of UCSF Medical Center, adding that what happened to her hospital could happen to any company that outsources data. "We'll have to live with this risk on a daily basis."

American jobs have been moving offshore for years, primarily manufacturing work seeking out lower-paid workers abroad. The outsourcing of people's personal information, though, is a relatively new phenomenon -- opening the door to identity theft, fraud and other criminal activities.

"We've reached the point where American companies ship personal information outside the country and tell customers to check their privacy at the shore," said Rep. Edward Markey, D-Mass., one of the leading privacy advocates on Capitol Hill.

Lubna Baloch's run-in with UCSF demonstrates that the safety of outsourced information can never be guaranteed -- no matter how stringent the safeguards -- and offers the most glaring example to date of how a disgruntled overseas worker can violate the privacy rights of U.S. citizens.

The $20 billion medical transcription industry subcontracts as much as half its work overseas. Doctors' dictated notes are routinely farmed out by hospitals to be transcribed into written form.

Baloch, who spoke English and had studied medicine, was quick to recognize that a good living could be made as a medical transcriptionist in Karachi. But to succeed, she knew she'd have to crack the lucrative U.S. market.

"You need a good client to establish yourself," Baloch said in one of several telephone interviews from Pakistan. "I needed a good client in the U.S. so that others could see what I could do."

She believed she'd struck gold last summer when an e-mail arrived last summer from "Tom," who said he was an American transcriptionistconnected to one of the most prestigious hospitals in the country, UCSF Medical Center in San Francisco.

Tom didn't offer a last name or other particulars. Not even a phone number. Only the promise of 3 cents a line -- good money by Pakistan standards -- for quality transcription work, no questions asked.

"He was very secretive," Baloch recalled. "I asked for a contract and he said no. But I really wanted to establish myself, so I agreed."

The medical files started arriving in short order -- UCSF doctors' notes on patient discharges. The oral notes, containing the patients' names and details of their conditions and treatments, would be transmitted in digital form over the Internet.

Baloch downloaded and transcribed them. Then she'd upload the written files and send them back to Tom. She said she e-mailed him at what she assumed was his important U.S. company, Tutranscribe, although the firm didn't have its own Web site, only an AOL account.

Baloch was hopeful. She was handling as many as 15 UCSF files a day, five days a week. Tom said that if her work were good, he'd increase her pay in just a few months.

Most outsourcing of confidential information is done in an aboveboard fashion, with elaborate measures imposed to keep data secure as it lands in places like India, the Philippines, Ireland, Israel, Pakistan, the Caribbean and, to a lesser extent, Russia and China.

And, to be sure, overseas workers are no less trustworthy than their American counterparts. But because they are beyond the reach of U.S. authorities, overseas workers essentially operate on the honor system when it comes to keeping data under wraps.

"The problem is not that they're in India," said Chris Hoofnagle, associate director of the Electronic Privacy Information Center in Washington. "The problem is that American laws are not going to be enforced in India."

When she began working for Tom, Baloch wanted the relationship to be as open and aboveboard as possible. She said she asked by e-mail several times for a phone number. What if she had a problem with one of the files? What if there was an emergency?

At last, Tom agreed to chat via AOL's Instant Messenger service and revealed two things: His full name, he said, was Tom Spires, and he lived in Texas.

So, Baloch asked, is that how he would identify himself on the Western Union money transfer that would be arriving in Karachi after her first month's work? She explained that knowing the sender's name and location were necessary for her to collect her funds.

"He answered with only two words -- Sonya and Florida," Baloch recalled. "I asked who Sonya was. He said, 'She's my secretary in Florida.' "

Baloch was pleased to see that Sonya was wiring the money, but the payments never came on time. Every month, Baloch would have to ask Tom for her money again and again.

She finally told Tom -- by e-mail, as always -- that she would not send back UCSF's transcribed files until her money arrived. Almost immediately, Sonya wired funds from Florida.

So Baloch sent off her completed files and went to work on the steady stream of doctors' notes that Tom kept sending. Indeed, more files than ever before were arriving over the Net.

"Tom said I should hire more people so I could take on more work," said Baloch, who immediately recruited additional transcriptionists in Karachi and went shopping for a couple of new computer systems for them to work on.

But she soon started to worry.

It was Sept. 25, 2003, several months after Baloch had begun handling the San Francisco hospital's records, and once again Tom in Texas, via Sonya in Florida, hadn't paid her on time.

Enough was enough. Baloch was now also doing transcription work for a doctor in Santa Monica and was hopeful that new jobs would be found at the various transcription sites online. She could live without Tom Spires and his secretive ways.

Baloch e-mailed Tom and demanded her outstanding payment of about $500. No reply. She e-mailed again. Nothing. She tried yet again, and this time her e-mail to Tom's usual address was returned as undeliverable.

She couldn't believe it. "I was in debt," Baloch said. "I couldn't pay my people. I couldn't pay my rent. My telephone bill was high. My electricity bill was high. This made me very, very angry."

So she sent her e-mail to UCSF. The hospital would remedy things.

Tech workers at UCSF weren't sure at first what to make of Baloch's message. They didn't know who she was or whether the files she'd attached were genuine. They forwarded the message to the hospital's records department.

The department checked Baloch's files against its own archives. That's when it became clear that one of the most serious privacy breaches in the institution's history had just transpired. The head of the records department, Mary Reed, would later characterize the situation in a memo as "quite grim."

Reed contacted a Sausalito firm called Transcription Stat, which had been handling much of the hospital's transcription work for 20 years. The files on Baloch's message had been originally outsourced to the firm.

"I couldn't believe this happened," said Kim Kaneko, the owner of Transcription Stat. "Nothing like this has ever happened to us before."

A Transcription Stat worker, Dennis Centore, quickly traced the files to a batch of notes that had been subcontracted to a woman in Florida named Sonya Newburn, who typically handled as many as 30 files on individual UCSF patients every day.

"She was quiet until I mentioned Tom Spires," Centore recalled. "Then she said, 'Oh my God,' and said that she had contracted for Tom to do the work."

Neither Transcription Stat nor UCSF knew that Newburn was subcontracting. The outsourcing chain was supposed to end with her, as per Newburn's contract with the Sausalito firm.

Newburn told Centore she would immediately find Spires and try to resolve the matter. The next day, UCSF received another e-mail from Baloch. It said she'd been paid some of her outstanding money by Newburn's Florida company, Medical Data Services, and that Newburn had agreed to pay the remainder by the end of October.

"I verify that I do not have any intent to distribute/release any patient health information out and I have destroyed the said information," Baloch wrote. "I am retracting any statements made by me earlier."

Newburn, for her part, would say in a telephone interview a few weeks later that she hoped the problem would now go away. She said she'd immediately dropped Spires as a subcontractor and strongly opposed transcription work being sent to other countries.

"I would never do that," Newburn declared. "That's American work, American jobs, going overseas."

She added: "The work (from Spires) was going there, and I didn't even know it. I specifically told him I didn't want any work going overseas."

It wasn't yet known that Baloch had been paid all along by "Sonya in Florida." Nor was it known that no record exists of a transcriptionist in Texas named Tom Spires or a company called Tutranscribe.

The chain of subcontractors that led eventually to Baloch receiving UCSF's files underscores the challenge of keeping track of personal information once it's outsourced. And misdeeds can happen anywhere.

In November, the names, addresses and Social Security numbers of thousands of Wells Fargo customers went missing when a computer was stolen from the office of a Concord business consultant working for the bank. Wells' data were subsequently recovered by police and Secret Service agents, and the suspected thief has been charged with burglary and possession of stolen property.

Baloch never would have been in a position to threaten UCSF if another subcontractor in the chain hadn't violated the terms of the hospital's original outsourcing contract and sent the records abroad.

In late October, several weeks after UCSF received Baloch's threatening e-mail, Newburn was still maintaining that she had no idea the hospital's files were going to Pakistan. "This whole thing has really surprised me," she said by phone.

If that's true, she was asked, how did she explain the money transfers she was apparently sending to Baloch?

Newburn hesitated before answering. "Did Baloch tell you that?" she wanted to know. "The lady's a rogue."

Newburn now admitted that she did know before the threat against UCSF that the hospital's files were going to Pakistan. "I just wasn't aware of the extent of work going there," she said.

Even though she was handling Baloch's monthly invoices?

"I'm not sure," Newburn replied.

How did she meet Tom Spires?

"I met him online. He came to me for work."

And he lives in Texas?

Newburn paused. "I'm not sure anymore," she said.

Transcription Stat's checks to Newburn were sent to an address in Cottondale, Fla., near Tallahassee. The house is listed in public records as Newburn's primary address. Also residing there, according to property records, are Robert and Evelyn Spires, the home's owners.

Any relation?

"I'm not answering that question," Newburn said.

Is Tom Spires a relative?

"If he is, what of it?"

Does Spires even exist?

"I'm not going to answer that."

Did Newburn invent Spires to protect herself from charges that she was violating contracts by sending work abroad?

"I need to get an attorney," she said, and hung up the phone.

Responding to the situation with UCSF, California Sen. Joe Dunn, D-Garden Grove, introduced legislation last month that would prevent any work from being sent abroad if it involves state residents' confidential information.

"Once your information goes overseas, it's beyond the reach of the U.S. court system," he said. "There's no remedy for a U.S. citizen if his information is compromised."

Similarly, state Sen. Liz Figueroa, D-Fremont, introduced a bill that would, among other things, require any company doing business in California to disclose that it is outsourcing customers' data to overseas workers.

She also chaired a six-hour hearing in Sacramento this month to explore the various ways that consumers' info makes its way abroad. "It's definitely a growing trend," Figueroa said. "It's not going away."

At the federal level, Rep. Markey of Massachusetts said he's planning to introduce legislation soon that would not only require companies to reveal any outsourcing practices, but also allow consumers to say no if they don't want their data leaving the country.

"It's not acceptable that your credit card may stay safely in your pocket but your credit report is traveling the world racking up frequent flier miles," he said.

Sen. Bill Nelson, D-Fla., said this month that he too has legislation in the works prompted in part by what happened to UCSF. One issue he said he intends to address is the possibility of holding U.S. companies accountable for any misuses of information abroad.

At UCSF, hospital officials are still dealing with the fallout from Baloch's security breach.

"We took this very, very seriously," said Ryba, the medical center's COO. "UCSF has had longstanding policies in place to protect patient confidentiality, and it continues to be a high priority for us."

But there's only so much anyone can do. "What occurred here is an unethical breach of contract," Ryba said. "If people break contracts and violate ethical business practices ... the most vigilant protection system will be challenged."

Newburn's contract with Transcription Stat, the Sausalito firm that originally received UCSF's outsourced files, clearly specifies that "confidential medical information arising out of the doctor-patient relationship" is involved.

The contract stipulates that Newburn, as a subcontractor, "will not divulge any such information."

Business at Transcription Stat, meanwhile, all but dried up once the hospital stopped sending the company its doctors' notes for transcription.

Kaneko, the firm's owner, said that even though she did nothing wrong, it's probably just a matter of time before she's forced to close. "Who's going to hire me now?" she asked. "Who's ever going to think about using Transcription Stat at this point? After 23 years in business, it took just one little e-mail to ruin me."

For her part, Newburn isn't taking any more calls on the matter. She said by e-mail only that she has nothing more to say about Baloch, Spires or her role in putting UCSF's patient records at risk.

Back in Karachi, Baloch has no idea what she'll do now. Her sole remaining U.S. client, the Santa Monica physician, cut her off when it came to light that she was using his Southern California address on her resume without his permission.

She's trying to keep a low profile. Her phone number's been changed. She doesn't want her picture taken.

"It was wrong what I did to UCSF," Baloch acknowledged. "But what else was I supposed to do? Tom was abusing me. Sonya was abusing me. Maybe Sonya was Tom. I have so many questions!"

reference=http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2004/03/28/OFFSHORE.TMP