Pakistani Threatens HIPAA Extortion

October 23, 2003 ( - Attempting to get a higher wage for her labor, a worker based in Pakistan has threatened to release the medical records of a San Francisco hospital's patients.

The Pakistani worker, Lubna Baloch, had been doing cut-rate clerical work for University of California at San Francisco (UCSF) Medical Center through a subcontractor hired to handle at a portion of the health-care system’s voluminous medical-transcription workload. Earlier this month, Baloch sent an e-mail saying one of the subcontractors owed her money, and unless the hospital found the subcontractor and remedied the situation, patient medical records were going up online, according to a San Francisco Chronicle report.

“Your patient records are out in the open to be exposed, so you better track that person and make him pay my dues or otherwise I will expose all the voice files and patient records of UCSF Parnassus and Mt. Zion campuses on the Internet,” Baloch wrote in her demand email. To show she was serious, Baloch even attached actual files containing diction from UCSF doctors.

After receiving the email, administrators at the hospital immediately began to think of the implications this disclosure could have under theHealth Insurance Portability and Accountability Act (HIPAA). Under HIPAA, health-care organizations are required to maintain strict shrouds of privacy around patient medical records. However, those laws are virtually unenforceable overseas, where much of the labor- intensive transcribing of dictated medical notes to written form is being exported.

To bring the ordeal to an end, the hospital contacted the company that had been contracted to handle the transcription. Even though the contractor told UCSF that she gave explicit instructions to a subcontractor not to send transcription work overseas, she agreed to pay a portion of the money Baloch was owed, approximately $500, to bring the ordeal to a close.

The next day, UCSFreceived a second e-mail from Baloch. “I verify that I do not have any intent to distribute/release any patient health information out and I have destroyed the said information,” she wrote. “I am retracting any statements made by me earlier.”