Bad HIT in pharmacy: Hospital to pay half million dollar fine after pharmacist's drug theft

This is an example where bad health IT in an "infrastructure" system (as opposed to a clinician-facing system) led to a quite unfortunate outcome for the community.

Bad Health IT ("BHIT") is defined as IT that is ill-suited to purpose, hard to use, unreliable, loses data or provides incorrect data, is difficult and/or prohibitively expensive to customize to the needs of different medical specialists and subspecialists, causes cognitive overload, slows rather than facilitates users, lacks appropriate alerts, creates the need for hypervigilance (i.e., towards avoiding IT-related mishaps) that increases stress, is lacking in security, compromises patient privacy or otherwise demonstrates suboptimal design and/or implementation

Security seemed severely lacking in this pharmacy information system:

Hospital to pay $510K fine after pharmacist's drug theft

Philly.com (Philadelphia Inquirer/Daily News)
January 9, 2017

http://www.philly.com/philly/blogs/real-time/Abington-Hospital-to-pay-fine-for-system-failure-after-drug-theft-by-pharmacist.html

Abington Memorial Hospital will pay $510,000 in fines after one of its pharmacists was able to exploit a loophole and steal drugs for illegal use,  the U.S. Department of Justice announced Monday.

In July, 2013, the hospital detected a discrepancy during a drug inventory. An internal investigation found that the pharmacist, Renata Dul, had on 85 occasions stolen more than 35,000 units of a controlled substance, including oxycodone, by exploiting a gap in the software used to track prescription medications. Dul then altered or destroyed related records. The hospital notified the Drug Enforcement Agency at that time.

The U.S. Attorney's Office found the hospital violated its responsibilities under the Controlled Substance Act, including failure to maintain adequate records and maintain proper security for receipt, purchase and administration of prescription drugs.

From a related article at this link:

... From Feb. 1, 2010, to July 22, 2013, Abington Memorial “failed to provide effective controls and procedures to guard against loss, theft, and diversion of controlled substances,” the agreement states.  During that time, Dul, a licensed staff pharmacist in the inpatient pharmacy, exploited a gap “since corrected” in the pharmacy’s software used to track the withdrawal and dispensing of medication, stealing controlled substances on at least 85 occasions and altering or destroying related records, the agreement says. She also admitted having stolen an “undeterminable” amount of controlled medications previously, it says.

The "gap" mentioned is likely widespread across many hospitals using this software.

The designers, vendors and hospital customers of health IT, even "backoffice" HIT, need to be exceptionally careful.  It's not like incorporating proper security for software like this, with aegis over drugs including narcotics, is a mystery.

35,000 units of a controlled substance on the streets, just from this one example where the IT flaw exploitation was caught, likely led to significant morbidity and mortality.

The penalty to the pharmacist was this:

In 2015, Dul pleaded guilty to 25 counts of possession with intent to distribute She was sentenced to six years in prison with three years supervised release, according to the U.S. Department of Justice.

In my view, those responsible for permitting the IT flaws in such a critical area as pharmacy should also have been held accountable.

-- SS