When it comes to the legality of electronic signatures, it’s all about evidence. If you have the right evidence in your documents, it can keep you out of court in the first place. We’ve seen this in action with a real estate client whose buyer claimed the agent had signed documents for him. The real estate agent was able to prove the buyer signed the document because of the evidence built into the document, and the client dropped the case.
But today we’re going to look at an example of electronic signatures gone wrong. We’re going to look at the case of Magee-Womens Hospital, a prominent regional hospital for women and part of the highly regarded University of Pittsburgh Medical Center.
In December 1999, Dr. Susan Silver, a Johns Hopkins University-trained pathologist at Magee-Womens Hospital, complained to a colleague about a strange practice she’d seen at the lab. Her electronic signature had been placed on two pathology reports that she’d never seen before.
Silver suspected the hospital was trying to increase profits by making it look like physicians were reviewing the results in addition to cytotechnologists (who are not physicians).
She complained to the hospital’s administration, and officials promised her that the unauthorized electronic signature was just a mistake. But veteran pathologist Dr. Kenneth McCarthy Jr. looked into Silver’s complaint and found a widespread problem in the Magee lab. McCarthy found that the electronic signature system had automatically signed their names to hundreds of thousands of Pap smear reports that they’d never seen.
The two doctors got tired of waiting for the hospital to do something, so they took their concerns to the College of American Pathologists. McCarthy and Silver were fired right before the inspectors arrived.
The doctors weren’t the only ones who said they were fired for pointing out an error in the electronic signature system. Donna Kovacs, an employee of Magee's pathology department, went to Pennsylvania state health authorities to complain about falsified signatures on patient records.
In fact, Kovacs was one of the patients affected. She discovered her own Pap smear reports had been signed by a pathologist who never read her tests. Kovacs was also fired.
McCarthy, Silver and Kovacs all sued the hospital and the University of Pittsburgh Medical Center under a state law protecting whistle-blowers.
At least ten cases were filed against the hospital, including:
The scandal also brought the hospital’s other electronic records into question and resulted in a very public dispute over the span of many years.
In December 2003, the state Department of Health launched its own investigation and carried out unannounced inspections of the lab. The process, which usually only takes a few weeks, took almost two years to complete.
The Department of Health found that patients’ Pap smear reports were forwarded to a treating physician with a pathologist’s signature even though the pathologist hadn’t seen the record. The department cited the hospital for allowing unauthorized staff to sign Pap smear reports and for not maintaining quality records.
Hospital lawyers dismissed the false electronic signatures as a computer glitch.
There are several key lessons to learn from this case. First is that when you’re dealing with important records, identity authentication is essential. If each of the pathologists had their own secret signing PIN they had to enter each time they signed, the entire issue would have never become a problem.
But certainly the biggest takeaway from this case is the importance of electronic evidence. This case calls into question whether your IT staff can prove the person signing a document had in fact approved that record. Without the help of a highly detailed log of events during the document’s lifecycle (an audit trail), your IT team doesn’t have the resources to provide evidence to support documents in court.
Preserving and vouching for long-term records can be a real challenge for electronic records that don’t contain enough evidence. An institution and its stakeholders can’t assume that the IT staff it has today will be around tomorrow to testify about a mouse-click or a button-push.
That’s why it’s critical to have a highly detailed audit trail that’s permanently attached to the document. With digital signatures (a specific type of electronic signature), any cryptography expert can read the data logged for each document and testify whether the signature is legitimate. The information is stored within the document, so you don’t have to rely on outside sources—your IT staff or your electronic signature vendor—to prove your documents are genuine.
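The kind of review an audit trail makes possible, as an added example that is not from the original article or any vendor's product: it checks a per-document event log for tampering and flags signatures applied without a PIN or without the signer having viewed the report. It uses a SHA-256 hash chain for tamper evidence, which is not itself a digital signature; the event fields, user names and sample report are assumed and constructed for illustration.

```python
import hashlib, json

GENESIS = "0" * 64

def entry_hash(prev_hash, event):
    # Each hash covers the previous one, so edits and reordering show up.
    payload = json.dumps(event, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

def append(trail, event):
    prev = trail[-1]["hash"] if trail else GENESIS
    trail.append({"event": event, "hash": entry_hash(prev, event)})

def review(trail, doc_bytes):
    """Return findings; an empty list means the trail supports the signatures."""
    findings, viewed, prev = [], set(), GENESIS
    digest = hashlib.sha256(doc_bytes).hexdigest()
    for i, entry in enumerate(trail):
        ev = entry["event"]
        if entry_hash(prev, ev) != entry["hash"]:
            findings.append(f"entry {i}: chain broken")
        prev = entry["hash"]
        if ev["doc_sha256"] != digest:
            findings.append(f"entry {i}: different document")
        if ev["action"] == "viewed" and ev["pin_verified"]:
            viewed.add(ev["user"])  # signer authenticated and opened the report
        elif ev["action"] == "signed":
            if not ev["pin_verified"]:
                findings.append(f"entry {i}: {ev['user']} signed without PIN")
            if ev["user"] not in viewed:
                findings.append(f"entry {i}: {ev['user']} signed unseen report")
    return findings

# Constructed sample data (hypothetical users and report text).
REPORT = b"constructed sample Pap smear report"
DIGEST = hashlib.sha256(REPORT).hexdigest()

def make_event(user, action, pin_verified):
    return {"user": user, "action": action,
            "pin_verified": pin_verified, "doc_sha256": DIGEST}

def demo():
    good, bad = [], []
    append(good, make_event("pathologist_a", "viewed", True))
    append(good, make_event("pathologist_a", "signed", True))
    append(bad, make_event("cytotech_1", "viewed", True))
    append(bad, make_event("pathologist_a", "signed", False))  # auto-applied
    return good, bad
```

In a deployed system the final chain hash would also be covered by the signer's digital signature, so the trail travels with the document and can be verified without the operator's cooperation.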
It’s easy to see that if this hospital had used identity authentication and digital signatures, they could’ve saved themselves loads of trouble and countless hours in court.