This is an incredibly pervasive problem. As someone who has worked in healthcare medical informatics for a long time, I can report that errant spreadsheets with all sorts of data are floating around in virtually every medical institution.

Informatics in general and information security in particular are participants still new to the table at large healthcare institutions. It will take some time for policy to be formulated and yet more time still for it to be implemented organization-wide. I really don't know if there is any one silver bullet here outside of prohibiting all data sharing, which, frankly, is not possible.

There are so many different electronic information systems that people need to get data out of in all sorts of different formats, including paper, that the only real way I see this working is for vendors to force de-identification on export. See pioneering work by Sweeney[0] of CMU in this area. There are a number of systems that already do this, but it is not the norm just yet. Not to mention the incalculable number of shadow systems that people use just to get their jobs done.

The overarching problem, imho, is simply that healthcare institutions have not adequately invested in their own internal technology teams. By and large, they are thinly resourced and overburdened. Whatever technical leadership does exist is simply not valued on the same level as top medical personnel with MD backgrounds. We will only begin to see a change when medical leadership accepts and invests in technology as an equal partner and not just a tool.

[0] http://latanyasweeney.org/work/index.html