rica, Equifax and TransUnion, Feinstein (D-California) said she might introduce federal legislation to protect the personal data of Americans if the companies don't establish safeguards.

"In my view, American companies which are outsourcing consumer data to foreign countries must assume responsibility for the data," Feinstein wrote.

All of the recipients of Feinstein's letter already have outsourced clerical services, or have stated their intent to do so.

Companies increasingly are outsourcing more than just programming jobs to places like India. They are using foreign accountants to prepare U.S. tax returns, foreign radiologists to examine X-rays and even foreign clerks to transcribe dictation of sensitive medical data from American doctors. In these cases, most Americans have no idea that someone outside the United States handled private information about them. More worrisome, Americans might not be able to sue or collect damages from foreigners who misuse the information.

Last year a medical transcriber in Pakistan threatened to post patients' medical records online unless the University of California at San Francisco Medical Center settled a financial dispute. Lubna Baloch, the transcriber, claimed she hadn't been paid the 3 cents a line reportedly promised by a Texas man, who, in turn, had subcontracted the work from a Florida woman. The Florida woman herself had subcontracted the work from Transcription Stat, a firm in Sausalito, California, that was paid 18 cents a line by the medical center for the work. The owner of Transcription Stat said she couldn't respond to questions due to a pending lawsuit in the case.

A hospital spokeswoman said the medical center didn't know or approve of more than one level of subcontracting and was not aware that work was being sent outside the country.

Although the Health Insurance Portability and Accountability Act of 1996 requires medical transcribers in the United States to uphold privacy practices mandated in the bill, the federal law has no reach overseas.

Of course, overseas workers aren't more likely to compromise or misuse sensitive information than workers in the United States. For example, recently, U.S. publications published false rumors that actress Nicole Kidman might be suffering from breast cancer after someone leaked information about her breast exam to reporters.

In addition to sensitive medical data, information shipped to foreign workers can include bank account numbers, Social Security numbers, stock holdings and credit card numbers -- all valuable information to identity thieves.

One legislator already is taking steps to address the outsourcing privacy issue within Feinstein's state. California Democratic state Sen. Liz Figueroa plans to hold a hearing next month to discuss legislation that would prohibit California hospitals from outsourcing clerical work abroad. Figueroa also is considering legislation that would make it easy for Californians who have had their privacy violated by an overseas contractor to sue the American hiring party here. She said it's unclear whether current laws would allow this.

Because the outsourcing practice is so new, no one is tracking when companies outsource services, so Figueroa also wants to require companies to notify the state when they outsource 20 or more jobs overseas.

A study of the top 100 financial institutions worldwide by Deloitte Research predicted that financial firms would be outsourcing about 2 million jobs overseas over the next five years. Already, about 10 percent of the medical-transcription business, which generates $20 billion a year, is estimated to be outsourced overseas. But Melinda Decker of Medical Transcription, a site that matches health organizations with transcription services, said the figure is much higher.

Sen. Figueroa said the growing trend threatens to undermine medical and financial privacy protections that consumers and legislators have fought hard to achieve.

"Privacy issues until now have mostly been in the U.S.," said Figueroa, "but I think people are not aware of how much of their information is going outside the United States. I can't monitor medical information after it is sent overseas, but I can do something about it in the state."

Figueroa admitted to a little frustration at having to draft separate legislation to deal with outsourced medical data. She was author of one of the strongest medical privacy bills in the nation, the California Confidentiality of Medical Information Act, that was part of a health-care reform package signed by the state's governor in 1999.

"We thought we had taken care of everything having to do with medical privacy information. We didn't foresee the problem with outsourcing. Now we have to start all over again," she said.

If Figueroa does introduce new legislation, the health-care industry likely will fight it in the same way that banks fought a financial privacy bill introduced in California last year. Although that bill -- which aimed to stop banks from sharing or selling customers' personal information -- passed in California, Congress passed a bill two months later that essentially trumped the state legislation.

--------------------------------------------------------------------------------