SAN FRANCISCO (AP) — Until recently, medical files belonging to
nearly 300,000 Californians sat unsecured on the Internet for the
entire world to see.
There were insurance forms, Social Security numbers and doctors’
notes. Among the files were summaries that spelled out, in
painstaking detail, a trucker’s crushed fingers, a maintenance
worker’s broken ribs and one man’s bout with sexual
dysfunction.
At a time of mounting computer hacking threats, the incident offers
an alarming glimpse at privacy risks as the nation moves steadily
into an era in which every American’s sensitive medical information
will be digitized.
Electronic records can lower costs, cut bureaucracy and ultimately
save lives. The government is offering bonuses to early adopters
and threatening penalties and cuts in payments to medical providers
who refuse to change.
But there are not-so-hidden costs with modernization.
“When things go wrong, they can really go wrong,” says Beth Givens,
director of the nonprofit Privacy Rights Clearinghouse, which
tracks data breaches. “Even the most well-designed systems are not
safe. … This case is a good example of how the human element is
the weakest link.”
Southern California Medical-Legal Consultants, which represents
doctors and hospitals seeking payment from patients receiving
workers’ compensation, put the records on a website that it
believed only employees could use, owner Joel Hecht
says.
The personal data was discovered by Aaron Titus, a researcher with
Identity Finder who then alerted Hecht’s firm and The Associated
Press. He found it through Internet searches, a common tactic for
finding private information posted on unsecured sites.
The data were “available to anyone in the world with half a brain
and access to Google,” Titus says.
Titus says Hecht’s company failed to use two basic techniques that
could have protected the data – requiring a password and
instructing search engines not to index the pages. He called the
breach “likely a case of felony stupidity.”
One of the patients affected was Paul Thompson, who learned of the
breach from Titus.
The Sugarloaf, Calif., electrician blew out his shoulder four years
ago on a job wiring up a multiplex movie theater. His insurance
company denied his claim, which led to a protracted dispute. He
eventually settled.
Thompson says his injury has been a “long, painful
road.”
Unable to afford surgery in the U.S. to fix his torn rotator cuff,
he paid a medical tourism company that was supposed to schedule a
cheaper procedure in Costa Rica. The company went bankrupt,
however, and Thompson said he lost nearly $7,300.
To have his personal information exposed on top of that was a final
indignity.
“I’m totally disgusted about everything,” he said, calling the
breach “another kick in the stomach.”
Thompson is worried that hackers may have spotted his information
online and tagged him for future financial scams. He contacted his
bank and set up a fraud alert with the credit reporting
agencies.
He says the prospect of all health records going electronic – which
federal law mandates should happen by 2014 – “scares the living
hell out of me.”
When mistakes occur, the fallout can be more severe than the
typical breach of email addresses or credit card
numbers.
In the wrong hands, health records can be used for blackmail and
public humiliation. The information can also be used by insurance
companies to inflate rates, or by employers to deny job
applicants.
Usually when personal data are exposed, it’s the result of a
network break-in by a hacker or a theft of computer equipment.
Sometimes, it can be a simple case of someone mishandling the
information.
Leaks are more likely the more data are passed around within the
health industry’s increasingly interconnected networks.
Dozens of companies can be authorized to handle a single person’s
medical records. The further away from the health care provider the
records get, the flimsier the enforcement mechanisms for ensuring
the data are protected.
That’s exactly what happened at Hecht’s company. “Our internal
security policies and procedures weren’t followed,” Hecht says.
“When we were notified, we took immediate steps to remediate the
situation and took long-term steps to make sure it never happened
again.”
The firm has since put the information behind a password, an
approach that has its own security risks.
Hecht declined to go into further detail about how the information
ended up online. He says many of the Social Security numbers and
basic details about people’s injuries were part of a database his
firm compiled from information regularly sent by the
state.
Patricia Ortiz, spokeswoman for the state Division of Workers’
Compensation, says doctor’s notes and other documentation in such
cases are publicly available, but they have to be requested one by
one.
The state stopped including Social Security numbers in those files
in 2008; the exposed data came from older files.
Ortiz said that once workers’ compensation information leaves the
state’s control, its security is the recipient’s
responsibility.
California, like most states, has a law requiring companies to
notify consumers when their information has been breached. Hecht
did not return calls from the AP seeking an update on how many
patients had been notified.
Large-scale medical data breaches have been on the rise in recent
years.
In one of the biggest, government health data was at risk in 2006
when a laptop with data on 26.5 million veterans was stolen from a
government employee’s home. The computer equipment was recovered,
and the FBI said the sensitive files weren’t accessed.
This year, hard drives containing health histories, financial
information and Social Security numbers of 1.9 million Health Net
insurance customers disappeared from an office. State regulators
launched investigations into Health Net’s security
procedures.
The California company declined to comment, saying the incident was
still under investigation.
The latest incident is “an eye-opener, and we’re going to get
eye-opener after eye-opener,” says Jim Dempsey, a security and
public policy expert at the Center for Democracy &
Technology.
As instances of data mishandling become more commonplace,
government officials may seek greater control over security
policies of companies with access to health care records that
aren’t currently regulated.
“It should be yet another warning bell for companies: You’ve got
your reputation on the line, and you’re also facing enforcement
action if you don’t pay attention to the security of the data you
collect and process,” Dempsey says.
—
Jordan Robertson can be reached at jrobertson(at)ap.org.

© 2011 The Associated Press. May not be published, broadcast, rewritten or redistributed.