
New data spill shows risk of online health records



SAN FRANCISCO (AP) — Until recently, medical files belonging to nearly 300,000 Californians sat unsecured on the Internet for the entire world to see.


There were insurance forms, Social Security numbers and doctors’ notes. Among the files were summaries that spelled out, in painstaking detail, a trucker’s crushed fingers, a maintenance worker’s broken ribs and one man’s bout with sexual dysfunction.


At a time of mounting computer hacking threats, the incident offers an alarming glimpse at privacy risks as the nation moves steadily into an era in which every American’s sensitive medical information will be digitized.


Electronic records can lower costs, cut bureaucracy and ultimately save lives. The government is offering bonuses to early adopters and threatening penalties and cuts in payments to medical providers who refuse to change.


But there are not-so-hidden costs with modernization.


“When things go wrong, they can really go wrong,” says Beth Givens, director of the nonprofit Privacy Rights Clearinghouse, which tracks data breaches. “Even the most well-designed systems are not safe. … This case is a good example of how the human element is the weakest link.”


Southern California Medical-Legal Consultants, which represents doctors and hospitals seeking payment from patients receiving workers’ compensation, put the records on a website that it believed only employees could use, owner Joel Hecht says.


The personal data was discovered by Aaron Titus, a researcher with Identity Finder who then alerted Hecht’s firm and The Associated Press. He found it through Internet searches, a common tactic for finding private information posted on unsecured sites.


The data were “available to anyone in the world with half a brain and access to Google,” Titus says.


Titus says Hecht’s company failed to use two basic techniques that could have protected the data – requiring a password and instructing search engines not to index the pages. He called the breach “likely a case of felony stupidity.”


One of the patients affected was Paul Thompson, who learned of the breach from Titus.


The Sugarloaf, Calif., electrician blew out his shoulder four years ago on a job wiring up a multiplex movie theater. His insurance company denied his claim, which led to a protracted dispute. He eventually settled.


Thompson says his injury has been a “long, painful road.”


Unable to afford surgery in the U.S. to fix his torn rotator cuff, he paid a medical tourism company that was supposed to schedule a cheaper procedure in Costa Rica. The company went bankrupt, however, and Thompson said he lost nearly $7,300.


To have his personal information exposed on top of that was a final indignity.


“I’m totally disgusted about everything,” he said, calling the breach “another kick in the stomach.”


Thompson is worried that hackers may have spotted his information online and tagged him for future financial scams. He contacted his bank and set up a fraud alert with the credit reporting agencies.


He says the prospect of all health records going electronic – which federal law mandates should happen by 2014 – “scares the living hell out of me.”


When mistakes occur, the fallout can be more severe than the typical breach of email addresses or credit card numbers.


In the wrong hands, health records can be used for blackmail and public humiliation. The information can also be used by insurance companies to inflate rates, or by employers to deny job applicants.


Usually when personal data are exposed, it’s the result of a network break-in by a hacker or a theft of computer equipment. Sometimes, it can be a simple case of someone mishandling the information.


Leaks are more likely the more data are passed around within the health industry’s increasingly interconnected networks.


Dozens of companies can be authorized to handle a single person’s medical records. The further away from the health care provider the records get, the flimsier the enforcement mechanisms for ensuring the data are protected.


That’s exactly what happened at Hecht’s company. “Our internal security policies and procedures weren’t followed,” Hecht says. “When we were notified, we took immediate steps to remediate the situation and took long-term steps to make sure it never happened again.”


The firm has since put the information behind a password, an approach that has its own security risks.


Hecht declined to go into further detail about how the information ended up online. He says many of the Social Security numbers and basic details about people’s injuries were part of a database his firm compiled from information regularly sent by the state.


Patricia Ortiz, spokeswoman for the state Division of Workers’ Compensation, says doctor’s notes and other documentation in such cases are publicly available, but they have to be requested one by one.


The state stopped including Social Security numbers in those files in 2008; the exposed data came from older files.


Ortiz said that once workers’ compensation information leaves the state’s control, its security is the recipient’s responsibility.


California, like most states, has a law requiring companies to notify consumers when their information has been breached. Hecht did not return calls from the AP seeking an update on how many patients had been notified.


Large-scale medical data breaches have been on the rise in recent years.


In one of the biggest, government health data was at risk in 2006 when a laptop with data on 26.5 million veterans was stolen from a government employee’s home. The computer equipment was recovered, and the FBI said the sensitive files weren’t accessed.


This year, hard drives containing health histories, financial information and Social Security numbers of 1.9 million Health Net insurance customers disappeared from an office. State regulators launched investigations into Health Net’s security procedures.


The California company declined to comment, saying the incident was still under investigation.


The latest incident is “an eye-opener, and we’re going to get eye-opener after eye-opener,” says Jim Dempsey, a security and public policy expert at the Center for Democracy & Technology.


As instances of data mishandling become more commonplace, government officials may seek greater control over security policies of companies with access to health care records that aren’t currently regulated.


“It should be yet another warning bell for companies: You’ve got your reputation on the line, and you’re also facing enforcement action if you don’t pay attention to the security of the data you collect and process,” Dempsey says.


Jordan Robertson can be reached at jrobertson(at)ap.org.

© 2011 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.
