Risk Factor iconRisk Factor

Patient Information Accessed From Old Computers in Oz

The Australian Sunday Times ran a story last weekend claiming that old hospital computers containing confidential patient information were being dumped in an open trash container in a busy alleyway at Royal Perth Hospital. The paper claimed to have been able to recover some of the information, including patient names and addresses, dates of birth, medical conditions and patient numbers. According to the Times, some 500 computers have been dumped this way.

Royal Perth, however, claims that the computer hard drives were wiped clean, but the Times said regardless that it was able to access the information very easily. The hospital also said that the computers were being destroyed by the scrap metal contractors picking them up, but the Times said it had sources that said that the computers were sometimes being resold.

After the story was published, the hospital and others claimed that the only way the Sunday Times could have accessed the information is if the paper had stolen the computers. Jim McGinty, Western Australia's Health Minister, is accusing the paper of "stealing the computers and engaging a 'hacker' to access their contents" during its investigation into Royal Perth Hospital's security of patient information. McGinty has called the police to investigate both the journalist and the paper.

This should get interesting.

In a side note, Western Australia's Auditor-General Colin Murphy in March reported that â''personal details of public servants, including salaries, home addresses and tax file numbers, were being released to the public when second-hand State Government computers were sold for as little as $2.â'' This is what drove the Times to do the story, it said.

Computer Science AB Advanced Placement Course Bites the Dust


The Washington Post reported last week that the College Board will be dropping the Advanced Placement Computer Science AB course and exam (the curriculum is here) after the 2008-2009 academic year. The College Board says that with only 5,064 students and 1,163 teachers taking part there was not enough interest.

According to the College Board website, "Computer Science AB includes all the topics of Computer Science A, as well as a more formal and a more in-depth study of algorithms, data structures, and data abstraction. For example, binary trees are studied in Computer Science AB but not in Computer Science A. The use of recursive data structures and dynamically allocated structures is fundamental to Computer Science AB."

The Computer Science A course seems unaffected.

Data Fusion Centers Mushroom


The Washington Post has a story on the proliferation of data fusion centers that have sprung up in dozens of states after 9/11. The centers tap into various commercial information brokers such as Accurint, ChoicePoint's Autotrack and LexisNexis, which the Posts writes, provide, "Web-based services that deliver instant access to billions of records on individuals' homes, cars, phone numbers and other information."

The story notes that each the fusion centers operate under state-defined different rules, and much of the activity is not open to outside review. At least one center (in Rhode Island) also claims that it has access (through the FBI) to classified CIA databases. This gives a back door channel to the CIA to keep an eye on US residents, something that it can't do directly.

It is not known how much information that is captured is wrong, but given that the Treasury Department's terrorist watch list has on-going problems with inaccurate and outdated information, there is little doubt that much of the information in these centers is suspect.

Even if when the information is accurate, the Treasury Department says that many users of the information don't bother to use it correctly. No doubt this happens with the information in these data centers as well.

I wonder how long before RFID information is captured by these data fusion centers.

UK Bank Loses Customer Data Disc Holding 370K Records


London-headquartered HSBC Holdings Plc, Europe's biggest bank, admitted that it had lost a disc containing details of 370,000 customers, according to news reports.

The data disc went missing a month ago after being sent by unregistered mail from HSBC's offices in Folkestone, England to the Swiss Reinsurance Co. because HSBC's electronic wire system wasn't working.

There is nothing to be concerned about, HSBC insists.

According to HSBC, the disc was password-protected (but not encrypted) and contains details including customers' names, life-insurance cover levels, birth dates and smoking status. It doesn't contain clients' financial details or addresses.

Nevertheless, HSBC said that, "We are apologizing to our customers.''

Why does HSBC feel the need to apologize if there is no harm? I thought the official government sanctioned rule in the UK on data breaches was "no harm, no foul."

Anyway, this and the HMRC episode last year does make one wonder what is going on at the Royal Mail. Is there a sorting machine somewhere that senses when sensitive computer discs are in an unregistered mailer and snaps them up?

Electronic UCLA Medical Records Breach Larger Than First Reported

The LA Times is reporting that a worker - since fired - was responsible for snooping through 61 electronic medical records at the UCLA Medical Center, 32 of which were those of celebrities including California first lady Maria Shriver and actor Farrah Fawcett.

UCLA Medical Center management claimed last month that when pop star Britney Spears' electronic medical records were illegally looked at by 25 staff members that it was an anomaly. Seems it wasn't.

What's more, the Medical Center didn't bother to tell either the authorities or the patients themselves that their records were looked at. In fact, it wouldn't have disclosed the breach at all if the news hadn't leaked to the press. As the Times story notes:

"UCLA officials initially determined that alerting authorities and the patients involved was not required (in the Shriver, Fawcett, etc. case), but they are reconsidering whether to notify the patients."

'As this becomes more public, that may change our minds,' said (Dr. David) Feinberg, (chief executive of the UCLA Hospital System), who joined UCLA last July."

I guess the irony of his statement escaped Dr. Feinberg.

The California Department of Public Health is now going to investigate the matter in some detail.

British Airways Back to Normal: Terminal 5 Baggage System Down Again


British Airways (BA) yesterday said it was hoping to run a "normal" flight schedule this weekend after a week of trouble with its new baggage system at its brand spanking new Terminal 5. Normal meant a new "normal," not the old "normal" like that at Terminal 4 where baggage system problems was the norm.

Well, it looks like the new normal is the same as the old normal.

BA announced earlier today that, "the BAA baggage system in Terminal 5 has suffered another computer problem today, which has caused disruption to British Airways flights."

"We are urging BAA to resolve these issues as soon as possible. Todayâ''s failure affects the baggage reconciliation system. This ensures that for security reasons we do not load any bags onto the aircraft where the passenger is not travelling."

"This means we have to manually reconcile bags for each flight which takes considerably more time than using the automated system. As a result this has led to flight delays and we have had to make a number of shorthaul cancellations."

"We apologise to passengers for the inconvenience."

BAA, the airport operator, also issued an apology: "This morning, a software problem has arisen in the baggage system at T5. This is entirely BAA's responsibility. We apologise to British Airways and all passengers who have been affected and can assure them that our specialist staff are working hard to resolve the problem and keep disruption to BA's operation to a minimum. While we know what the problem is, and have a potential solution, we are having to carefully consider how and when we apply this, to avoid further problems. We will provide further updates when appropriate."

It is never a good thing when you think your software fix may make things worse rather than better.

At least 12 flights were canceled today, and many flights were delayed for three hours or more.

Since the new terminal opened, over 400 flights have been canceled, at least 28,000 bags have been "mis-placed" and are being sorted in Milan, Gatwick, Manchester, Scotland, and the US, and the estimated costs to BA are at least $50 million. No word on whether BA will be asking BAA for compensation.

Life will get more interesting at the end of the month when most of the remainder of BA flights will move from Terminal 4 to Terminal 5. Of course, when the other airlines of the SkyTeam (Aeroflot, Air France, Alitalia, Bmi, Continental, CSA, Delta, Kenya Airways, KLM, Korean Air and Northwest Airlines) move into the space vacated by BA in Terminal 4. Given all the shuffling, I think it would be wise to avoid Heathrow until the end of the year.

The problems at Terminal 5 has inspired a game called Wee Willie Walsh in honor of British Airways chief executive Willie Walsh. The object of the game is to get a bag, get it through the security scanner, and then onto the plane.

Census: Going Back to Paper Due to "Lack of Communication"


The U.S. Census Bureau announced yesterday that it was reverting back to paper from its plan of using handheld computers for the 2010 Decennial Census. The reason?

According to Director of the Census Steve H. Murdock's testimony before the United States House Appropriations Subcommittee on Commerce, Justice and Science, "the problem with the FDCA (Field Data Collection Automation) program was due to a lack of communication between the Census Bureau and the prime contractor for FDCA, and to difficulties the contractor had in developing the full scope of the project within our deadlines. From the beginning, we did not effectively convey to the contractor the complexity of census operations, and the detailed requirements that needed to be fulfilled in order to complete the operations that FDCA covers."

In U.S. Secretary of Commerce Carlos M. Gutierrez testimony, he said that, "In 2007, the Address Canvassing dress rehearsal was conducted, at which time development and scoping problems emerged. Reports from the Census Bureauâ''s field staff, consultants from the non-profit MITRE Corporation working for the Bureau, and the Government Accountability Office confirmed these problems. The departmentâ''s Inspector General also raised concerns."

"In late 2007 and early 2008, more than 400 new or clarified technical requirements were identified by the Census Bureau. Upon the realization of the large scope of requirement changes, Census Director Murdock established the 2010 Census FDCA Risk Reduction Task Force, to begin to propose and evaluate options to keep the FDCA program on track. These efforts served to clarify the issues and confirm the urgent need for action."

The action was to punt (and bad mouth the contractor as much as possible even as the Bureau "accepted responsibility").

Gutierrez's testimony, as damning as it is, fails to mention that both technical and management issues with the handhelds were raised well before May of 2007 - all the May 2007 dress rehearsal did is to confirm them. Even as the sirens were going off that major trouble was brewing and that urgent action was required to be taken by July 2007 at the very latest, the Census Bureau and especially Gutierrez himself kept their collective heads in the sand, all the while claiming the project was moving along smartly, and that the critics (like me) were unjustifiably bashing the program.

Guess I wasn't, after all.

So, another $2.2 billion to $3 billion will be spent on top of the $11 billion already allocated to complete the census. What the hell, it's only taxpayer money.

Kudos to the Census Bureau for creating yet another case study on how not to manage a large scale software project in government. A classic IT blunder and debacle all rolled into one.

That said, let's hope that Congress demands a thorough, open and detailed analysis of this project be under taken now - before the files are "lost" - and a plan developed outlining how the Census plans to automate the 2020 census actually using for once the lessons learned.

Want to bet that this won't happen?

Air Force To Study Newly Discovered Flying Penguins for Stealth Characteristics

My friends in the UK alerted me to this amazing story and accompanying footage involving the newly discovered species of flying penguins that the BBC released yesterday.

I have been told by sources in the Pentagon that both the BBC and the British government are catching heat from the US Air Force, however, for disclosing the existence of the penguins, which have amazing stealth characteristics and a fantastic ability to generate power from a small wing surface.

Unofficial word is that the British version of the multi-nation F-35 Joint Strike Fighter under-development will be soon be named the Flying Penguins.

RFID Ecosystem Project : RFID Use in Our Future May Not Be Pretty

There is a very interesting article in the Seattle Times about a National Science Foundation funded experiment at the University of Washington called the RFID Ecosystem project. According to the story, a number of University of Washington "students, faculty and staff are being tracked as they move about the computer-science building, with details of where they've been, and with whom, stored in a database."

The point of the exercise is to "explore both positive and negative aspects of a world saturated with technology that can monitor people and objects remotely."

Computer science and engineering Professor Gaetano Borriello says in the article that, "Our objective is to create a future world where RFID is everywhere and figure out problems we'll run into before we get there."

The project has highlighted how easily a person's privacy can be penetrated without their knowing about it - something that governments around the world have started exploiting.

The article, for example, describes how the UK police are increasingly asking for information from London's RFID-based transit cards as well as the governmental activities in southern China, where "the government is installing RFID readers throughout the city of Shenzhen to track movements of citizens, and U.S. companies are helping deploy the technology. Chips in national ID cards contain not just a number, but a person's work history, education, religion, ethnicity, police record and reproductive history."

The article also notes that the Department of Homeland Security requires states to use an RFID chip in driver licenses that is readable from a distance and is compatible with its REAL ID initiative, which Borriello doesn't think is a good idea.

"There's no reason to have remotely readable technology in a driver's license," Borriello is quoted as saying in the article. Instead, he "recommends a system that requires contact with the surface of a reader, so the license-holder knows when information on his license is being read."

If you want to see how RFID may be used in your near-future, go read the story and the other publications at the UW RFID Ecosystem project website.

IEEE Spectrum also had an article last March on the ethics of implanted RFID chips and another in December 2004 on how employers are using surveillance technology to keep an eye on workers.

H-1B Visa Sweepstakes Starts Today


Beginning today, the US government begins accepting applications from employers for the 65,000 H-1B visas for Fiscal Year 2009. According to news reports, "Citizenship and Immigration Services has said it will accept H-1B visa petitions over five business days, ending April 7. In mid-April, the agency will run a computerized lottery to choose about 65,000 petitions."

For the first time, companies are prohibited from filing more than one petition for the same worker.

Reports also indicated that, "The three biggest users of the H-1B program in 2007 were three companies based in India that perform computer and software contract work here using foreign workers, mainly Indian."

"The three companies â'' Infosys Technologies and Wipro of Bangalore, and Satyam Computer Services of Hyderabad â'' accounted for more than 8,500 of the H-1B visas that received preliminary approval in 2007, figures show."

I wonder how many Microsoft is going to apply for?


Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Robert Charette
Spotsylvania, Va.
Willie D. Jones
New York City
Load More