According to an AP story over the weekend, the medical records of some 300,000 Californians who had applied for California workers' compensation benefits were discovered to have been left exposed unwittingly on a publicly accessible Web site.
Apparently, the information was placed on an internal Web site by Southern California Medical-Legal Consultants, a California company that represents medical providers in the recovery of billing from workers' compensation insurance carriers. The AP story stated that the information, which included people's names and social security numbers as well as details about their medical conditions, was not encrypted and didn't require a password to be accessed; nor were search engines kept from indexing the Web pages where the information resided.
Since the company thought the information could only be accessed by its employees and it wasn't linked to any of the company's public Web site pages, no one thought much about it. That was until, as described in a company press release dated the 12th of June:
"The company was notified of the possible breach by a data security firm that discovered some of the files using a sophisticated, automated search of Google indexes."
However, the person at the above-mentioned data security firm—Aaron Titus of Identity Finder—told the AP that what he did was not very sophisticated at all, and that the information was:
"available to anyone in the world with half a brain and access to Google."
Mr. Titus also likened the breach to a "case of felony stupidity."
The basic issue raised in the AP story is that the IT security knowledge and skills of many organizations involved in the capture, storage, analysis, or communication of electronic medical information have generally not kept up with evolving security threats, and the situation doesn't look like it is going to get any better any time soon. As a May New York Times article noted, the "personal medical records of at least 7.8 million people have been improperly exposed" over the past two years.
The Times article noted that the inspector general of the Department of Health and Human Services "had found dozens of vulnerabilities in systems to protect records of patients at seven large hospitals in New York, California, Illinois, Texas, Massachusetts, Georgia, and Missouri. Auditors cited such problems as personal information that was not encrypted and was stored on computers that could be easily used by unauthorized users."
That "improperly exposed" number is expected to rise—possibly significantly—as electronic medical records become more widely used across the US. A recurring question has been whether the 165,000 or so small physician offices in the US that have fewer than 10 employees including the doctor(s) will be able to internally acquire or pay for the IT security skills needed to keep their electronic medical record systems safe, not only now but also against future threats. Given, as the Times article indicates, that hospitals with far more IT resources are having a hard time with IT security, the answer doesn't look promising.
Security questions are also being raised about Australia's proposed AU $466 million national electronic health record system. According to a story over the weekend in The Australian, nearly half of Australians may end up "boycotting the voluntary system when it launches in July next year amid concerns the government may find it impossible to guarantee private medical details remain private."
Supporters of the new national EHR system are confident that it will indeed adequately protect a patient's medical information, but they also agree that the Australian government has to become more active in convincing citizens of that fact. How can this be done?
According to the story in The Australian, the government simply has to remind people, says Melbourne GP Mukesh Haikerwal, who heads the Clinical Leadership team for the National E-Health Transition Authority and is chair of the World Medical Association, that the new system:
"is much safer than having a fax hanging around the GP surgery that's just come from the clap clinic."
Does that happen a lot in GP surgeries in Australia?
Of course, inadvertent data breaches aren't confined to the medical arena either. Just a week ago, Yale University announced that personal information including the names and Social Security numbers of 43,000 people who worked for Yale in 1999 was accessible via Google search for the past 10 months.
As described in a Yale Daily News article from last week,
"The information was stored on a file transfer protocol (FTP) server used primarily for open source materials... In September 2010, Google modified its search engine to be capable of finding and indexing FTP servers...but ITS [Information Technology Services] was not aware of this change...since discovering that the file was accessible, ITS has confirmed that other search engines, such as Yahoo!, do not index FTP servers."
I don't know whether Mr. Titus would describe Yale's case as one of "felony stupidity" too, but it does point out that personal data can be exposed in many, ever-changing ways of which even experienced IT organizations may not fully be aware.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.