Data spill shows risk of online health records


Associated Press

SAN FRANCISCO

Until recently, medical files belonging to nearly 300,000 Californians sat unsecured on the Internet for the entire world to see.

There were insurance forms, Social Security numbers and doctors’ notes. Among the files were summaries that spelled out, in painstaking detail, a trucker’s crushed fingers, a maintenance worker’s broken ribs and one man’s bout with sexual dysfunction.

At a time of mounting computer hacking threats, the incident offers an alarming glimpse at privacy risks as the nation moves steadily into an era in which every American’s sensitive medical information will be digitized.

Electronic records can lower costs, cut bureaucracy and ultimately save lives. The government is offering bonuses to early adopters and threatening penalties and cuts in payments to medical providers who refuse to change.

But there are not-so-hidden costs with modernization.

“When things go wrong, they can really go wrong,” says Beth Givens, director of the nonprofit Privacy Rights Clearinghouse, which tracks data breaches. “Even the most well-designed systems are not safe. ... This case is a good example of how the human element is the weakest link.”

Southern California Medical-Legal Consultants, which represents doctors and hospitals seeking payment from patients receiving workers’ compensation, put the records on a website that it believed only employees could use, owner Joel Hecht says.

The personal data were discovered by Aaron Titus, a researcher with Identity Finder who then alerted Hecht’s firm and The Associated Press. He found it through Internet searches, a common tactic for finding private information posted on unsecured sites.

The data were “available to anyone in the world with half a brain and access to Google,” Titus says.

Titus says Hecht’s company failed to use two basic techniques that could have protected the data — requiring a password and instructing search engines not to index the pages. He called the breach “likely a case of felony stupidity.”

When mistakes occur, the fallout can be more severe than the typical breach of email addresses or credit-card numbers.

In the wrong hands, health records can be used for blackmail and public humiliation. The information can also be used by insurance companies to inflate rates, or by employers to deny job applicants.

Usually when personal data are exposed, it’s the result of a network break-in by a hacker or a theft of computer equipment. Leaks are more likely the more data are passed around within the health industry’s interconnected networks.