[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Lessons from the Florida incident
Here are some excerpts from the 9/20 AP story about the Florida incident
first reported here by David Lesher:
William B. Calvert III, one of only three state Department of
Health and Rehabilitative Services employees with authorized
access to the nearly 4,000 names, was on paid suspension Thursday
as the Florida Department of Law Enforcement and HRS looked into
the security breach at the Pinellas County health department.
Copies of a computer disk with the names of AIDS patients were
shipped anonymously to The Tampa Tribune and St. Petersburg
Times. The sender said Calvert, 35, of Treasure Island, dropped
it after showing it to friends at a gay bar.
The information is kept under several different lock systems, in
a locked room, with a secret password access, Fulton-Jones said.
The state health department keeps track of treatment provided the
patients listed and turns that information over to the federal
``These people were told when they came forward `We'll keep your
name confidential in the public health department,''' added Coburn.
Neither newspaper plans to publish or otherwise use the names.
Florida is among 26 states with mandatory name reporting for
``When state legislators passed the law they were full of
assurances this could not, would not, would never happen. <snip>
Last winter, I posted an article to med-privacy predicting this kind
of security breach must someday occur on a national level if we have
national level databases. A number of readers thought it was silly.
Now we have a real life incident to illustrate the risk.
The AIDS patients were lucky in three respects.
a) The man had access to only 4,000 names. A few years from now with
more large compatible, interoperable, networked databases, he might
have had authorized access to 4,000,000 or even 300,000,000 records.
b) The man was not sophisticated enough to post the stolen information
to the Internet. Had he done so, there probably would have been
10,000 replications of the information in computers all over the
world before anyone noticed. It would be impossible to retract.
c) The newspapers chose not to print it, although they had a
first amendment right to do so. Laws and penalties would
seem to be ineffective here. Neither the man who found
the disk nor the newspaper are subject to penalties under
any existing or proposed laws if they had disclosed it.
(At least laws that I know of.) If the disk had 4 million
names and a tabloid had offered $40 milion for it, perhaps the
newspaper's ethics might have been more strained.
In the spirit of debate, and in the context of this real life incident,
I'd like to throw out two challenges to readers of this list.
1) If you are working on any health care information delivery system,
any regulation, law, or national standard that would prevent breaches
similar to the Florida one, please let us know.
2) Refute the following assertions.
We are moving from an age in which privacy of medical records was
an inherent property of chaos, diversity, and archaic record
keeping systems, toward a modern system of efficient, interoperable,
computer databases. In the old system, it was easy and legal to
disclose a few records, but impractical, in a single act, to steal
millions. These natural protections are to be replaced by
statutes, assurances, safeguards, and technological wizardry.
Mr. Gellman, a frequent contributor here, is fond of pointing out
that the status quo provides no federally mandated safeguards, and
that some protections are better than none. This sounds true on its
face, but central databases pose more new dangers than the proposed
new laws provide in the balance. It is technology, not government,
that is causing the new privacy challenges, but it is government to
which we must look for protection.
Security safeguards [hopefully] make security breaches few and far
between. Few means nonzero, and private information, once disclosed
can never be recalled. Thus the probability of eventual disclosure
is one, i.e. certainty.
The ONLY way to mitigate the damage of a breach is to limit the
information stored in the first place. We must limit both in kind
and in volume the confidential information available to one person,
or to one location, or to one transaction. All future legislation
designed to help protect our privacy should include this principle.
Dick Mills O- http://www.albany.net/~dmills
"The well-bred contradict other people. The wise contradict themselves."