[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Lessons from the Florida incident

  Here are some excerpts from the 9/20 AP story about the Florida incident
  first reported here by David Lesher:
     William B. Calvert III, one of only three state Department of
     Health and Rehabilitative Services employees with authorized
     access to the nearly 4,000 names, was on paid suspension Thursday
     as the Florida Department of Law Enforcement and HRS looked into
     the security breach at the Pinellas County health department.
     Copies of a computer disk with the names of AIDS patients were
     shipped anonymously to The Tampa Tribune and St. Petersburg
     Times. The sender said Calvert, 35, of Treasure Island, dropped
     it after showing it to friends at a gay bar.
     The information is kept under several different lock systems, in
     a locked room, with a secret password access, Fulton-Jones said.
     The state health department keeps track of treatment provided the
     patients listed and turns that information over to the federal
     ``These people were told when they came forward `We'll keep your
     name confidential in the public health department,''' added Coburn.
     Neither newspaper plans to publish or otherwise use the names.
     Florida is among 26 states with mandatory name reporting for
     ``When state legislators passed the law they were full of
     assurances this could not, would not, would never happen. <snip>
  Last winter, I posted an article to med-privacy predicting this kind
  of security breach must someday occur on a national level if we have 
  national level databases.  A number of readers thought it was silly.  
  Now we have a real life incident to illustrate the risk.
  The AIDS patients were lucky in three respects.
  a) The man had access to only 4,000 names.  A few years from now with
     more large compatible, interoperable, networked databases, he might 
     have had authorized access to 4,000,000 or even 300,000,000 records.
  b) The man was not sophisticated enough to post the stolen information
     to the Internet.  Had he done so, there probably would have been
     10,000 replications of the information in computers all over the
     world before anyone noticed.  It would be impossible to retract.
  c) The newspapers chose not to print it, although they had a
     first amendment right to do so.  Laws and penalties would
     seem to be ineffective here. Neither the man who found 
     the disk nor the newspaper are subject to penalties under
     any existing or proposed laws if they had disclosed it. 
     (At least laws that I know of.) If the disk had 4 million
     names and a tabloid had offered $40 milion for it, perhaps the 
     newspaper's ethics might have been more strained.
  In the spirit of debate, and in the context of this real life incident,
  I'd like to throw out two challenges to readers of this list.
  1) If you are working on any health care information delivery system,
     any regulation, law, or national standard that would prevent breaches
     similar to the Florida one, please let us know.
  2) Refute the following assertions.
     We are moving from an age in which privacy of medical records was
     an inherent property of chaos, diversity,  and archaic record 
     keeping systems, toward a modern system of efficient, interoperable,
     computer databases.  In the old system, it was easy and legal to
     disclose a few records, but impractical, in a single act, to steal 
     millions.  These natural protections are to be replaced by 
     statutes, assurances, safeguards, and technological wizardry.  
     Mr. Gellman, a frequent contributor here, is fond of pointing out
     that the status quo provides no federally mandated safeguards, and
     that some protections are better than none.  This sounds true on its 
     face, but central databases pose more new dangers than the proposed
     new laws provide in the balance.  It is technology, not government, 
     that is causing the new privacy challenges, but it is government to 
     which we must look for protection.
     Security safeguards [hopefully] make security breaches few and far
     between.  Few means nonzero, and private information, once disclosed 
     can never be recalled.  Thus the probability of eventual disclosure
     is one, i.e. certainty.
     The ONLY way to mitigate the damage of a breach is to limit the 
     information stored in the first place.  We must limit both in kind 
     and in volume the confidential information available to one person, 
     or to one location, or to one transaction.  All future legislation 
     designed to help protect our privacy should include this principle.
  Dick Mills                    O-      http://www.albany.net/~dmills 
  "The well-bred contradict other people. The wise contradict themselves." 
  - Wilde