Security Potholes on the Health Care Highway

When a hacker broke into patient files at the University of Washington Hospital in May 2000, the intrusion was not the first time electronic medical records (EMR) had fallen into the wrong hands. Here are other examples from 1997 through 2000 that got noticed. Because security research firms have repeatedly found that most breaches go unreported, hospital and network administrators should assume these few examples understate the true scope of the problem:

  • A convicted child molester gained access to about 1,000 computerized patient records while working as an orthopedic assistant. He used another employee’s password to get into the medical records system, so any access log attributed his lookups to that employee rather than to him. With the information in hand, he began phoning young girls who had been treated at the facility.

  • A movie star checked into a “prestigious hospital” somewhere in the Northeast for a medical procedure. Curious clinical staffers opened the star’s records on the hospital’s network for their own amusement. The intrusions were discovered only when an audit of network traffic flagged an unusually large number of hits on that one record. The investigation led to the dismissal or reprimand of more than 50 hospital employees who had opened the star’s file without a need to know or proper authorization.

  • University of Michigan Medical Center electronic records accidentally ended up in a publicly accessible directory on the university’s Web site. The exposure was not discovered until a student looking for information about a particular doctor stumbled into the directory containing the patient records.

  • Records of 20 patients at Providence Alaska Medical Center were accidentally posted on the hospital’s public Web site.

  • Kaiser Permanente inadvertently sent confidential health information for 858 patients to the wrong e-mail addresses.

  • Pharmaceutical maker Eli Lilly accidentally revealed the e-mail addresses of nearly 700 Prozac users. The patients had signed up on a company Web site for a daily e-mail reminder to take their medication. When the company discontinued the service, it sent the announcement to all subscribers in a single message with every address in the visible recipient header rather than as a blind copy. There, in each recipient’s e-mail headers, were the addresses of all the other Prozac users on the list.

  • In Maryland, eight Medicaid clerks were prosecuted for selling computerized records of recipients’—and their dependents’—financial disclosure information to sales reps from managed care companies.

  • The networks are “open.” Peter Shipley, a Berkeley, Calif., computer security consultant, dialed random phone numbers at a rate of 500 per hour, 1.4 million in all, searching for modems that would answer. He found nearly 14,000 that picked up ready to talk to his computer. Several were at clinics or doctors’ offices, and one turned out to be at a major East Bay medical facility. Legally, Shipley could probe these systems no deeper, but he said he had little doubt that they would have presented little challenge to an experienced hacker.

    SOURCES: HEALTH PRIVACY PROJECT, GEORGETOWN UNIVERSITY; BASELINE INTERVIEW
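The movie-star incident above was caught only because an audit noticed one record drawing far more hits than its neighbours. The following is an added example, not code from the article or from any hospital named in it, of what that audit logic looks like when run over an EMR access log. The log format (timestamp, user, patient ID, action), the usernames, the patient IDs, the care-team table and the thresholds are all constructed for illustration.

```python
"""Flag patient records opened by anomalously many distinct users, then
list which of those users had no treating relationship with the patient.

Everything below (log format, users, patient IDs, care teams) is a
constructed example; thresholds are illustrative, not a product setting.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample audit trail: "timestamp user patient_id action".
# P1001..P1004 see ordinary care-team traffic; P9000 is the "celebrity"
# record that a dozen staff open once out of curiosity.
SAMPLE_LOG = """\
2000-05-02T08:01:10 u.nurse12 P1001 VIEW
2000-05-02T08:05:44 u.md07 P1001 VIEW
2000-05-02T08:07:02 u.nurse12 P1002 VIEW
2000-05-02T08:09:31 u.md03 P1002 VIEW
2000-05-02T08:12:15 u.clerk02 P1003 VIEW
2000-05-02T08:15:50 u.md03 P1003 UPDATE
2000-05-02T08:20:05 u.nurse04 P1004 VIEW
2000-05-02T09:00:00 u.md07 P9000 VIEW
2000-05-02T09:02:00 u.nurse12 P9000 VIEW
"""
# Twelve more hypothetical staff accounts each open P9000 exactly once.
CURIOUS = [f"u.staff{n:02d}" for n in range(1, 13)]
SAMPLE_LOG += "".join(
    f"2000-05-02T09:{5 + n:02d}:00 {user} P9000 VIEW\n"
    for n, user in enumerate(CURIOUS)
)

# Constructed treating-relationship table: who may legitimately open what.
CARE_TEAMS = {
    "P1001": {"u.nurse12", "u.md07"},
    "P1002": {"u.nurse12", "u.md03"},
    "P1003": {"u.clerk02", "u.md03"},
    "P1004": {"u.nurse04"},
    "P9000": {"u.md07", "u.nurse12"},
}


def parse_log(text):
    """Yield (timestamp, user, patient, action); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2], parts[3]


def users_per_record(text):
    """Map each patient record to the set of distinct users who touched it."""
    seen = defaultdict(set)
    for _, user, patient, _ in parse_log(text):
        seen[patient].add(user)
    return seen


def flag_popular_records(text, min_users=5, factor=3.0):
    """Return {patient: users} for records with unusually many distinct viewers.

    A record is flagged when its distinct-user count is at least `min_users`
    and at least `factor` times the median across all records, so a single
    busy ward does not trip the alert on its own.
    """
    seen = users_per_record(text)
    if not seen:
        return {}
    baseline = median(len(users) for users in seen.values())
    limit = max(min_users, factor * baseline)
    return {p: users for p, users in seen.items() if len(users) >= limit}


def unauthorized_viewers(flagged, care_teams):
    """For each flagged record, sort out viewers with no care relationship."""
    return {p: sorted(users - care_teams.get(p, set()))
            for p, users in flagged.items()}


if __name__ == "__main__":
    flagged = flag_popular_records(SAMPLE_LOG)
    for patient, users in unauthorized_viewers(flagged, CARE_TEAMS).items():
        print(f"{patient}: {len(users)} viewers without a care relationship: {users}")
```

Comparing against a median rather than a fixed number keeps the check meaningful on a ward where every record is legitimately busy; the care-team lookup is what turns "popular record" into a list of names for the investigation that followed in the incident above.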
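The Eli Lilly disclosure above is the classic mailing-list mistake: every subscriber in the visible recipient header. As an added example that is not Eli Lilly's code or the article's, the block below builds the leaky message beside the corrected one, which keeps the subscriber list in the SMTP envelope only. The sender and subscriber addresses are constructed, and `leaked()` is a helper written for this example.

```python
"""Mass mailing: addresses in To: (leaks the list) versus envelope-only
delivery (does not). Addresses below are constructed for the example."""
from email.message import EmailMessage

SENDER = "reminders@example.com"  # hypothetical service address
SUBSCRIBERS = ["alice@example.com", "bob@example.net", "carol@example.org"]


def build_leaky(recipients, body):
    """The mistake: the whole list goes into To:, so each recipient sees
    every other recipient in the delivered headers."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = "Service discontinued"
    msg.set_content(body)
    return msg


def build_safe(recipients, body):
    """The fix: no subscriber address in any header at all.

    To: carries an empty group address, and the real list is returned
    separately so the caller passes it as the SMTP envelope, e.g.
    smtplib.SMTP(host).send_message(msg, from_addr=SENDER, to_addrs=envelope).
    Putting the list in a Bcc: header instead would also work with
    smtplib.send_message (it strips Bcc before sending), but keeping it out
    of the message object entirely removes the chance of forgetting that.
    """
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = "undisclosed-recipients:;"
    msg["Subject"] = "Service discontinued"
    msg.set_content(body)
    envelope = list(recipients)
    return msg, envelope


def leaked(msg, recipients):
    """Which of `recipients` a reader can find in the message headers."""
    headers = "\n".join(f"{name}: {value}" for name, value in msg.items())
    return sorted(addr for addr in recipients if addr in headers)


if __name__ == "__main__":
    body = "The daily reminder service has been discontinued."
    print("leaky:", leaked(build_leaky(SUBSCRIBERS, body), SUBSCRIBERS))
    safe_msg, envelope = build_safe(SUBSCRIBERS, body)
    print("safe :", leaked(safe_msg, SUBSCRIBERS), "-> envelope:", envelope)
```

The check to add to any bulk-mail job is the `leaked()` test run against the final message object just before it is handed to the mail transport; it catches the case where a later edit quietly moves the list back into To: or Cc:.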