HIV Data Leak Spurs Security Restructuring at Drugmaker

This past February, a Palm Beach County, Fla., health department statistician made a big mistake: He inadvertently sent his colleagues the names of more than 6,600 locals with AIDS and HIV, violating the patients’ privacy and undermining the credibility of an agency dependent on the public’s trust.

The incident resulted from simple human error, and while it embarrassed the county health department and caused distress for the AIDS and HIV patients identified, at least no one died as a result. But data security breaches in the health-care industry can be that serious; information systems managers in the field know that threats—seen and unseen—invest them with a heavy burden to ensure security.

It’s a responsibility that Bob Coates, vice president of technology at FFF Enterprises, a leading distributor of lifesaving vaccines, plasma products and biopharmaceutical products to hospital pharmacies and patients throughout North America, knows full well.

“It’s the intimacy of this data that makes it our biggest technological challenge,” Coates says. “There are always some bad people out there doing some bad things that could put patients’ safety or privacy at risk.”

FFF Enterprises posted sales of more than $500 million in 2004. The Temecula, Calif., company buys flu vaccines and products like albumin, a protein manufactured by the liver that helps maintain patients’ blood pressure following a traumatic injury or burn, from a handful of manufacturers and then resells them via its Web site to more than 80% of all hospital pharmacies in the U.S. It is the world’s largest repository for albumin, which was in high demand following the Sept. 11 attacks in New York and Washington, D.C.

Sandwiched between drug and biopharmaceutical manufacturers and patients, FFF is both a conduit of lifesaving medications and a gold mine of information that would look very tempting to competitors, counterfeiters and potentially even terrorists.

For example, a hacker could attempt to redirect hundreds of shipments of flu vaccines intended for pharmacies and clinics. With a limited amount of vaccine manufactured each flu season, such a disruption could create a serious shortage, leaving infants and seniors vulnerable to a potentially life-threatening illness.

Just this past flu season, a contamination problem at a Chiron facility in England, one that was not technology-related, blocked the distribution of nearly half of the expected U.S. vaccine supply. This sparked a mild panic that had people lining up at clinics and shopping centers around the country, and resulted in limited rationing of the nation’s flu vaccine supply.

And with a relatively small number of manufacturers making the products in question—five plasma manufacturers, three vaccine makers, six producers of biopharmaceutical products—the information contained in the databases of companies like FFF amounts to some critical business intelligence.

Access to these companies’ systems, for example, could reveal how many vials of flu vaccine each manufacturer made, and how many were shipped to each U.S. hospital pharmacy and clinic. If a hacker were so inclined, he or she might alter the data to suppress manufacturing of a vaccine or a plasma product or divert a shipment from a legitimate customer to another location for distribution elsewhere.

To date, Coates says, the company’s vital databases haven’t been compromised, either by external attacks or internal negligence.