[ISN] Kids' psychological records mistakenly put online by university

From: InfoSec News (isnat_private)
Date: Thu Nov 08 2001 - 04:12:22 PST

    http://www.siliconvalley.com/docs/news/svfront/018507.htm
    
    Tuesday, Nov. 6, 2001 
    BY CHARLES PILLER
    Los Angeles Times 
    
    Detailed psychological records containing the innermost secrets of at
    least 62 children and teenagers were accidentally posted on the
    University of Montana's Web site last week in one of the most damaging
    violations of privacy over the Internet.
    
    The 400 pages of documents describe patient visits and offer diagnoses
    by therapists of mental retardation, depression, schizophrenia and
    other serious conditions. In nearly all cases they contain full names,
    dates of birth, and sometimes home addresses and schools attended,
    along with results of psychological testing.
    
    And unlike a medical file left open on a counter in a doctor's office,
    these electronic medical records once placed on the Internet exposed
    the material to a vast audience who were never intended to see them.
    It is unclear how many people viewed these records.
    
    ``You're talking about sensitive information that could scar a child
    for life being available to anyone for any purpose,'' said Evan
    Hendricks, editor of the Privacy Times newsletter.
    
    The mother of an 11-year-old, whose records of an
    attention-deficit/hyperactivity disorder were posted on the
    university's Web site, was appalled. ``He's just a kid and he
    shouldn't have his whole life splattered around for the whole world to
    know,'' she said. ``It makes me sick.''
    
    The mother declined to be identified. She recalled attending her son's
    therapy sessions and watching the therapist taking notes in her book,
    ``and thought maybe that was the extent of it. I guess I was kind of
    naive about that.''
    
    The medical files were placed on the University of Montana Web site
    Oct. 29, and were available for eight days until they were removed
    Monday after a local newspaper, the Missoulian, reported the story,
    university officials said. The records were for patients at clinics
    primarily in Minnesota, as well as Montana and other states. A
    University of Montana student, or a university technical employee, may
    have accidentally placed these private files on the Web site,
    officials said.
    
    The Montana case is the latest in a series of unauthorized disclosures
    of medical data over the Internet.
    
    Earlier this year, Eli Lilly and Co., maker of the antidepressant
    Prozac, inadvertently divulged the names and e-mail addresses of 600
    psychiatric patients in a bulk e-mail. Similarly, last year Kaiser
    Permanente errantly sent e-mail with confidential medical information
    to the wrong Kaiser members.
    
    ``That's the danger with having all of these electronic records,''
    said Daniel B. Borenstein, a former president of the American
    Psychiatric Association and a professor at the University of
    California-Los Angeles. ``If you push the wrong button or put
    something in the wrong spot on your Web site,'' the result can be
    ``immediate distribution of a massive amount of private medical
    information.''
    
    
    Drugstore records
    
    Last year, a Nevada woman bought a used computer, only to find that
    its previous owner, a drugstore, had left the pharmacy records of
    thousands of patients on the machine's storage drive. But the buyer
    did not disclose the records publicly.
    
    And last year, a computer hacker broke into the medical-records system
    at the University of Washington Medical Center and gained access to
    about 4,000 patient records -- although these were not made public.
    
    What sets the Montana situation apart is the age of the patients, the
    volume of detail disclosed and its placement on a public Web site that
    allowed complete access to private records.
    
    Therapists whose patients were involved had no idea of the security
    breach and were stunned by the lapse.
    
    ``I'm shocked,'' said Bonnie Carlson-Green, a psychologist at
    Children's Hospital in St. Paul, Minn., the source of some of the
    patient records. ``I have no idea how this can happen. Obviously this
    information is confidential, and we go to great lengths to keep it
    confidential.''
    
    Victims of accidental disclosures face steep legal challenges to gain
    compensation, said Peter Swire, a law professor who was chief privacy
    counselor for the Clinton administration. Part of the problem is that
    federal standards for medical-records privacy -- though recently
    enacted -- will not go into force until 2003.
    
    
    Legal liability
    
    Posting a private document online, no matter how damaging it may
    appear, can cause legal liability only if the victim can prove damages
    in court.
    
    ``What if one of the patients has something bad happen to him or her
    as a result of this disclosure -- if they are turned down for a job
    later in life?'' Swire said. ``This is where you are open to a suit.''
    
    
    
    


