http://www.siliconvalley.com/docs/news/svfront/018507.htm

Tuesday, Nov. 6, 2001
BY CHARLES PILLER
Los Angeles Times

Detailed psychological records containing the innermost secrets of at least 62 children and teenagers were accidentally posted on the University of Montana's Web site last week in one of the most damaging violations of privacy over the Internet.

The 400 pages of documents describe patient visits and offer diagnoses by therapists of mental retardation, depression, schizophrenia and other serious conditions. In nearly all cases they contain full names, dates of birth, and sometimes home addresses and schools attended, along with results of psychological testing.

And unlike a medical file left open on a counter in a doctor's office, these electronic medical records, once placed on the Internet, exposed the material to a vast audience who were never intended to see it. It is unclear how many people viewed these records.

``You're talking about sensitive information that could scar a child for life being available to anyone for any purpose,'' said Evan Hendricks, editor of the Privacy Times newsletter.

The mother of an 11-year-old, whose records of an attention-deficit/hyperactivity disorder were posted on the university's Web site, was appalled. ``He's just a kid and he shouldn't have his whole life splattered around for the whole world to know,'' she said. ``It makes me sick.''

The mother declined to be identified. She recalled attending her son's therapy sessions and watching the therapist taking notes in her book, ``and thought maybe that was the extent of it. I guess I was kind of naive about that.''

The medical files were placed on the University of Montana Web site Oct. 29, and were available for eight days until they were removed Monday after a local newspaper, the Missoulian, reported the story, university officials said.

The records were for patients at clinics primarily in Minnesota, as well as Montana and other states.
A University of Montana student, or a university technical employee, may have accidentally placed these private files on the Web site, officials said.

The Montana case is the latest in a series of unauthorized disclosures of medical data over the Internet. Earlier this year, Eli Lilly and Co., maker of the antidepressant Prozac, inadvertently divulged the names and e-mail addresses of 600 psychiatric patients in a bulk e-mail. Similarly, last year Kaiser Permanente errantly sent e-mail with confidential medical information to the wrong Kaiser members.

``That's the danger with having all of these electronic records,'' said Daniel B. Borenstein, a former president of the American Psychiatric Association and a professor at the University of California-Los Angeles. ``If you push the wrong button or put something in the wrong spot on your Web site,'' the result can be ``immediate distribution of a massive amount of private medical information.''

Drugstore records

Last year, a Nevada woman bought a used computer, only to find that its previous owner, a drugstore, had left the pharmacy records of thousands of patients on the machine's storage drive. But the buyer did not disclose the records publicly.

And last year, a computer hacker broke into the medical-records system at the University of Washington Medical Center and gained access to about 4,000 patient records -- although these were not made public.

What sets the Montana situation apart is the age of the patients, the volume of detail disclosed and its placement on a public Web site that allowed complete access to private records.

Therapists whose patients were involved had no idea of the security breach and were stunned by the lapse.

``I'm shocked,'' said Bonnie Carlson-Green, a psychologist at Children's Hospital in St. Paul, Minn., the source of some of the patient records. ``I have no idea how this can happen.
Obviously this information is confidential, and we go to great lengths to keep it confidential.''

Victims of accidental disclosures face steep legal challenges to gain compensation, said Peter Swire, a law professor who was chief privacy counselor for the Clinton administration. Part of the problem is that federal standards for medical-records privacy -- though recently enacted -- will not go into force until 2003.

Legal liability

Posting a private document online, no matter how damaging it may appear, can cause legal liability only if the victim can prove damages in court.

``What if one of the patients has something bad happen to him or her as a result of this disclosure -- if they are turned down for a job later in life?'' Swire said. ``This is where you are open to a suit.''