http://www.indystar.com/apps/pbcs.dll/article?AID=/20061025/BUSINESS/610250481/

By Daniel Lee
daniel.lee (at) indystar.com
October 25, 2006

Dennis Morris guards his personal information carefully. The Beech Grove resident shreds documents containing his Social Security number.

"It's just too easy to get somebody's information and cause them trouble," he said.

He wishes others were as vigilant.

Morris and about 260,000 Indiana and Illinois patients of Sisters of St. Francis Health Services-owned hospitals recently were notified that their personal information -- names and Social Security numbers -- had been potentially exposed.

An outside contractor working with the Mishawaka-based hospital system, which operates hospitals in Indianapolis and elsewhere in Indiana, inadvertently left compact discs containing the confidential patient-billing information in a new computer bag she purchased but later returned to a store.

The hospital and the contractor, Advanced Receivables Strategy, or ARS, say they don't believe patients' information was compromised.

Still, the incident raised the ire of potential victims and security advocates. It also raised unsettling questions about the security of people's sensitive information in today's computerized world.

"I think it's kind of moronic that someone would casually take this kind of information out of this place of business," Morris said. "It doesn't make any sense in this day and age."

St. Francis was notified of the problem in July, but it didn't send out letters to patients until recent days.

Kay Johnson, a St. Francis spokeswoman, said people were not notified sooner because the hospital wanted to thoroughly investigate the matter first, and that took time because it involved outside counsel and auditors making sure any notification was complete and did not violate privacy laws.

Computer security and privacy experts say such incidents are all too common among businesses and organizations handling personal information.

Such incidents, they said, can be avoided if organizations have set policies in place, follow them and make sure that any outside contractors also adhere to those practices.

"Everybody's bad and everybody's sloppy," said Bruce Schneier, founder of Counterpane, a Silicon Valley computer security company.

In this case, it appears not all policies were followed for the handling of patients' information. Johnson said the personal information on the discs was not encrypted, or electronically scrambled to keep unauthorized users from accessing the data. She said St. Francis and ARS have policies requiring that such data be encrypted.

The incident is the latest in a string of consumers having their sensitive information potentially exposed. Some are cases of hackers illegally gaining access to networks, but many others are simple cases of laptops or computer files being misplaced or stolen.

In this case, a Presbyterian minister who purchased the bag containing the CDs promptly notified St. Francis.

As more and more health-care providers move to electronic medical records -- which often include people's financial and medical information -- the stakes are high.

The CDs contained information such as names and Social Security numbers for about 260,000 patients and about 6,200 employees, board members and physicians associated with Sisters of St. Francis Health Services and Greater Lafayette Health Services.

In its letter to patients, ARS said it had notified the three major credit reporting agencies -- Equifax, Experian and TransUnion -- about the incident. Nashville, Tenn.-based ARS also said consumers have a right to ask one of these agencies to place a fraud alert, which requires the agencies to provide consumers with a free credit report and future reports.

Although both organizations say they regret the mistake, neither is talking much about it.

"The letter clearly explains the situation, and we're very sorry for the incident," said Joe Cohen, a spokesman for ARS, which is owned by Texas-based Perot Systems Corp.

Experts, including Schneier, say it seems unlikely this incident would result in identity theft, given that the CDs were returned. Others worried about the time the CDs were unaccounted for.

"But it's really impossible to tell whether the information was breached," said Tena Friery, research director of the Privacy Rights Clearinghouse, a San Diego advocacy group. She pointed to the three-day lag from when the bag was returned to the store until it was purchased by the minister.

The federal Health Insurance Portability and Accountability Act, or HIPAA, was designed to help protect people's medical privacy. However, Friery said, HIPAA does allow information to be disclosed to a hospital's business associates, ARS in this case.

"It doesn't require any oversight by the hospital for the data while it's in the possession of the person who's performing services for the hospital," she said.

Ira Winkler, a security expert, questioned the wisdom of such an arrangement.

"Why does a contractor have to download all that data to CDs and carry it around?" asked Winkler, author of "Spies Among Us," a book about risk management and corporate espionage. "When you have to deal with hundreds of thousands of people's identity information, you have to judge what is the risk. And the risk is too great to allow that volume of data to be downloaded."

Morris, the Beech Grove resident who received the warning letter, just hopes he can rely on the hospital's and vendor's assurances that theft of his identity was highly unlikely.

"Hopefully they're right," he said. "But how can I trust someone I don't know telling me, 'Don't worry.' . . . I won't feel comfortable for six months to a year."