Wednesday, May 23, 2007

Incident: Private medical records of Colorado residents exposed on Internet

From Minnesota public radio:
MPR: wavLength: Private medical records of Colorado residents exposed on Internet Private medical records of Colorado residents exposed on Internet

Posted at 10:03 PM on May 22, 2007 by Jon Gordon

On Friday's Future Tense, you'll hear this story:

As medical records are created and transmitted electronically more and more, the chance of private information falling into the wrong hands is growing. Sometimes records are stolen by hackers, other times just improperly secured. Compromised records can lead to a range of problems, from loss of employment to identity theft to plain old embarrassment.

Future Tense has discovered that detailed, personally identifiable medical records of thousands of Colorado residents were viewable on a publicly accessible Internet site for an uncertain period of time through at least last Friday, May 18. The data included patient records from at least 10 Colorado clinics and hospitals, and one hospital in Peoria, Illinois. It's unclear how many people may have seen the records.

Experts say the case likely runs afoul of federal health information privacy laws, even though there is no evidence that the records were misused.

The unsecured computer, which was accessible through a Web browser, was operated by Beacon Medical Services of Aurora, Colorado, which provides billing, coding and other services to emergency physicians at 17 facilities.

Beacon CEO Dennis Beck says he was shocked to learn about the breach and that the company took immediate steps to correct it.

"We've implemented a culture of compliance and data security and it just did not seem consistent with our culture, our practice and our experience," he said.

The medical records resided on an FTP server. FTP stands for File Transfer Protocol. It's a means by which users send and receive computer files over the Internet or private networks. In Beacon's case - and this is typical of the industry - health care providers sent encrypted data to the server for Beacon to access so it could bill patients and insurance companies. The data was unencrypted on Beacon's end, and the FTP server was not supposed to be accessible to the public. But in this case it was. No username or password was required to view the records.

The data included details of patients' visits to emergency rooms -- what ailments they complained of, diagnoses and treatments, and medical histories, along with the patients' names, occupations, addresses, phone numbers, insurance providers, and in some cases, Social Security numbers. Some of the records detailed sensitive cases, from sexually transmitted diseases to severe depression. The site also contained financial information, such as a list of low-income patients who received state aid to help pay their medical bills.

Beacon has employed two firms to help investigate what led to the security hole.

"It appears to us now at this point as if there was some back door that was opened to this server," said Beck. "We don't know when, but we believe it may have been done when a consultant did some work for us several years ago."

The company is trying to determine the exact number of patients affected, but Beck says the number looks to be fewer than 5,000.

Future Tense discovered the Beacon site after a tip from a source who stumbled upon it. We followed up on the tip, staying just long enough to confirm the existence of the records and get an idea what kind of data they contained. We notified several health care providers whose patient data was exposed. Those providers informed Beacon, which promptly shut the server down when it learned of the problem.

Bill Byron is spokesman for Banner Health Corporation, the parent company of McKee Medical Center of Loveland, Colorado, one of the providers whose data was included on the FTP site. Byron said McKee physicians won't transmit any more records to Beacon
until they're satisfied the security problem is fixed.

"We're trying to understand what our obligations are going to be, in terms of disclosing to patients that this has occurred, so that's still in process, to determine what we have to do," he said.

The Colorado medical records incident appears to be a serious violation of federal law governing medical record privacy, according to Janlori Goldman, director of the Health Privacy Project at Georgetown University.

"Large-scale breaches like this are not uncommon," she said. "They may not happen every day but they happen enough that you have to wonder, why aren't people taking greater care with this information?"

About a year ago, for example, a data security breach exposed medical information and Social Security numbers of some 26 million veterans after data was stolen from the home of an employee of the Department of Veterans Affairs.

Tomorrow on Future Tense, we'll explore the potential harm of compromised medical records, and at the federal law designed to protect patients. One critic of current law says patients have very little recourse when their most sensitive medical records become public.

Here is a list of physician groups, clinics and hospitals which had data of various kinds on the exposed site:

-McKee Medical Center of of Loveland, CO
-Big Thompson Emergency Physicians of Longmont, CO
-Presbyterian St. Luke's Hospital of Denver
-North Suburban Medical Center of Thornton, CO
-Carepoint Emergency Physicians of the greater Denver area
-Long's Peak Emergency Physicians
-Longmont United Hospital
-Boulder Community Hospital
-Emergency Medical Specialists PLC
-Memorial Hospital of Colorado Springs
-Proctor Hospital of Peoria, IL

No comments: