Medical patient records unintentionally released for anyone to see on the Internet

Ann Arbor, 10 February 1999. Merely by chance, an unsuspecting student at the University of Michigan discovered that thousands of patient records at the University's Medical Center had been left exposed to the public on the Internet. The breach occurred while computer staff at the Medical Center were trying to fix bugs in a software programme installed by HBOC, a hospital information systems provider headquartered in Minneapolis. To give the HBOC experts access to the medical patient records, the University staff decided to put the data on a special server, which everybody presumed to be protected with special passwords.


The student, who preferred to remain anonymous, ran into the sensitive records while using a Medical Center Web site search engine to look up the name of a physician working at the University of Michigan. The results showed clear links to thousands of medical patient records. University officials shut off access to the data as soon as they were informed of the leak through a third party, but nobody was able to tell how long the private files had been available on the Web. It may have been only a few hours or as long as a year.

The 10 MB database consists of patient names, addresses, phone numbers, Social Security numbers, employment status, and treatment records. The file contains the detailed therapy planning for colon cancer, renal failure, pneumonia, and hundreds of other illnesses. The data is used to schedule appointments. Luckily, the records do not serve as proper medical charts, which means they don't include any detailed medical information on the patient. The student tried to notify the Web master of this negligence but, ironically, was denied computer access to the person responsible.

According to Dave Wilkins, spokesman for the University's Medical Center, the database was accessed only a couple of times between the student's discovery and the moment it was removed from the public server. Wilkins admitted that the incident was apparently a case of human error but stressed that the University of Michigan takes patient confidentiality very seriously and locks private data down. Normally, this type of information is encrypted, but in this case the HBOC experts needed to handle the actual data because the software problems had to do with the presentation of the data.

Scott Sanders, field director for the Consumer Coalition of the Health Privacy Project at Georgetown University, is currently trying to build a framework to protect patients' privacy on the Internet. Surprisingly, there is no federal law in the United States protecting the privacy of medical records. However, the Health Insurance Portability and Accountability Act of 1996 includes the mandate that a privacy law should be passed before the deadline, which is set for August 21st 1999. Several bills to that effect were introduced in Congress last year.

A report written in January 1999 for the California HealthCare Foundation by the Institute for the Future states that medical records privacy is critical to a future of networked health care. The study also showed that one in six persons chooses not to consult a physician, refusing to disclose a medical condition for fear of a lack of privacy. For the very same reason, a large number of patients prefer to switch doctors frequently. Robert Mittman, co-author of the report, seriously doubts that sufficient solutions will be identified within the next five years to safely encourage the general use and widespread adoption of electronic medical patient records.


Leslie Versweyveld
