KP patient data exposed online

[David Farber <dave () farber net>]

------ Forwarded Message
From: kelley <kelley () rakfoundry com>
Date: Wed, 16 Mar 2005 17:54:48 -0500
To: <dave () farber net>
Subject: KP patient data exposed online

Dave,

For the IP list, if you wish. Add another to the pile!



Kelley

Ink Works: security awareness training and more
http://www.inkworkswell.com
+1 (727) 942-9255


http://www.computerworld.com/printthis/2005/0,4814,100420,00.html


Kaiser Permanente patient data exposed online
The company is pointing a finger at a former employee
 
MARCH 16, 2005 (COMPUTERWORLD) - A disgruntled former employee at Kaiser
Permanente, a health maintenance organization in Oakland, Calif., posted a
link to a Web site containing the personal information of 140 Kaiser
patients -- an effort, she said, to call attention to a potential breach of
privacy laws by the company.

The company is now seeking a restraining order in Alameda County Superior
Court against the woman, known as the "Diva of Disgruntled," who posted the
information on her Web log, according to Kaiser spokesman Matthew
Schiffgens.

Schiffgens said the woman continued to post the information despite a
cease-and-desist request from Kaiser, which learned about her allegations
in January from the U.S. Office of Civil Rights -- the enforcement arm
under the Health Insurance Portability and Accountability Act. The federal
agency began looking into the matter after the woman filed a complaint with
it.

The company is investigating whether it had a hand in exposing the data.

According to Schiffgens, the data exposed included contact information such
as names, addresses and telephone numbers, as well as medical record
numbers that are unique identifiers within Kaiser Permanente. For a very
small portion of the HMO's members, some routine lab information was also
posted, he said.

Kaiser is now contacting the affected patients while it tries to determine
on its own how the patient information became public. The former employee,
whose first name is Elisa, said she stumbled on it while doing a search for
information about the company; Schiffgens denied that the data would have
been publicly available.

"We're aware of the individual's allegations as to Kaiser Permanente
posting this information to the Web," he said. "Our investigations have not
been able to determine that, and we continue to investigate how this
information came into her possession. What I can say is that Kaiser had a
Web site that made various different schematics available so that remote IT
people could do their work and see the schematics of the systems they were
working on."

Elisa, who described herself in an e-mail message to Computerworld as a
former "Web coordinator" for the HMO, claimed that the Web site she found
contained diagrams of Kaiser systems, as well as the confidential patient
data. In fact, she said she accessed the site using Google.

"I had been trying to dispute my termination, but Kaiser would not allow
[me] access to any of the documentation I needed," said Elisa, who was
terminated in June 2003. "I was searching online for any information I
could find. My former manager's name is on the systems diagrams, so they
came up in the course of research. There was no hacking involved."

Schiffgens said the diagrams, which at time were not behind a firewall or
password-protected, were related to an application that generated letters
for the lab reporting system. "The lab system itself was behind our
firewall and was password-protected," he said.

The Web site showing the system diagrams is also now behind the firewall
and password protected, he said.

Schiffgens also said the schematics had nothing to do with Kaiser's
HealthConnect program -- the system that will organize and integrate
clinical information for the company's approximately 8.3 million members
across the U.S.

"Kaiser has been trying to convince Congress that it should take a leading
role in the development of a national Electronic Medical Record," Elisa
said. "[But Kaiser] is a profoundly sloppy organization that lets part of
its intranet leak online to be indexed by Google and allows either
employees or consultants in highly sensitive areas to post system specs on
a public Web site. The federal government needs to start asking questions
about whether Kaiser can back up its promises when they start bidding for
EMR projects."

With that in mind, Elisa said she included a link to the Kaiser site on her
own Web site.

"I did not post this information: I linked to the original site, which
seems to have been posted by a Kaiser employee or insider," Elisa said. "I
found the Kaiser System Diagrams online at http://tripod.docviewer.com in
July 2004. You can see the remains of the site and the fact it has been
online since at least December 2002 at
http://web.archive.org/web/*/http://docviewer.tripod.com,"; she said.

Elisa also said that, in her opinion, publicly distributing diagrams of
systems that partly constitute California's transitional Electronic Medical
Records system is an even bigger deal than the patient privacy issue. With
that in mind, she contacted the Office of Civil Rights, which then
contacted Kaiser officials about the potential breach.

"We are continuing that investigation and continue to have discussions with
OCR," Schiffgens said. "On March 9, we asked the ISP to remove the posting
[from Elisa's Web site]. After we concluded that real member information
was included in the site, we took swift action to contact the ISP and have
it removed. But she reposted it twice, and the ISP removed it both those
times."

In response, Elisa, who then posted a copy of the site she had made, said
she planned to remove the post once the issue had been publicly aired.

"My intent was to take it down after the Office of Civil Rights had done a
proper investigation or Kaiser otherwise came under public/government
scrutiny," she said. "The site remained up while I was trying to figure out
what to do next."

Officials at the Office of Civil Rights could not be reached for comment.


------ End of Forwarded Message


-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
  http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/