Information Security News mailing list archives

Kids' psychological records mistakenly put online by university


From: InfoSec News <isn () c4i org>
Date: Thu, 8 Nov 2001 06:12:22 -0600 (CST)

http://www.siliconvalley.com/docs/news/svfront/018507.htm

Tuesday, Nov. 6, 2001 
BY CHARLES PILLER
Los Angeles Times 

Detailed psychological records containing the innermost secrets of at
least 62 children and teenagers were accidentally posted on the
University of Montana's Web site last week in one of the most damaging
violations of privacy over the Internet.

The 400 pages of documents describe patient visits and offer diagnoses
by therapists of mental retardation, depression, schizophrenia and
other serious conditions. In nearly all cases they contain full names,
dates of birth, and sometimes home addresses and schools attended,
along with results of psychological testing.

And unlike a medical file left open on a counter in a doctor's office,
these electronic medical records, once placed on the Internet, exposed
the material to a vast audience who were never intended to see it.
It is unclear how many people viewed these records.

``You're talking about sensitive information that could scar a child
for life being available to anyone for any purpose,'' said Evan
Hendricks, editor of the Privacy Times newsletter.

The mother of an 11-year-old, whose records of an
attention-deficit/hyperactivity disorder were posted on the
university's Web site, was appalled. ``He's just a kid and he
shouldn't have his whole life splattered around for the whole world to
know,'' she said. ``It makes me sick.''

The mother declined to be identified. She recalled attending her son's
therapy sessions and watching the therapist taking notes in her book,
``and thought maybe that was the extent of it. I guess I was kind of
naive about that.''

The medical files were placed on the University of Montana Web site
Oct. 29, and were available for eight days until they were removed
Monday after a local newspaper, the Missoulian, reported the story,
university officials said. The records were for patients at clinics
primarily in Minnesota, as well as Montana and other states. A
University of Montana student, or a university technical employee, may
have accidentally placed these private files on the Web site,
officials said.

The Montana case is the latest in a series of unauthorized disclosures
of medical data over the Internet.

Earlier this year, Eli Lilly and Co., maker of the antidepressant
Prozac, inadvertently divulged the names and e-mail addresses of 600
psychiatric patients in a bulk e-mail. Similarly, last year Kaiser
Permanente errantly sent e-mail with confidential medical information
to the wrong Kaiser members.

``That's the danger with having all of these electronic records,''
said Daniel B. Borenstein, a former president of the American
Psychiatric Association and a professor at the University of
California-Los Angeles. ``If you push the wrong button or put
something in the wrong spot on your Web site,'' the result can be
``immediate distribution of a massive amount of private medical
information.''


Drugstore records

Last year, a Nevada woman bought a used computer, only to find that
its previous owner, a drugstore, had left the pharmacy records of
thousands of patients on the machine's storage drive. But the buyer
did not disclose the records publicly.

And last year, a computer hacker broke into the medical-records system
at the University of Washington Medical Center and gained access to
about 4,000 patient records -- although these were not made public.

What sets the Montana situation apart is the age of the patients, the
volume of detail disclosed and its placement on a public Web site that
allowed complete access to private records.

Therapists whose patients were involved had no idea of the security
breach and were stunned by the lapse.

``I'm shocked,'' said Bonnie Carlson-Green, a psychologist at
Children's Hospital in St. Paul, Minn., the source of some of the
patient records. ``I have no idea how this can happen. Obviously this
information is confidential, and we go to great lengths to keep it
confidential.''

Victims of accidental disclosures face steep legal challenges to gain
compensation, said Peter Swire, a law professor who was chief privacy
counselor for the Clinton administration. Part of the problem is that
federal standards for medical-records privacy -- though recently
enacted -- will not go into force until 2003.


Legal liability

Posting a private document online, no matter how damaging it may
appear, can cause legal liability only if the victim can prove damages
in court.

``What if one of the patients has something bad happen to him or her
as a result of this disclosure -- if they are turned down for a job
later in life?'' Swire said. ``This is where you are open to a suit.''



-
ISN is currently hosted by Attrition.org
