Archive for March, 2005

Insurer Goes off SSN-Based IDs

Tuesday, March 29th, 2005

I do not carry my insurance card with me every day because my Social Security Number is printed on the card. If I lost my wallet some day, all of my personal information (name, SSN, date of birth, and home address, which is more than enough for identity theft) would be available to whoever found it. I cannot afford that risk. But there is good news for New York State residents. Excellus Blue Cross Blue Shield of New York State has begun issuing new alpha-numeric identification numbers to its policyholders, replacing its old Social Security number-based policy ID system. The switch is scheduled to be completed by the end of May. That’s absolutely great news. I hope Blue Cross Blue Shield of North Carolina can do the same thing for its customers so that I can carry my insurance card with me without worrying about what will happen if I lose it.

IT developers need to consider privacy implications of systems

Thursday, March 24th, 2005

Security and privacy should be designed into IT systems from the start. Developers of new technologies must take privacy implications into consideration when developing new products. Vulnerabilities to intentional and unintentional intrusions or violations need to be guarded against at the architectural level, not patched on afterwards. John Kavanagh recently wrote an article about the questions IT professionals should ask themselves about privacy when developing new systems.

HEADLINE: Kaiser Permanente patient data exposed online

Wednesday, March 23rd, 2005

That was the headline for Linda Rosencrance’s article on Computerworld on March 16th. (See http://www.nwfusion.com/news/2005/0316kaiseperma.html?nl)

But did they really? When you dig several paragraphs deeper into the story the picture becomes much more ambiguous than the headline would lead you to believe.

A woman, known as “Elisa” and “Diva of the Disgruntled” on her weblog, had been terminated from her job as a web coordinator at Kaiser. Some time later, she claimed that Kaiser had posted a series of system schematics for an Electronic Medical Records (EMR) project on a publicly accessible web site, as well as personal patient information for about 140 people. She filed a complaint with the Office of Civil Rights on the grounds that this was a violation of HIPAA regulations. She apparently made no attempt to notify Kaiser directly. A Kaiser spokesman said that the company learned of the incident when the Office of Civil Rights began an investigation.

The parts of the story regarding the posting of the EMR project schematics don’t seem to be in dispute. Elisa found the web site URL with the schematics when she googled the name of her former manager. She made these URLs public on her web log. A Kaiser spokesman admitted that the schematics had been put on the web site in order to share them with remote IT people. It’s unclear whether the project schematics themselves were particularly sensitive, though they have since been put behind a password-protected site.

Now, if that had been all there was to this story, it wouldn’t have been such a big deal. But what about the patient data for those 140 individuals? Elisa didn’t provide a URL on the Kaiser site where that information had been posted. She only posted the URL to where the schematics were located. So, as far as can be determined from the information in the Computerworld article, Elisa doesn’t seem to have produced any forensic evidence that Kaiser accidentally exposed the information on its public web site.

What is known to have happened is that Elisa posted the real patient information on her web log. So it’s clear that she had possession of the patient information, but it’s not at all clear that she obtained that information from the Kaiser public web site. Kaiser got the web log’s ISP to remove the information, and had to do so at least twice because Elisa reposted it. She claims that she had intended to remove the information once the Office of Civil Rights had investigated. Of course, she could have supplied the information directly to the consumers, and she could have refrained from posting patient medical records to her public web log.

The Kaiser spokesman said that Kaiser has notified the affected patients and is continuing to investigate how Elisa came into possession of the data.

Now, read the headline again:
Kaiser Permanente patient data exposed online

Ask yourself: does this headline accurately reflect the story? I don’t think so. The only evidence of an exposure is for the IT system schematics, and it’s not at all clear that these are particularly sensitive, especially from a HIPAA point of view. Perhaps a more accurate headline would have been:

Former Kaiser Employee Posts Kaiser Patient Data To Weblog

There is no dispute about the fact that Elisa did this. But there is no evidence (at least none mentioned in the article) that Elisa obtained this information through an accidental disclosure on the Kaiser web site.

My point is not to disparage Linda Rosencrance or Computerworld for a misleading headline. My point is that Elisa had access to patient data somehow. Maybe she got it from the Kaiser public web site, as she claims. Maybe she somehow got access to the data while she was still employed. Maybe she received it from an insider who still works for Kaiser. The fact of the matter is that it doesn’t matter to Kaiser how Elisa obtained the patient data. It’s still a publicity nightmare.

The question is, how can this be prevented? This is the heart of good data stewardship and good data governance. As far as I can see, there’s no way to prevent this except to treat the operating environment of the business inside the firewall as an untrusted environment. Every time sensitive information is seen by eyeballs, every time it’s written to any media as clear text, there’s a potential for this kind of incident, which I expect is keeping a lot of CSO-types awake at night.
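As an added illustration of two points on this page, the first post’s switch from SSN-based policy IDs to alpha-numeric ones and this post’s argument that sensitive fields should not sit in clear text anywhere they don’t have to, here is a small example written for this page. It is not code from Excellus, Kaiser, or any project mentioned here. It assumes an in-memory “member ID vault”, a constructed demo key (LOOKUP_KEY), and a made-up ID format (ten characters from an unambiguous alphabet with a Luhn mod-N check character); the member ID is drawn at random, so nothing about the SSN can be recovered from the number printed on a card, and the vault keeps only a keyed hash of the SSN so that a copied table reveals no SSNs either.

```python
import hashlib
import hmac
import secrets

# Constructed demo key. In a real deployment this would live in a separate
# secret store, never in the same database or backup as the member table:
# the SSN space is only 10^9 values, so an unkeyed hash could be reversed
# by trying them all.
LOOKUP_KEY = b"constructed-demo-key-do-not-reuse"

# Hypothetical ID format: 32-symbol alphabet with no 0/O or 1/I, so the ID
# reads cleanly off a printed card, plus one check character.
ID_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
ID_LENGTH = 10


def luhn_mod_n_check(body: str) -> str:
    """Luhn mod-N check character for `body` (catches any single typo)."""
    n = len(ID_ALPHABET)
    factor, total = 2, 0
    for ch in reversed(body):
        addend = factor * ID_ALPHABET.index(ch)
        factor = 1 if factor == 2 else 2
        total += addend // n + addend % n
    return ID_ALPHABET[(n - total % n) % n]


def is_valid_member_id(member_id: str) -> bool:
    """Format and check-character validation, usable without the vault."""
    if len(member_id) != ID_LENGTH or any(c not in ID_ALPHABET for c in member_id):
        return False
    n = len(ID_ALPHABET)
    factor, total = 1, 0
    for ch in reversed(member_id):
        addend = factor * ID_ALPHABET.index(ch)
        factor = 2 if factor == 1 else 1
        total += addend // n + addend % n
    return total % n == 0


class MemberIdVault:
    """Maps SSNs to random member IDs without ever storing an SSN in clear.

    Only HMAC(key, SSN) is kept, which is enough to answer "which ID belongs
    to this SSN" at enrollment time. Everything outside the vault (cards,
    claims, exports, audit log) carries the member ID only.
    """

    def __init__(self, lookup_key: bytes):
        self._key = lookup_key
        self._id_by_ssn_tag: dict[str, str] = {}
        self._ids: set[str] = set()
        self.audit_log: list[tuple[str, str]] = []  # (event, member_id)

    def _tag(self, ssn: str) -> str:
        digits = ssn.replace("-", "")
        if len(digits) != 9 or not digits.isdigit():
            raise ValueError("SSN must be nine digits")
        return hmac.new(self._key, digits.encode(), hashlib.sha256).hexdigest()

    def _new_id(self) -> str:
        # Random body + check character; loop guards against the rare collision.
        while True:
            body = "".join(secrets.choice(ID_ALPHABET) for _ in range(ID_LENGTH - 1))
            candidate = body + luhn_mod_n_check(body)
            if candidate not in self._ids:
                self._ids.add(candidate)
                return candidate

    def enroll(self, ssn: str) -> str:
        """Return the member ID for this SSN, minting one on first sight."""
        tag = self._tag(ssn)
        member_id = self._id_by_ssn_tag.get(tag)
        if member_id is None:
            member_id = self._new_id()
            self._id_by_ssn_tag[tag] = member_id
            self.audit_log.append(("enroll", member_id))
        else:
            self.audit_log.append(("lookup", member_id))
        return member_id

    def card_record(self, member_id: str, name: str, group: str) -> dict:
        """What is printed on the card or exported: no SSN, no date of birth."""
        if member_id not in self._ids:
            raise KeyError("unknown member id")
        self.audit_log.append(("card", member_id))
        return {"name": name, "member_id": member_id, "group": group}


if __name__ == "__main__":
    vault = MemberIdVault(LOOKUP_KEY)
    mid = vault.enroll("123-45-6789")  # constructed sample SSN
    print(vault.card_record(mid, "A. Patient", "GRP-EXAMPLE"))
    print("valid:", is_valid_member_id(mid), "audit:", vault.audit_log)
```

The property worth checking is that a dump of the vault, a card record, or the audit log contains no SSN, and that a one-character typo in a member ID fails validation rather than silently pulling up someone else’s record.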

Privacy Place Spring Workshop on March 14-15, 2005

Saturday, March 12th, 2005

Our Spring workshop is scheduled for March 14-15 at North Carolina State University in Raleigh, NC. The two keynote speakers are Mikhail Atallah (Purdue University) and Margaret Eisenhauer (Hunton & Williams, Atlanta). Additional speakers include Steven Adler (IBM Tivoli, NY) and Gene Spafford (Purdue University). For more information, please contact Mr. Paul Otto.