Monday, September 29, 2008

Human error to blame for Grady data breach

The Atlanta Journal-Constitution

Tuesday, September 23, 2008

Private medical records of Grady Memorial Hospital patients were made public on the Internet, in a way that has become an increasing concern to information security experts.

Human error — not hackers — apparently caused the medical records of 45 patients to make their way onto an unsecured Web site in July, where they remained for a few weeks, Grady officials said.

The records were thought to be on a secured Web site, but the site turned out to be unsecured and open to the public, officials said.

Grady has since made sure the information has been removed from public access, said Grady lawyer Timothy Jefferson.

At a time when more and more information is stored and moved electronically, often on Internet sites protected with passwords and firewalls, experts say they see an increasing amount of information inadvertently slip onto unsecured sites and become available to the World Wide Web.

"Very few keystrokes can make a system that is secure become unsecure," said Tom Dager, director of information technology at SecureWorks, an Atlanta information security firm. He said he is seeing more data breaches due to human error than from hackers.

The Grady data breach follows an incident earlier this year. WellCare of Georgia, a partnership between the state Department of Community Health and private health care management organizations, reported that the private records of 71,000 Georgia families who are members of the state health insurance programs were accidentally made available on the Internet for several days.

Any time private health information is made public, it is a potential violation of federal HIPAA regulations, the Health Insurance Portability and Accountability Act.

The Grady problem also speaks to the dangers of outsourcing work on such information, said Dager, the security expert.

The information on the 45 patients included doctor's notes on patients, and possibly names and ages of patients, medical conditions, diagnosis and medical procedures. It did not include Social Security numbers, patient addresses or any credit card information, said Grady spokeswoman Denise Simpson.

Grady outsourced the job of transcribing the notes to a Marietta firm, Metro Transcribing Inc., which outsourced the work to a Nevada contractor, Renee Lella. Lella, in turn, turned the work over to a firm in India, Primetech Infosystems.

Attempts to reach the firms in India and Nevada were unsuccessful Monday. Caroline Johnson, president of the Marietta firm, issued a statement Monday saying the breach was "totally unintentional. It was thought that the Internet site was entirely secure and it was not."

The problem was discovered when a Grady doctor performed a search of his name on Google, and found information on his patients, said Jefferson, the Grady attorney.

The Atlanta Journal-Constitution learned the details of the data breach from documents obtained through the state open records law. Hospital officials said they had initially been told that the patients' information had been stolen. But further review revealed there was no theft — that the India firm had let the information slip onto the Internet, according to correspondence from Grady's legal firm, Alston and Bird, to the Marietta contractor.

Grady has notified the patients of the security breach and officials say there is no indication that patients suffered due to it.

Jefferson said Grady is close to hiring a separate contractor to transcribe these medical records, and that the contract will stipulate that the company does the work itself.

Staff researcher Richard Hallman contributed to this article.

Monday, September 22, 2008

Allscripts ePrescribe Integration Launched With Google Health

Posted on: Monday, 22 September 2008, 09:00 CDT

Allscripts, a provider of clinical software, has announced that its Allscripts ePrescribe integration has been launched with Google Health.

The web-based electronic prescribing solution from Allscripts has been offered free of charge to every physician in America via the National ePrescribing Patient Safety Initiative (NEPSI), of which Allscripts is a national co-sponsor. Google is the search sponsor of NEPSI.

The integration between Allscripts and Google products gives physicians a new means of sharing their patients' medication history with those patients over the internet through Google Health.

According to Allscripts, Google Health is a new product that allows users to store, organize, and manage their medical records securely online. The product is free to patients and partners who integrate. The relationship with Allscripts allows patients to transfer their medication history, allergies, and conditions from their physician's Allscripts ePrescribe application to the patient's Google Health account.

If a patient has a physician who uses the Allscripts ePrescribe solution, they can ask for a secure personal identification number from their physician to establish a sharing link between the physician's Allscripts ePrescribe solution and Google Health. Once the sharing relationship is established, the patients can import their medication history, allergies and conditions into their Google Health Account, said Allscripts.

Glen Tullman, CEO of Allscripts and co-chair of NEPSI, said: "Allscripts views our partnership with Google as another way to improve communication between physicians and their patients. This relationship makes it possible for our physicians to create an electronic dialogue with thousands of their patients and provide them with their medication information online. We believe this will enhance the quality of care and could help to prevent potentially harmful drug interactions that injure millions of people each year."

Google Exposing Thousands of Korean ID Numbers

A query of Excel documents under "residence registration number" on the Internet search engine Google generates some 6,900 results, most of them containing national identification numbers. One search result shows a file containing the ID numbers and mobile phone numbers of the 2006 steering committee of an elementary school in Busan. The document had already been deleted from the school's website, but the Google search results showed the intact file. Another file showed the names and residence registration numbers of 933 people. The file, apparently medical records, listed even the weight of patients.

The exposed ID numbers could be used to set up mobile phone numbers or even credit card accounts under other people's names, but Google insists it has no way of stopping this from happening, raising fears of a rise in identity theft.

According to a survey of Google search results on residence registration numbers by the Korea Information Security Agency, the personal IDs of 164,536 individuals were exposed during the first half of this year alone. A total of 60,558 websites had exposed the IDs of Koreans. Considering the incidents that KISA was unable to discover, the actual extent of identity exposure could be much higher. KISA developed a software program that automatically detects the exposure of residence registration numbers and began monitoring such incidents in July last year. But with thousands of national ID numbers being exposed daily, it is difficult for KISA to ferret out each case. An official at KISA said it is a lot of trouble having to confirm each time residence registration numbers are exposed and ask the webmaster of that particular site and Google to delete the information.

Other Internet portals like Naver and Yahoo Korea take precautionary measures to prevent ID exposure. For example, those portals exclude from their search functions groupings of numbers in "XXXXXX-XXXXXXX" format like Korean residence registration numbers.
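
The automated detection and format-based filtering described above can be sketched as follows. This is an added example, not KISA's or any portal's code: it finds "XXXXXX-XXXXXXX" candidates in text a site is about to publish and triages them so that order numbers and other look-alikes are not reported. The century digit mapping and the check-digit rule are assumptions taken from the commonly documented number layout, not from the article, and the sample records are constructed.

```python
import re
from datetime import date

# Candidate: 6 digits, hyphen, 7 digits, not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(\d{6})-(\d{7})(?!\d)")
# Assumption: check digit = (11 - weighted sum mod 11) mod 10 over 12 digits.
WEIGHTS = (2, 3, 4, 5, 6, 7, 8, 9, 2, 3, 4, 5)
# Assumption: the first digit after the hyphen implies the birth century.
CENTURY = {"9": 1800, "0": 1800, "1": 1900, "2": 1900, "5": 1900,
           "6": 1900, "3": 2000, "4": 2000, "7": 2000, "8": 2000}

def plausible_birthdate(front, back):
    """True if YYMMDD is a real calendar date in the implied century."""
    try:
        date(CENTURY[back[0]] + int(front[:2]), int(front[2:4]), int(front[4:6]))
    except ValueError:
        return False
    return True

def checksum_ok(front, back):
    """True if the 13th digit matches the weighted check digit."""
    digits = [int(c) for c in front + back]
    total = sum(w * d for w, d in zip(WEIGHTS, digits[:12]))
    return (11 - total % 11) % 10 == digits[12]

def scan(text):
    """Return (line number, masked value, verdict) for every candidate."""
    findings = []
    for m in CANDIDATE.finditer(text):
        front, back = m.groups()
        if not plausible_birthdate(front, back):
            verdict = "bad-date"
        elif not checksum_ok(front, back):
            verdict = "bad-checksum"
        else:
            verdict = "likely-rrn"
        line_no = text.count("\n", 0, m.start()) + 1
        # Mask the report so the scanner's own output does not repeat the leak.
        findings.append((line_no, f"{front}-{back[0]}******", verdict))
    return findings

# Constructed sample (not real records).
SAMPLE = ("name,id,phone\n"
          "Kim,800101-1234560,010-5555-0100\n"
          "Lee,800101-1234567,010-5555-0101\n"
          "Order 123456-7654321 shipped\n"
          "Park,000229-1000000,010-5555-0102\n")

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Only `likely-rrn` findings need manual confirmation and a takedown request; the other verdicts show why a bare format match over-reports.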

But Google Korea is refusing, citing its policy of maintaining the free flow of information. Lois Kim, head of communications at Google Korea, said the company is not directly responsible since the ID numbers are not saved in Google, and the search engine merely looks up the IDs contained in various websites.

But a bigger problem is that it is not easy for individual victims of identity exposure even to ask Google to delete their ID numbers. Such a request made online requires Google membership, and the entire process takes a week. Over that period, the damage could spread. One Korean citizen said Google Korea does not even operate a customer service center, making it difficult to report one's own ID being exposed in cyberspace.

Another Korean said that when Google entered the Chinese market, however, the search engine promised the government it would not show the results of queries involving certain words, which the Internet user called "double standards" in dealing with the two countries.