Patients’ privacy
exposed on `Net
By Chris Fyall
The Beacon
Stevens Hospital announced Monday that a contractor’s security lapse had allowed personal information for about 550 patients accessible onto the Internet for up to six weeks.
Names, address and social security numbers for the 550 patients were made vulnerable, officials said. Medical records, patient records and credit card information were never at risk.
The problem has since been corrected. Patients are being notified by the hospital, but no identify thefts have been tied to the lapse, officials said.
“Our patients’ privacy is our highest concern, along with their health and well-being,” said Mike Carter, hospital president and CEO. “Once we learned of the situation, we took swift action to restore the security of the personal information.”
From mid-April until May 22, Internet users could directly access the information on servers at Bellevue-based Verus Incorporated, which has managed Stevens’ online bill-payment system since the service began in December 2006. That service is currently suspended.
According to data collected by the Privacy Rights Clearinghouse, a national organization that tracks consumer privacy and technology, lapses like the one that affected Stevens accounted for 20 percent of medical center data breeches last year.
“We’re not seeing anything new with something like this but we’re learning more about these incidents,” director Beth Givens told the Beacon. “Data security is becoming more and more of an issue.”
After a firewall error opened up the Verus server, Google’s search engine catalogued the information stored there, making it accessible to anybody at google.com.
On May 22, an Edmonds woman inadvertently accessed the database while searching for information about a deceased friend. She immediately notified Stevens, according to CEO Carter.
“We know that a name and a connected social security number can be valuable information for somebody with the wrong intentions,” he said. “We quickly realized the seriousness of this problem.”
Stevens contacted Verus and Google, and the organizations worked together to limit damage.
Verus quickly corrected the problem, but scrubbing Google’s cache proved more difficult. In the end, the hospital filed a restraining order against Google — which was sealed by judges at King County Superior Court until Monday, when the suit came to light. The restraining order compelled the company to quickly remove any remnants of the information.
That seems to have worked, officials said this week.
“We’re pretty well convinced that the information is no longer out there,” Carter said.
It is unclear when the hospital’s online bill-payment system will resume.
Stevens is currently reviewing its relationship with Verus, Carter said. A decision could be made in a few weeks.
“It’s a nice service to have for our patients and it helps our cash flow, too,” Carter said. “So we’re hoping to get it up and running again.”
Officials from Verus did not respond to requests for comment.
According to Carter, the Verus database was accessed only nine times, and eight of those hits were likely hospital officials or people working to solve the problem.
It is unclear how many people accessed the Google cache before it was removed.
But, getting an accurate fix on that question could require extensive man-hours and millions of dollars, a Google spokesman told Stevens.
The hospital has opened a hotline for patients who want information about monitoring and protecting their personal information. The phone number is (425) 673-3745.
|
