All your mentally ill children are belong to us
Khoder bin Hakkin
hakkin at sarin.com
Wed Nov 7 10:38:49 PST 2001
I think people have not quite gotten their hands around the
speed at which information can be disseminated online.
-Monica Lewinsky, LATimes 9 may 01
http://www.latimes.com/news/nationworld/nation/la-110701private.story
November 7, 2001
Web Mishap: Kids' Psychological Files Posted
By CHARLES PILLER, Times Staff Writer
Detailed psychological records containing the
innermost
secrets of at least 62 children and teenagers were
accidentally posted on the University of Montana
Web
site last week in one of the most glaring
violations of
privacy over the Internet.
The 400 pages of documents describe patient visits
and
offer diagnoses by therapists of mental
retardation,
depression, schizophrenia and other serious
conditions.
In nearly all cases, they contain complete names,
dates of
birth and sometimes home addresses and schools
attended, along with results of psychological
testing.
Unlike a medical file left open on a counter in a
doctor's
office, these electronic medical records, once
placed on
the Internet, were exposed to a potentially vast
audience.
"You're talking about sensitive information that
could
scar a child for life being available to anyone
for any
purpose," said Evan Hendricks, editor of Privacy
Times
newsletter.
The mother of an 11-year-old, whose records of an
attention deficit/hyperactivity disorder were
posted on the
university's Web site, was appalled. "He's just a
kid, and
he shouldn't have his whole life splattered around
for the
whole world to know. It makes me sick," she said.
The mother declined to be identified. She recalled
attending her son's therapy
sessions and watched the therapist "taking notes
in her book, and [I] thought
maybe that was the extent of it. I guess I was
kind of naive about that."
The medical files were placed on the University of
Montana Web site Oct. 29
and were available for eight days. The files were
removed Monday after a local
paper, the Missoulian, reported the story,
university officials said. The records
were for patients at clinics mainly in Minnesota,
as well as in Montana and other
states.
A University of Montana student or technical
employee may have accidentally
placed these private files on the Web site,
officials said.
It is unclear how many people viewed these
records.
The Montana case is the latest in a series of
unauthorized disclosures of medical
data over the Internet. Earlier this year, Eli
Lilly & Co., maker of the
antidepressant Prozac, inadvertently divulged the
names and e-mail addresses of
600 psychiatric patients in a mass e-mail.
Similarly, Kaiser Permanente last year sent
e-mails with confidential medical
information to the wrong Kaiser members.
"That's the danger with having all of these
electronic records," said Daniel B.
Borenstein, a former president of the American
Psychiatric Assn. and a UCLA
professor.
"If you push the wrong button or put something in
the wrong spot on your Web
site, it [can mean] immediate distribution of a
massive amount of private medical
information," Borenstein said.
Last year, a Nevada woman bought a used computer
only to find that its
previous owner, a drugstore, had left the pharmacy
records of thousands of
patients on the machine's storage drive. But the
buyer did not publicly disclose
the records.
Also last year, a computer hacker broke into the
medical records system at the
University of Washington Medical Center and gained
access to some 4,000
patient records--although these were not made
public.
What sets the Montana incident apart is the youth
of the patients, the amount of
detail disclosed and its placement on a public Web
site that allowed complete
access to private records.
The detailed accounts by therapists reveal
children suffering from all manner of
emotional problems:
"[She] has 'extreme mood swings' and is very
aggressive with her sisters and
other children," read one file about an 8-year-old
girl diagnosed with autism and
mental retardation. "She has been cruel to
animals, . . . often refuses to eat and
will make herself vomit."
An 8-year-old boy was described as suffering from
"anger outbursts, gender
identity issues" and bed-wetting.
Raymond Ford, the University of Montana technology
manager, said the
incident is under investigation. "We have no
evidence that this was malicious--all
the evidence that we have suggests that the person
who uploaded [the patient
files] probably had no idea what [he was] doing,"
he said.
But once the records were placed on the school's
Web server, a computer that
manages its online files, they became available to
Internet search engines and
were visible to casual Web surfers who requested a
keyword contained in a
patient's record.
For example, a search for "confidential" or
"neuropsychological" turned up
dozens of these medical records. Those files could
then be copied to the
computer of any visitor.
Therapists whose patients were involved were
stunned by the lapse.
"I'm shocked. I have no idea how this can happen.
Obviously, this information
is confidential, and we go to great lengths to
keep it confidential," said Bonnie
Carlson-Green, a psychologist at Children's
Hospital in St. Paul, Minn., the
source of some of the patient records.
Ford said the university will attempt to tighten
its Web security, but that it must
depend on users' vigilance and care to restrict
private materials.
Medical records experts said the university has an
ethical obligation to inform the
patients' parents.
"The least the [university] can do is contact the
families and let them know that
there was this error and the steps they've taken
to correct it," Borenstein said.
"There should be special privacy protections for
all medical records, even more
special protections for disclosure of any
psychiatric records," because of a real
threat of discrimination against people whose
treatment for mental illness
becomes known, Borenstein said.
Borenstein fears that fewer people will seek
treatment if they think their private
information may be accidentally disclosed.
Many psychiatrists are so concerned about
inappropriate electronic disclosure of
medical reports that they write only cryptic
comments in patient records, trusting
the rest to memory, Borenstein said.
David Aronofsky, the University of Montana's
attorney, said accidental online
releases of private legal or medical information
are not unusual and are corrected
quickly.
Patients and medical institutions have not been
contacted about the release of
these records. They will be contacted if it seems
necessary, after the internal
investigation is concluded, Aronofsky said. "We're
not understating the
significance of what happened here, nor are we
trying to cover it up," he said.
Fiona Anderson, a University of Minnesota
psychologist whose patient records
were among those released online, said the records
may have been removed
against her institution's rules.
"As things become more electronic and more easily
accessed . . . edited and
altered, it's difficult for our ethical rules and
guidelines to keep up with the
technology," she said.
But such victims of accidental disclosures face
steep legal challenges to gain
compensation, said Peter Swire, a law professor
who was chief privacy
counselor for the Clinton administration.
Part of the problem is new, more stringent federal
standards for medical records
privacy will not take effect until 2003, and state
regulations vary widely.
Posting a private document online--no matter how
injurious it may appear--can
cause legal liability only if the victim can prove
damages in court.
"What if one of the patients has something bad
happen to him or her as a result
of this disclosure--if they are turned down for a
job later in life?" Swire said.
"This is where you are open to a [legal] suit."
As more medical records are stored digitally,
routine electronic disclosure to
insurers and health maintenance organizations has
increasingly troubled some
clinicians and privacy advocates, although such
transfers are legal and often
required for provider reimbursement.
Paul Appelbaum, president-elect of the American
Psychiatric Assn., said patients
should be given the option of having their
information kept on paper.
A few health-care providers, such as the Harvard
Pilgrim HMO, offer such an
option.
The alternative for patients may be decreasing
control over their medical
histories.
Appelbaum added: "The mobility of electronic
information is almost unlimited."
More information about the cypherpunks-legacy
mailing list