All your mentally ill children are belong to us

Khoder bin Hakkin hakkin at sarin.com
Wed Nov 7 10:38:49 PST 2001


 I think people have not quite gotten their hands around the
speed at which information can be disseminated online.
-Monica Lewinsky, LATimes 9 may 01


http://www.latimes.com/news/nationworld/nation/la-110701private.story

November 7, 2001

Web Mishap: Kids' Psychological Files Posted
By CHARLES PILLER, Times Staff Writer

Detailed psychological records containing the innermost secrets of at least 62 children and teenagers were accidentally posted on the University of Montana Web site last week in one of the most glaring violations of privacy over the Internet.

The 400 pages of documents describe patient visits and offer diagnoses by therapists of mental retardation, depression, schizophrenia and other serious conditions.

In nearly all cases, they contain complete names, dates of birth and sometimes home addresses and schools attended, along with results of psychological testing.

Unlike a medical file left open on a counter in a doctor's office, these electronic medical records, once placed on the Internet, were exposed to a potentially vast audience. "You're talking about sensitive information that could scar a child for life being available to anyone for any purpose," said Evan Hendricks, editor of Privacy Times newsletter.

The mother of an 11-year-old, whose records of an attention deficit/hyperactivity disorder were posted on the university's Web site, was appalled. "He's just a kid, and he shouldn't have his whole life splattered around for the whole world to know. It makes me sick," she said.

The mother declined to be identified. She recalled attending her son's therapy sessions and watched the therapist "taking notes in her book, and [I] thought maybe that was the extent of it. I guess I was kind of naive about that."

The medical files were placed on the University of Montana Web site Oct. 29 and were available for eight days. The files were removed Monday after a local paper, the Missoulian, reported the story, university officials said. The records were for patients at clinics mainly in Minnesota, as well as in Montana and other states.

A University of Montana student or technical employee may have accidentally placed these private files on the Web site, officials said.

It is unclear how many people viewed these records.

The Montana case is the latest in a series of unauthorized disclosures of medical data over the Internet. Earlier this year, Eli Lilly & Co., maker of the antidepressant Prozac, inadvertently divulged the names and e-mail addresses of 600 psychiatric patients in a mass e-mail.

Similarly, Kaiser Permanente last year sent e-mails with confidential medical information to the wrong Kaiser members.

"That's the danger with having all of these electronic records," said Daniel B. Borenstein, a former president of the American Psychiatric Assn. and a UCLA professor.

"If you push the wrong button or put something in the wrong spot on your Web site, it [can mean] immediate distribution of a massive amount of private medical information," Borenstein said.

Last year, a Nevada woman bought a used computer only to find that its previous owner, a drugstore, had left the pharmacy records of thousands of patients on the machine's storage drive. But the buyer did not publicly disclose the records.

Also last year, a computer hacker broke into the medical records system at the University of Washington Medical Center and gained access to some 4,000 patient records--although these were not made public.

What sets the Montana incident apart is the youth of the patients, the amount of detail disclosed and its placement on a public Web site that allowed complete access to private records.

The detailed accounts by therapists reveal children suffering from all manner of emotional problems:

"[She] has 'extreme mood swings' and is very aggressive with her sisters and other children," read one file about an 8-year-old girl diagnosed with autism and mental retardation. "She has been cruel to animals, . . . often refuses to eat and will make herself vomit."

An 8-year-old boy was described as suffering from "anger outbursts, gender identity issues" and bed-wetting.

Raymond Ford, the University of Montana technology manager, said the incident is under investigation. "We have no evidence that this was malicious--all the evidence that we have suggests that the person who uploaded [the patient files] probably had no idea what [he was] doing," he said.

But once the records were placed on the school's Web server, a computer that manages its online files, they became available to Internet search engines and were visible to casual Web surfers who requested a keyword contained in a patient's record.

For example, a search for "confidential" or "neuropsychological" turned up dozens of these medical records. Those files could then be copied to the computer of any visitor.

Therapists whose patients were involved were stunned by the lapse.

"I'm shocked. I have no idea how this can happen. Obviously, this information is confidential, and we go to great lengths to keep it confidential," said Bonnie Carlson-Green, a psychologist at Children's Hospital in St. Paul, Minn., the source of some of the patient records.

Ford said the university will attempt to tighten its Web security, but that it must depend on users' vigilance and care to restrict private materials.

Medical records experts said the university has an ethical obligation to inform the patients' parents.

"The least the [university] can do is contact the families and let them know that there was this error and the steps they've taken to correct it," Borenstein said.

"There should be special privacy protections for all medical records, even more special protections for disclosure of any psychiatric records," because of a real threat of discrimination against people whose treatment for mental illness becomes known, Borenstein said.

Borenstein fears that fewer people will seek treatment if they think their private information may be accidentally disclosed.

Many psychiatrists are so concerned about inappropriate electronic disclosure of medical reports that they write only cryptic comments in patient records, trusting the rest to memory, Borenstein said.

David Aronofsky, the University of Montana's attorney, said accidental online releases of private legal or medical information are not unusual and are corrected quickly.

Patients and medical institutions have not been contacted about the release of these records. They will be contacted if it seems necessary, after the internal investigation is concluded, Aronofsky said. "We're not understating the significance of what happened here, nor are we trying to cover it up," he said.

Fiona Anderson, a University of Minnesota psychologist whose patient records were among those released online, said the records may have been removed against her institution's rules.

"As things become more electronic and more easily accessed . . . edited and altered, it's difficult for our ethical rules and guidelines to keep up with the technology," she said.

But such victims of accidental disclosures face steep legal challenges to gain compensation, said Peter Swire, a law professor who was chief privacy counselor for the Clinton administration.

Part of the problem is new, more stringent federal standards for medical records privacy will not take effect until 2003, and state regulations vary widely.

Posting a private document online--no matter how injurious it may appear--can cause legal liability only if the victim can prove damages in court.

"What if one of the patients has something bad happen to him or her as a result of this disclosure--if they are turned down for a job later in life?" Swire said. "This is where you are open to a [legal] suit."

As more medical records are stored digitally, routine electronic disclosure to insurers and health maintenance organizations has increasingly troubled some clinicians and privacy advocates, although such transfers are legal and often required for provider reimbursement.

Paul Appelbaum, president-elect of the American Psychiatric Assn., said patients should be given the option of having their information kept on paper.

A few health-care providers, such as the Harvard Pilgrim HMO, offer such an option.

The alternative for patients may be decreasing control over their medical histories.

Appelbaum added: "The mobility of electronic information is almost unlimited."




