AOH :: ISN-3190.HTM

Lost and found: info on 260,000 patients

Lost and found: info on 260,000 patients
Lost and found: info on 260,000 patients 

By Daniel Lee
daniel.lee (at)
October 25, 2006

Dennis Morris guards his personal information carefully.

The Beech Grove resident shreds documents containing his Social Security 
number. "It's just too easy to get somebody's information and cause them 
trouble," he said.

He wishes others were as vigilant.

Morris and about 260,000 Indiana and Illinois patients of Sisters of St. 
Francis Health Services-owned hospitals recently were notified that 
their personal information -- names and Social Security numbers -- had 
been potentially exposed.

An outside contractor working with the Mishawaka-based hospital system, 
which operates hospitals in Indianapolis and elsewhere in Indiana, 
inadvertently left compact discs containing the confidential 
patient-billing information in a new computer bag she purchased but 
later returned to a store.

The hospital and the contractor, Advanced Receivables Strategy, or ARS, 
say they don't believe patients' information was compromised.

Still, the incident raised the ire of potential victims and security 
advocates. It also raised unsettling questions about the security of 
people's sensitive information in today's computerized world.

"I think it's kind of moronic that someone would casually take this kind 
of information out of this place of business," Morris said. "It doesn't 
make any sense in this day and age."

St. Francis was notified of the problem in July, but it didn't send out 
letters to patients until recent days.

Kay Johnson, a St. Francis spokeswoman, said people were not notified 
sooner because the hospital wanted to thoroughly investigate the matter 
first, and that took time because it involved outside counsel and 
auditors making sure any notification was complete and did not violate 
privacy laws.

Computer security and privacy experts say such incidents are all too 
common among businesses and organizations handling personal information. 
Such incidents, they said, can be avoided if organizations have set 
policies in place, follow them and make sure that any outside 
contractors also adhere to those practices.

"Everybody's bad and everybody's sloppy," said Bruce Schneier, founder 
of Counterpane, a Silicon Valley computer security company.

In this case, it appears not all policies were followed for the handling 
of patients' information.

Johnson said the personal information on the discs was not encrypted, or 
electronically scrambled to keep unauthorized users from accessing the 
data. She said St. Francis and ARS have policies requiring that such 
data be encrypted.

The incident is the latest in a string of consumers having their 
sensitive information potentially exposed. Some are cases of hackers 
illegally gaining access to networks, but many others are simple cases 
of laptops or computer files being misplaced or stolen.

In this case, a Presbyterian minister who purchased the bag containing 
the CDs promptly notified St. Francis. As more and more health-care 
providers move to electronic medical records -- which often includes 
people's financial and medical information -- the stakes are high.

The CDs contained information such as names and Social Security numbers 
for about 260,000 patients and about 6,200 employees, board members and 
physicians associated with Sisters of St. Francis Health Services and 
Greater Lafayette Health Services.

In its letter to patients, ARS said it had notified the three major 
credit reporting agencies -- Equifax, Experian and TransUnion -- about 
the incident.

Nashville, Tenn.-based ARS also said consumers have a right to ask one 
of these agencies to place a fraud alert, which requires the agencies to 
provide consumers with a free credit report and future reports.

Although both organizations say they regret the mistake, neither is 
talking much about it.

"The letter clearly explains the situation, and we're very sorry for the 
incident," said Joe Cohen, a spokesman for ARS, which is owned by 
Texas-based Perot Systems Corp.

Experts, including Schneier, say it seems unlikely this incident would 
result in identity theft, given that the CDs were returned. Others 
worried about the time the CDs were unaccounted for.

"But it's really impossible to tell whether the information was 
breached," said Tena Friery, research director of the Privacy Rights 
Clearinghouse, a San Diego advocacy group. She pointed to the three-day 
lag from when the bag was returned to the store until it was purchased 
by the minister. The federal Health Insurance Portability and 
Accountability Act, or HIPAA, was designed to help protect people's 
medical privacy. However, Friery said, HIPAA does allow information to 
be disclosed to a hospital's business associates, ARS in this case.

"It doesn't require any oversight by the hospital for the data while 
it's in the possession of the person who's performing services for the 
hospital," she said.

Ira Winkler, a security expert, questioned the wisdom of such an 

"Why does a contractor have to download all that data to CDs and carry 
it around?" asked Winkler, author of "Spies Among Us," a book about risk 
management and corporate espionage. "When you have to deal with hundreds 
of thousands of people's identity information, you have to judge what is 
the risk. And the risk is too great to allow that volume of data to be 

Morris, the Beech Grove resident who received the warning letter, just 
hopes he can rely on the hospital's and vendor's assurances that theft 
of his identity was highly unlikely.

"Hopefully they're right," he said. "But how can I trust someone I don't 
know telling me, 'Don't worry.' . . . I won't feel comfortable for six 
months to a year."

Visit the InfoSec News store! 

Site design & layout copyright © 1986-2014 CodeGods