By Daniel Lee
daniel.lee (at) indystar.com
October 25, 2006
Dennis Morris guards his personal information carefully.
The Beech Grove resident shreds documents containing his Social Security
number. "It's just too easy to get somebody's information and cause them
trouble," he said.
He wishes others were as vigilant.
Morris and about 260,000 Indiana and Illinois patients of Sisters of St.
Francis Health Services-owned hospitals recently were notified that
their personal information -- names and Social Security numbers -- had
been potentially exposed.
An outside contractor working with the Mishawaka-based hospital system,
which operates hospitals in Indianapolis and elsewhere in Indiana,
inadvertently left compact discs containing the confidential
patient-billing information in a new computer bag she purchased but
later returned to a store.
The hospital and the contractor, Advanced Receivables Strategy, or ARS,
say they don't believe patients' information was compromised.
Still, the incident raised the ire of potential victims and security
advocates. It also raised unsettling questions about the security of
people's sensitive information in today's computerized world.
"I think it's kind of moronic that someone would casually take this kind
of information out of this place of business," Morris said. "It doesn't
make any sense in this day and age."
St. Francis was notified of the problem in July, but it didn't send out
letters to patients until recent days.
Kay Johnson, a St. Francis spokeswoman, said people were not notified
sooner because the hospital wanted to thoroughly investigate the matter
first, and that took time because it involved outside counsel and
auditors making sure any notification was complete and did not violate
Computer security and privacy experts say such incidents are all too
common among businesses and organizations handling personal information.
Such incidents, they said, can be avoided if organizations have set
policies in place, follow them and make sure that any outside
contractors also adhere to those practices.
"Everybody's bad and everybody's sloppy," said Bruce Schneier, founder
of Counterpane, a Silicon Valley computer security company.
In this case, it appears not all policies were followed for the handling
of patients' information.
Johnson said the personal information on the discs was not encrypted, or
electronically scrambled to keep unauthorized users from accessing the
data. She said St. Francis and ARS have policies requiring that such
data be encrypted.
The incident is the latest in a string of consumers having their
sensitive information potentially exposed. Some are cases of hackers
illegally gaining access to networks, but many others are simple cases
of laptops or computer files being misplaced or stolen.
In this case, a Presbyterian minister who purchased the bag containing
the CDs promptly notified St. Francis. As more and more health-care
providers move to electronic medical records -- which often include
people's financial and medical information -- the stakes are high.
The CDs contained information such as names and Social Security numbers
for about 260,000 patients and about 6,200 employees, board members and
physicians associated with Sisters of St. Francis Health Services and
Greater Lafayette Health Services.
In its letter to patients, ARS said it had notified the three major
credit reporting agencies -- Equifax, Experian and TransUnion -- about
Nashville, Tenn.-based ARS also said consumers have a right to ask one
of these agencies to place a fraud alert, which requires the agencies to
provide consumers with a free credit report and future reports.
Although both organizations say they regret the mistake, neither is
talking much about it.
"The letter clearly explains the situation, and we're very sorry for the
incident," said Joe Cohen, a spokesman for ARS, which is owned by
Texas-based Perot Systems Corp.
Experts, including Schneier, say it seems unlikely this incident would
result in identity theft, given that the CDs were returned. Others
worried about the time the CDs were unaccounted for.
"But it's really impossible to tell whether the information was
breached," said Tena Friery, research director of the Privacy Rights
Clearinghouse, a San Diego advocacy group. She pointed to the three-day
lag from when the bag was returned to the store until it was purchased
by the minister. The federal Health Insurance Portability and
Accountability Act, or HIPAA, was designed to help protect people's
medical privacy. However, Friery said, HIPAA does allow information to
be disclosed to a hospital's business associates, ARS in this case.
"It doesn't require any oversight by the hospital for the data while
it's in the possession of the person who's performing services for the
hospital," she said.
Ira Winkler, a security expert, questioned the wisdom of such an
"Why does a contractor have to download all that data to CDs and carry
it around?" asked Winkler, author of "Spies Among Us," a book about risk
management and corporate espionage. "When you have to deal with hundreds
of thousands of people's identity information, you have to judge what is
the risk. And the risk is too great to allow that volume of data to be
Morris, the Beech Grove resident who received the warning letter, just
hopes he can rely on the hospital's and vendor's assurances that theft
of his identity was highly unlikely.
"Hopefully they're right," he said. "But how can I trust someone I don't
know telling me, 'Don't worry.' . . . I won't feel comfortable for six
months to a year."