By Steve Twedt
April 14, 2007
A Web site containing Social Security numbers and other personal
information for nearly 80 UPMC patients was still accessible on the
Internet yesterday -- and computer security experts say the patients can
never be entirely assured the content will be gone.
"It is too late. Once something is on the public Web, the only
fundamentally safe security assumption you can make is that it is in the
public domain forever," said Art Manion, a computer security expert at
CERT, part of Carnegie Mellon University's Software Engineering
If a site is posted only a short time, if it's not popular, the chances
are lower, Mr. Manion said.
"But, fundamentally, once it is posted, you have lost control forever."
Yesterday, the Pittsburgh Post-Gazette was again able to view
confidential patient information included in former UPMC radiologist Dr.
Paul J. Chang's 2002 PowerPoint presentation on managing multimedia
The information -- now blocked -- was on a site operated by The Internet
Archive, a California-based nonprofit that operates as an Internet
library, archiving public Web sites that people can view for free.
"We've been collecting a snapshot of the World Wide Web every two months
since 1996," said Brewster Kahle, digital librarian for the Archive. "It
basically allows you to search the Web as it was."
Yesterday, UPMC officials said they already had contacted Internet
Archive about removing the information, an accommodation Mr. Kahle said
they were happy to make.
"We don't want sites in the archive that people don't want there. We're
not that type of organization."
On Thursday, the Post-Gazette first reported that personal information
-- which, in a few cases, included abdominal and chest scans, clinical
notes, and medical screenings as well as Social Security numbers -- had
been posted on UPMC's Radiology Department Web site for about two
UPMC officials quickly disabled the site, which had been reachable in
four mouse clicks from the department's home page. While still
investigating how the patient confidentiality breach happened, John
Houston, UPMC's privacy officer, said he thinks the file was restored to
the site after the department got a new server for its computers.
When contacted earlier this week, Dr. Chang, now at the University of
Chicago, expressed surprise the information had been posted. He
speculated that someone inadvertently had downloaded it without checking
to see if it contained confidential patient information.
The medical center said it was notifying each of the patients by letter
and is offering to pay for a year's worth of credit protection
Mr. Houston said UPMC has contacted the major archive sites to remove
the information, as well as any other site where it might appear.
"It's not entirely perfect. Unfortunately, whether we like it or not,
it's the best solution we have."
As the Internet Archive example shows, however, the privileged patient
information may never be completely recovered and deleted.
The concern is that while established sites such as The Internet Archive
are willing to remove sensitive information, others with ill intent may
have been actively looking for it, say security experts.
"The level of interest in malicious hacking will depend on what kind of
information is there. If that information includes Social Security
numbers, or anything that is truly sensitive, then that information is
probably valuable to them," said Adriel Desautels, chief technology
officer for Netragard, a New Jersey-based information security company.
With the information being posted for up to two years, he said, "the
chance of it being harvested is nearly 100 percent."
Mr. Houston acknowledged that "the damage can never be completely
undone," and others may have downloaded the information before the sites
they've identified were taken down.
"You hope that, over time, the information becomes staler and staler,
and eventually they throw it away."