Shostack + Friends Blog Archive


ChartOne, 3,851 SSNs+Medical Records, System Administrator

On Aug. 1, UF was notified that a computer was stolen from ChartOne, a Boston-based firm that the Health Science Center contracts with to help manage medical records. In the laptop’s database were the names, Social Security numbers, dates of birth and medical record numbers for more than 3,000 patients spread over a wide area.

According to [UF Privacy officer] Blair, the problem began in late July, when a ChartOne employee in Gainesville reported trouble with a laptop computer. The company decided to send a new laptop by United Parcel Service, and loaded it with the information from the patient database before it was shipped.

On the bright side, the systems administrator didn’t load all of ChartOne’s customers on there.
From Missing laptop impacts patients of UF physicians in Gainesville.com.

In a letter to affected patients dated Aug. 8, UF Privacy Officer Susan Blair wrote, “Although the risk for anyone gaining access to and then using this information is low, reports of identity theft are often in the news.”

I read that and am stunned. Anyone who boots the computer before selling it will find this data. Will that be found by a practitioner of America’s fastest growing crime? Will someone decide to experiment, or just read 3800 medical histories?

There’s a database, which is protected (at best) by a Windows password. There’s probably an icon on the desktop, or at the top of the start menu, labelled “ChartOne Medical database.” Proposed laws give companies the power to make bad, media-driven risk assessments like this, and then decide to lie by omission.

In other encouraging news, it seems that “ChartOne Automates Medical Record Requests for the U.S. Social Security Administration” [link to http://chartone.com/docsAdobe/pressReleases/SSAreleaseFinal.pdf no longer works] (Press release, PDF).

[Finally, I meant to add that had this involved more people, it would have the potential to be a Choicepoint- or Cardsystems-scale issue. The third-party nature of the data loss by a company that patients have never heard of, combined with the nature of the data, would have turned this into a firestorm.]