An unintentional leakage online of 300,000 California residents’ health records has shone more light on this emerging security threat.
Identity Finder, an ID theft prevention company, performed a Web search in May that found documents exposing 300,000 names and Social Security numbers of Californians who had applied for workers' compensation benefits.
Although this particular breach emanated from a private company’s website, this incident and others should prompt public-sector officials to also re-examine the technology and policies they have in place to prevent data loss, said Identity Finder CEO Todd Feinman in e-mail correspondence with Government Technology on Tuesday, Aug. 23.
“Regardless of health information, non-public data or other sensitive information, exposures like this are a wake-up call to public sector,” Feinman said in an e-mail. “[Governments] need to periodically search their own systems for sensitive information and request reports or audits from business associates about their data inventory, security policies and procedures.”
Agencies should try to prevent the problem by performing searches of health data on their own systems and using data loss prevention software, he said. Taking these additional steps can help prevent data leaks before information is accidentally exposed online or stolen by hackers, Feinman said.
Alan Paller, the director of research for the SANS Institute (SysAdmin, Audit, Network, Security), said a misconception among those in public-sector health care is that electronic health records that aren’t connected to the Internet are safe from data leaks.
“The lesson that they ought to learn is that as long as the computers that are holding those health records are connected to your network at all and other computers on the network are connected to the Internet, those records are at risk,” Paller said.
According to Identity Finder, the information from last spring’s data leakage incident in California was accessible online through a website by Southern California Medical-Legal Consultants Inc. (SCMLC). Identity Finder notified the company the same day of the data exposure, and within minutes SCMLC has restricted file access to the exposed documents, which Feinman said he was told contained data from state government files on workers’ compensation beneficiaries.
“Unfortunately our internal security policies and procedures were not followed,” SCMLC President Joel Hecht said in a statement released in June. We were notified, we took immediate steps to remediate the situation and we are taking long-term measures to ensure that nothing like this ever happens again.”
Government Technology magazine called and e-mailed SCMLC for further comment, but the company didn’t respond by press time.
Californians are by no means the only population that’s experienced the exposure of electronic health data. In 2006, a laptop containing sensitive information of more than 26 million veterans was stolen from a U.S. Department of Veterans Affairs employee’s home. Although the laptop was found and investigations showed the data in the equipment had not been hacked, the incident raised new concerns over records security.