Nearly eight months after new rules were enacted requiring stronger protection of health care information, organizations are still leaking such data on file-sharing networks, a study by Dartmouth College's Tuck School of Business has found.
In a research paper to be presented at an IEEE security symposium Tuesday, Dartmouth College professor Eric Johnson will describe how university researchers discovered thousands of documents containing sensitive patient information on popular peer-to-peer (P2P) networks.
One of the more than 3,000 files discovered by the researchers was a spreadsheet containing insurance details, personally identifying information, physician names and diagnosis codes on more than 28,000 individuals. Another document contained similar data on more than 7,000 individuals. Many of the documents contained sensitive patient communications, treatment data, medical diagnoses and psychiatric evaluations. At least five files contained enough information to be classified as a major breach under current health-care breach notification rules.
While some of the documents appear to have been leaked before the Obama administration's Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted, many appear to be fairly recent. A previous study by Dartmouth in 2008 also unearthed files containing health-care data floating on P2P networks, such as Limewire, eDonkey and BearShare. Among the documents found in that study was one containing 350MB of patient data for a group of anesthesiologists and another on patients at an AIDS clinic in Chicago.
The fact that many organizations are still leaking such information on file-sharing networks is surprising, said Johnson, professor of operations management at Dartmouth and one of the paper's authors.
The HITECH Act, which went into effect last September, requires any organization handling health-care data to implement stronger controls for protecting it. It also requires such organizations to publicly disclose data breaches involving patient health information within 60 days of the discovery of a breach, and it significantly expands the number and kinds of organizations that must comply with the federal patient-privacy law known as HIPAA (the Health Insurance Portability and Accountability Act). The law provides for stiff penalties for noncompliance with these requirements.
The fact that sensitive patient health information is freely available on P2P networks suggests that many organizations are still not paying enough attention to security, Johnson said.
How the data gets leaked
Data leaks on P2P networks typically occur when file-sharing software for P2P networks such as Limewire and eDonkey is improperly installed on a computer that contains sensitive data. Usually, the file-sharing software is installed on a computer to share music and video files. In many cases, however, users configure the software improperly, and all the data on the computer becomes visible and available to all other users on the P2P network.
Such lapses have led to major data leaks on P2P networks over the past few years. Some of the more high-profile examples include the leaking of sensitive details on President Obama's Marine One helicopter last year and another incident in which documents detailing Secret Service safe houses for the first family were found on a P2P network.
Businesses also have been burned by such leaks, including one breach involving personal information on 17,000 employees at pharmaceutical company Pfizer Inc. Such leaks have prompted lawmakers to consider new rules limiting the use of P2P software on government networks. Another bill is aimed at getting software developers to make their P2P software safer.
In the Dartmouth study, researchers wanted to study the impact that passage of the HITECH Act would have on the amount of health-care information available on P2P networks, Johnson said. To find out, researchers looked for documents containing specific health-care related keywords on several P2P networks. Each of the files returned in the search was then inspected for the presence of health-care data and rated on a three-point scale based on the sensitivity of the data.
The research showed that health data was as easily accessible on P2P networks as it was before the bill was enacted. More than 20% of the documents contained information that would be considered protected under HITECH rules. Even more disturbingly, the data often was found in unprotected spreadsheets and Microsoft Word documents, suggesting that many organizations are not adequately protecting the data, Johnson said. In many cases, the entities leaking the data were not even aware of the fact, he said.
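The study's method, as the article describes it, amounts to a keyword search followed by inspection and a three-point sensitivity rating. The same idea works defensively: before a folder is exposed by a file-sharing client, walk it and rate what is in it. The script below is an added example written for this page, not code from the Dartmouth study or from Computerworld. The keyword list, the identifier and diagnosis-code patterns, the bulk threshold and the mapping onto a 0-3 scale are all this example's own assumptions; the article does not give the study's actual keywords or rating criteria. The sample "shared folder" it scans is constructed inline.

```python
"""Added example: audit a folder a P2P client would share and rate each
text-like file for health-care data, loosely modelled on the keyword-search,
inspect, rate-on-a-scale method the article attributes to the Dartmouth study.
All patterns and thresholds below are this example's assumptions."""
import re
import tempfile
from pathlib import Path

# Constructed indicator vocabulary; the study's real keyword set is not given.
HEALTH_KEYWORDS = {"patient", "physician", "diagnosis", "insurance",
                   "treatment", "psychiatric", "prescription"}
# US SSN shape, standing in for the direct identifiers found in the spreadsheets.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# ICD-9 style diagnosis codes such as 250.00; coarse, also matches plain decimals.
ICD_RE = re.compile(r"\b[VE]?\d{3}\.\d{1,2}\b")
TEXT_SUFFIXES = {".txt", ".csv", ".tsv", ".log", ".xml", ".json"}
BULK_THRESHOLD = 10  # distinct identifiers at which a file counts as a bulk record leak


def rate_text(text):
    """Rate one document on a 0-3 scale (3 highest) and return (score, reasons).
    0: nothing health- or identity-related
    1: health vocabulary or codes only (forms, newsletters, articles)
    2: identifiers for a handful of individuals, with or without health data
    3: identifiers for BULK_THRESHOLD or more distinct individuals"""
    words = set(re.findall(r"[a-z]+", text.lower()))
    keywords = sorted(words & HEALTH_KEYWORDS)
    codes = set(ICD_RE.findall(text))
    ids = set(SSN_RE.findall(text))
    reasons = []
    if keywords:
        reasons.append("health keywords: " + ", ".join(keywords))
    if codes:
        reasons.append(f"{len(codes)} diagnosis-code-like value(s)")
    if ids:
        reasons.append(f"{len(ids)} distinct SSN-like identifier(s)")
    if not ids:
        return (1 if (keywords or codes) else 0), reasons
    if len(ids) >= BULK_THRESHOLD:
        return 3, reasons
    return 2, reasons


def scan_directory(root):
    """Walk a folder and return {relative path: (score, reasons)} for every
    text-like file that scored at least 1. Office formats and binaries would
    need a real text extractor and are skipped here."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="ignore")
        score, reasons = rate_text(text)
        if score:
            findings[str(path.relative_to(root))] = (score, reasons)
    return findings


def demo():
    """Build a constructed 'shared folder' in a temp dir and scan it.
    Every value below is made up for the example."""
    samples = {
        "billing_export.csv": "patient_name,ssn,insurance_id,physician,diagnosis_code\n"
            + "".join(f"Patient {i},900-00-{i:04d},INS{i:05d},Dr. Example,250.0{i % 10}\n"
                      for i in range(12)),
        "referral_note.txt": ("Patient John Q. Sample (SSN 900-00-1234) was seen by physician "
                              "Dr. Example for treatment; diagnosis code 250.00 confirmed."),
        "newsletter.txt": ("Our clinic now offers physician appointments through the "
                           "patient portal. Call 555-0100 to schedule."),
        "playlist.txt": "track01.mp3\ntrack02.mp3\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            Path(tmp, name).write_text(body, encoding="utf-8")
        return scan_directory(tmp)


if __name__ == "__main__":
    for name, (score, reasons) in demo().items():
        print(f"[{score}] {name}: {'; '.join(reasons)}")
```

Run against a real folder, `scan_directory(path)` gives a triage list ordered by the files most worth opening by hand; a score of 3 on a spreadsheet export is the shape of finding the article describes (one file, tens of thousands of identified individuals). The heuristics are deliberately simple and will both miss and over-flag, which is why the output is a reading list for a human, not a verdict.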
"Most of the time there is a lot of disbelief and stalling that goes on," when an organization is first informed about a P2P data leak, Johnson said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is firstname.lastname@example.org.