HEMORRHAGING DATA: A team of Dartmouth researchers found peer-to-peer (P2P) networks littered with sensitive health care information inadvertently made available by employees of hospitals and other health care facilities, as well as their collection agencies and other business partners. Image: ©ISTOCKPHOTO.COM/PALI RAO
If Pres. Obama has his way, the medical records of every American will be digitized by 2014. The stimulus package (read the text here) includes $19 billion in funding to pay for the effort and calls for the appointment of a chief privacy officer to advise the U.S. Department of Health and Human Services on how best to protect this sensitive information. If a new study of how easily your medical records can be found online by others is any indication, the new chief privacy officer (to be appointed over the next 12 months) will have his work cut out for him because an increase in digital medical records would likely mean an increase in medical identity theft.
Using software written specifically for scanning Internet-based peer-to-peer (P2P) file sharing networks, Eric Johnson, an operations management professor at Dartmouth College's Tuck School of Business in Hanover, N.H., and colleagues recently found confidential medical files, involving thousands of people, including patient billing records and insurance claims containing Social Security numbers, birth dates, medical diagnoses and psychiatric evaluations. (The same type of information could have been found without the special search software, although not as quickly because the researchers would have had to search individual computers on each of the P2P networks they visited.)
Johnson's team found the data by trolling P2P networks such as Gnutella, FastTrack, Aries and e-donkey. (A visit to the eDonkey2000 Network indicates it is no longer available.) The leaked information came from the heath care organizations themselves, their employees working remotely, and from businesses that perform billing and other services for these organizations. "Our goal was to see the kinds of information that was leaking out, and P2P was simply a window into those organizations," says Johnson, who will present his findings on Monday at the Financial Cryptography and Data Security '09 conference in Barbados.
In P2P people share information stored on their computers with other people on a particular network, a practice first made popular by the music-swapping service Napster. Often, P2P users must download software on their computers that allows others to search their computer for different files. Allowing other P2P users to access your computer, however, means dropping your defenses (including firewalls meant to keep out snoopers and hackers).