Searching P2P networks, the researchers found, for example, a government application for employment that included detailed background information, including the applicant's Social Security number, full name, date and place of birth, and mother's maiden name. Ironically, the document also included a three-page intro highlighting the Electronic Communications Privacy Act measures undertaken by the government to protect the information in the document. Still, "it somehow ended up on to a P2P network," adds Johnson, who is also director of Dartmouth's Glassmeyer/McNamee Center for Digital Strategies.
P2P users—there were an estimated 10 million of them in 2007, according to an earlier study by Johnson and colleagues—generally think that, because they're just looking to share music, the rest of the files on their computers are off-limits, says Alan Paller, director of research for the SANS Institute. "But there are no defenses once you let someone inside your computer."
Over a two-week period last year, Johnson and his team used special P2P network analysis software developed by Cranberry Township, Pa.–based Tiversa, Inc., to search for information related to or mentioning the top 10 publicly traded U.S. health care providers, including two in Tennessee: Nashville-based Hospital Corporation of America, and Community Health Systems in Franklin, the latter of which in 2007 bought health care giant Triad Hospitals. When their searches turned up a file containing medical information on a particular computer, the researchers were able to use Internet Protocol (IP) addresses to trace that computer back to a particular location. In some cases, these files were located on computers connecting to the network from work; in others, the computers were connecting wirelessly from homes, hotels or Starbucks.
In one case, Johnson and his team found two databases with detailed information on more than 20,000 hospital patients from the computer of a collection agency working for the hospital. Another search turned up a 1,718-page report with nearly 9,000 patient names, Social Security numbers, birth dates, insurers, group numbers and identification numbers. The researchers also found a PDF form for writing prescriptions that was blank, except for a doctor's signature at the bottom. "This document could be used for medical fraud by prescription drug dealers and abusers," Johnson noted in his report.