The U.S. District Court for the Southern District of Illinois recently denied the retail grocery chain Schnuck Markets’ motion to dismiss various claims arising from a December 2012 data breach in which hackers gained access to Schnucks’ credit/debit card processing systems. By mid-March 2013, both customers’ banks and Schnucks’ own payment processor had notified Schnucks that the breach had resulted in fraudulent charges to customer cards.
VA OIG just reported that Palo Alto VA Health Care System unlawfully gave patient data to a private IT company despite employees not having cleared background checks.
The watchdog investigated allegations that the Palo Alto VA informatics chief entered into an illegal agreement with a health care company called Kyron.
VA OIG confirmed allegations that the patient data was given to Kyron prior to its employees getting background checks. It also confirmed that patient data was loaded into Kyron’s extraction software prior to receiving approval from VA information security officers.
Alice goes to the hospital in the United States. Her doctor and health insurance company know the details ― and often, so does her state government. Thirty-three of the states that know those details do not keep the information to themselves or limit their sharing to researchers. Instead, they give away or sell a version of this information, and often they’re legally required to do so. The states turn to you as a computer scientist, IT specialist, policy expert, consultant, or privacy officer and ask, are the data anonymous? Can anyone be identified? Chances are you have no idea whether real-world risks exist. Here is how I matched patient names to publicly available health data sold by Washington State, and how the state responded. Doing this kind of experiment helps improve data-sharing practices, reduce privacy risks, and encourage the development of better technological solutions.
Results summary: The State of Washington sells a patient-level health dataset for $50. This publicly available dataset contained virtually all hospitalizations occurring in the state in a given year, including patient demographics, diagnoses, procedures, attending physician, hospital, a summary of charges, and how the bill was paid. It did not contain patient names or addresses (only five-digit ZIPs, which are U.S. postal codes). Newspaper stories printed in the state for the same year that contain the word “hospitalized” often included a patient’s name and residential information and explained why the person was hospitalized, such as a vehicle accident or assault. A close analysis of four archival news sources focused on Washington State activities from a single searchable news repository studied uniquely and exactly matched medical records in the state database for 35 of the 81 news stories found in 2011 (or 43 percent), thereby putting names to patient records. An independent third party verified that all of the matches were correct. In response to the re-identification of patients in its data, Washington State changed its way of sharing these data to create three levels of access. Anyone can download tabular summaries. Anyone can pay $50 and complete a data-use agreement to receive a redacted version of the data. However, access to all the fields provided prior to this experiment is now limited to applicants who qualify through a review process.
With little fanfare or formality, Adam Smith, associate professor of computer science and engineering in Penn State’s School of Electrical Engineering and Computer Science, and Vitaly Shmatikov, a professor at Cornell University, are going to try to tackle a looming issue that will, if it is not addressed, have consequences for just about anyone who has ever used the Internet, sent an email, received medical attention or otherwise made his or her presence known on the Grid that is our online society.
When it comes to the highest court in Massachusetts, it sometimes seems like entire battles are won and lost in the footnotes. In a seemingly straightforward new case, the Supreme Judicial Court has managed to add a wrinkle on top of the already complicated patchwork of law surrounding cell phone location tracking. The court’s opinion today in Commonwealth v. Estabrook sets out what it calls a “bright-line rule” and reaffirms that, in general, the Massachusetts constitution requires a warrant for tracking a person’s location using cell site location information (CSLI). That’s worth celebrating, but cynical readers who are already wondering about the “in general” in the previous sentence should take a look at footnote twelve in the opinion. Meanwhile, all readers should probably buckle in for a somewhat detailed tale of judicial incrementalism.
This exception to the warrant requirement for CSLI applies only to "telephone call" CSLI, which is at issue in this case, and not to "registration" CSLI. "Telephone call" CSLI indicates the "approximate physical location . . . of a cellular telephone only when a telephone call is made or received by that telephone." Augustine, 467 Mass. at 258-259 (Gants, J., dissenting). By contrast, "registration" CSLI "provides the approximate physical location of a cellular telephone every seven seconds unless the telephone is 'powered off,' regardless of whether any telephone call is made to or from the telephone." Id. at 259 (Gants, J., dissenting).