POLICY: Florida HIV mystery raises questions, by John Pluenneke

A little more than thirty days ago, a statistician at the Palm Beach Department of Health accidentally sent out an internal email containing a list with the names of more than 6,000 local residents with HIV and AIDS. Officials immediately shut down and scrubbed the county network. Relieved supervisors praised the rapid response of the county IT department, which was able to eliminate all of the offending emails within 10 minutes. A lot of people – including me – wondered how they could be so sure the problem had been solved that easily.

A month later it looks as though somebody has gotten their hands on the list. One by one, mysterious letters have begun turning up at the homes of people with HIV/AIDS across Florida. Not surprisingly, many of those people are upset and quite understandably concerned that the information could travel further. The director of the Palm Beach County health department calls the incident “medical terrorism” and says the letters remind her of the 2001 anthrax attacks. That may well be a little

Like the Kaiser Permanente story, the Palm Beach debacle has been largely ignored by the media in the early going. The issues the incident raises, however, are very similar. How safe are patient medical records, really? What use are expensive network security systems when human error can easily bypass their defenses? If recent trends are any indication, these cases are only the tip of the iceberg. That should be very worrying.

HIPAA was designed, at least in part, to prevent this kind of problem. The real question at this point seems to be how effective it is really going to be at doing its job. A little over a month from now, we’ll have a very good idea.

County health officials in Palm Beach are arguing – in the way officials often do – that last month’s email incident and this latest problem are a complete coincidence. That boggles the imagination. Such coincidences just don’t happen. The story itself is made a little more interesting by the fact that the letters do not appear to be at all threatening. The problem is that they reveal information they shouldn’t. Whoever is sending them appears to be motivated by a desire to reach out to the HIV/AIDS community and simply not to have thought through his or her plan very well. This is one to follow.

Personal Health Records

Personal Health Records allow patients to provide doctors with valuable health information that can help improve the quality of care that the patient receives. Personal Health Records can help to reduce or eliminate duplicate tests, allow you to receive faster, safer treatment and care in an emergency, and help you play a more active role in your and your loved ones’ healthcare.


So… why hasn’t anyone tried to contact the person sending the letters? What content do the letters contain? The article says that the letters are not threatening, and merely constitute an outreach attempt — did someone manage to buy a list of local HIV/AIDS diagnosees? This could indicate, it seems to me, that the list passed out of the hands of one of the people involved and into the hands of someone buying lists. Indeed, it might /not/ be related to this incidence. … But one should hope that HIPAA compliance would be stronger than that. In my experience with…


Good point Newbie Wonk! That’s precisely the point I’m arguing in my post. I’m not saying these questions need to be studied; as you point out, they already have been. But not many people in the world at large are aware of that fact, because not very many people know much about the issues involved. Which means the issue will be brought up again. And again. And again … Three months from now, I think it safe to guess that we’ll be hearing the same questions asked in Washington and in the media after another one of these leaks. And…


“How safe are patient medical records, really? What use are expensive network security systems when human error can easily bypass their defenses?” Patient medical records are at best, minimally safe. Computer security (and non-computer real world physical security) needs to be process driven, not product driven. It doesn’t matter if you use the world’s greatest firewall or the most secure encryption algorithm. If someone writes down their password, or an insider wishes to steal information, or if someone simply isn’t trained in security procedures, then the party’s over…security is compromised. The idea cited above (about computer security being process driven) comes…


If I were a spokesman for the county I’d say you’re making a post hoc ergo propter hoc argument, but that would be spin. The coincidence is too great.