More than thirty days ago, a statistician at the Palm Beach Department of
Health accidentally sent out an internal email containing a list with the names
of more than 6,000 local residents with HIV and AIDS. Officials immediately shut down and scrubbed
the county network. Relieved supervisors
praised the rapid response of the county IT department, which
was able to eliminate all of the offending emails within 10 minutes. A lot of
people – including me – wondered how they could be so sure the problem had been
solved that easily.
Later, it looks as though somebody has gotten their hands on the list. One by one, mysterious letters have begun turning up at
the homes of people with HIV/AIDS across Florida. Not surprisingly, many of those people are
upset and quite understandably concerned that the information could travel further.
The director of the Palm Beach County health department calls the
incident “medical terrorism” and says the letters remind her of the 2001 anthrax
attacks. That may well be a little
Kaiser Permanente story, the Palm Beach debacle has been
largely ignored by the media in the early going. The issues the incident raises, however, are very
similar. How safe are patient medical records, really? What use are expensive network security
systems when human error can easily bypass their defenses? If recent trends are any indication, these
cases are only the tip of the iceberg. That
should be very worrying.
HIPAA was designed, at least in part, to prevent this kind of problem. The real
question at this point seems to be how effective it is really going to be at doing its job. A little over a month from now, we’ll have a
very good idea.
County health officials in Palm Beach are arguing – in
the way officials often do – that last month’s email incident and this latest
problem are a complete coincidence. That
boggles the imagination. Such coincidences just don’t happen. The
is made a little more interesting by the fact that the letters do not
be at all threatening. The problem is that they reveal information they
shouldn’t. Whoever is sending them appears to be motivated by a desire
to reach out to the HIV/AIDS community and simply not to have thought
through his or her plan
very well. This is one to follow.