File-sharing networks used to uncover thousands of medical records

Just days after President Obama signed a law giving billions of dollars to develop electronic health records, a university technology professor submitted a paper showing that he was able to uncover tens of thousands of medical files containing names, addresses and Social Security numbers for patients seeking treatment for conditions ranging from AIDS to mental health problems.

Using peer-to-peer applications, which computer users download to share files, most commonly music and movies, M. Eric Johnson, director of the Center for Digital Strategies at Dartmouth College in Hanover, N.H., was able to access electronic medical records on computers that had the peer-to-peer programs stored on their hard drives. The medical files contained detailed personal data on physical and mental diagnoses, which a hacker could use to not only embarrass a patient but also to commit medical fraud.

One of the largest stashes of medical data Johnson discovered during two weeks of research he conducted in January was a database containing two spreadsheets from a hospital he declined to identify. The files contained records on 20,000 patients, which included names, Social Security numbers, insurance carriers and codes for diagnoses. The codes identified by name four patients infected with AIDS, the mental illnesses that 201 others were diagnosed as having and cancer findings for 326 patients. Data also included links to four major hospitals and 355 insurance carriers that provided health coverage to 4,029 employers and 266 doctors.

"Each of these constituents was exposed in this disclosure," Johnson wrote in a paper on the subject he presented at a conference on Feb. 23. "The exposure of sensitive patient health information may be most alarming to citizens."

Johnson's conclusions come amid Obama signing the economic stimulus package, which funneled $19 billion to agencies to help fund a nationwide health information network that the government plans to use to provide every American with an electronic health record by 2014.

The stimulus bill contains more than 30 pages of requirements to tighten the security of the health information, but Deborah Peel, founder of health advocacy group Patient Privacy Rights, based in Austin, Texas, said Johnson's study shows that "the idea that data contained in a health IT system can be secure and safe is a fantasy."

Peel, a psychiatrist, said the findings indicate that the supporters of a national health IT system are engaged in "wish fulfillment" rather than reality when it comes to system security. She said egregious data breaches of the kind Johnson discovered will lead trial lawyers to sue over such breaches.

"Over the next several years we are going to see major breaches in health IT systems," said Tom Hughes, who ended his tour as the Bush administration's chief information officer at the Social Security Administration, which is running a pilot health IT program.

The federal government has suffered numerous breaches because of peer-to-peer programs. In June 2008, at least 1,000 patients from Walter Reed Army Medical Center had their health records and Social Security numbers compromised. And Congress has held hearings on the problem, including one in July 2007, when the House Oversight Committee learned that military documents, including classified documents, were readily available for download on popular peer-to-peer networks.

Johnson said in an interview with Nextgov that it was not difficult to find patient records or medical databases using peer-to-peer networks such as Limewire, which is widely used to share music files. Using a search service provided by Tiversa Inc., a peer-to-peer forensic analysis firm in Cranberry Township, Pa., he searched the top 10 publicly traded health care companies as listed in the 2007 Fortune 500. Johnson found 3,328 files and documents, and eliminated nonsensitive material such as brochures, publicity material and medical text. That left 161 files containing sensitive health care information linked with personal identifiers.

The peer-to-paper file search also uncovered a spreadsheet from an AIDS clinic with personally identifiable information on 242 patients including address and Social Security numbers, psychiatric evaluations from a mental health clinic and a 1,718-page document from a medical testing laboratory containing patient names, Social Security numbers and diagnosis codes. Johnson said he discovered these files on a computer belonging to a collection agency.

While Johnson started his search with large hospitals, the decentralized nature of peer-to-peer networks and the fragmented nature of the health care industry meant that sensitive medical information that started at a hospital could end up in system run by insurance companies, medical laboratories or even collection agencies.

The basic technology that runs peer-to-peer networks inadvertently exposed the files probably without the computer user's knowledge, Johnson said. A health care worker might have loaded patient files onto a laptop, for example, and taken it home where a son or daughter could have downloaded a peer-to-peer client onto laptop to share music.

Once the client is installed, Johnson said in most cases it exposes every file on a computer's hard disk to anyone on the file-sharing network. Many corporations and federal agencies prohibit employees from installing peer-to-peer clients, but employees routinely ignore the policy because employees want to obtain the free music, even though the songs are copyrighted, said Scott Harrer, brand director for Tiversa.

The company conducts 1.5 billion searches a day on peer-to-peer networks for clients and uncovers a range of sensitive financial, operational and health care information every day. "Listening to free music carries a high price," he said.

The Homeland Security Department funded Johnson's research to demonstrate the need for better security in health IT systems.