Human error to blame for Grady data breach
The Atlanta Journal-Constitution
Tuesday, September 23, 2008
Private medical records of Grady Memorial Hospital patients were made public on the Internet, in a way that has become an increasing concern to information security experts.
Human error — not hackers — apparently caused the medical records of 45 patients to make their way onto an unsecured Web site in July, where they remained for a few weeks, Grady officials said.
The records were thought to be on a secured Web site, but the site turned out to be unsecured and open to the public, officials said.
Grady has since made sure the information has been removed from public access, said Grady lawyer Timothy Jefferson.
At a time when more and more information is stored and moved electronically, often on Internet sites protected with passwords and firewalls, experts say they see an increasing amount of information inadvertently slip onto unsecured sites and become available to the World Wide Web.
"Very few keystrokes can make a system that is secure become unsecure," said Tom Dager, director of information technology at SecureWorks, an Atlanta information security firm. He said he is seeing more data breaches due to human error than from hackers.
The Grady data breach follows an incident earlier this year. WellCare of Georgia, a partnership between the state Department of Community Health and private health care management organizations, reported that the private records of 71,000 Georgia families who are members of the state health insurance programs were accidentally made available on the Internet for several days.
Any time private health information is made public, it is a potential violation of federal HIPAA regulations, the Health Insurance Portability and Accountability Act.
The Grady problem also speaks to the dangers of outsourcing work on such information, said Dager, the security expert.
The information on the 45 patients included doctors' notes and possibly the patients' names and ages, medical conditions, diagnoses and medical procedures. It did not include Social Security numbers, patient addresses or any credit card information, said Grady spokeswoman Denise Simpson.
Grady outsourced the job of transcribing the notes to a Marietta firm, Metro Transcribing Inc., which outsourced the work to a Nevada contractor, Renee Lella. Lella, in turn, turned the work over to a firm in India, Primetech Infosystems.
Attempts to reach the firms in India and Nevada were unsuccessful Monday. Caroline Johnson, president of the Marietta firm, issued a statement Monday saying the breach was "totally unintentional. It was thought that the Internet site was entirely secure and it was not."
The problem was discovered when a Grady doctor performed a search of his name on Google, and found information on his patients, said Jefferson, the Grady attorney.
The Atlanta Journal-Constitution learned the details of the data breach from documents obtained through the state open records law. Hospital officials said they had initially been told that the patients' information had been stolen. But further review revealed there was no theft — that the India firm had let the information slip onto the Internet, according to correspondence from Grady's legal firm, Alston and Bird, to the Marietta contractor.
Grady has notified the patients of the security breach and officials say there is no indication that patients suffered due to it.
Jefferson said Grady is close to hiring a separate contractor to transcribe these medical records, and that the contract will stipulate that the company does the work itself.
Staff researcher Richard Hallman contributed to this article.