Bob Brewin of NextGov reports:
In 2004, when Bush administration officials unveiled a project to provide every American with an electronic health record by 2014, they pledged to put privacy and security first. But the discovery in April of stolen health records containing sensitive medical information about U.S. patients on a computer server in Malaysia controlled by cyber criminals indicates such records so far do not pass the privacy and security test.
Ben-Itzhak said that in April, Finjan informed an FBI agent working at the National Cyber-Forensics and Training Alliance in Pittsburgh — a public-private partnership to share confidential information on cyber incidents — about the patient data the company discovered on the Malaysian server and provided the agent with log files from the computer.
Finjan also informed the Office of Civil Rights of the Health and Human Services Department, which is charged with insuring the privacy of patient information under the Health Insurance Portability and Accountability Act.
Nextgov asked both the FBI and HHS if they intended to notify patients that their data had been breached, but has yet to receive a reply.
Shortly after Finjan notified the FBI of the existence of the Malaysian server, Ben-Itzhak said the server went idle, a possible indication its operators became aware of FBI probes. Since then, Finjan has discovered three similar servers and is working to determine whether they contain purloined medical data.