P2P networks rife with sensitive health care data, researcher warns

Jaikumar Vijayan reports on the issue of p2p exposures compromising the security and privacy of health data:

Eric Johnson didn’t have to break into a computer to gain access to a 1,718-page document containing Social Security numbers, dates of birth, insurance information, treatment codes and other health care data belonging to about 9,000 patients at a medical testing laboratory.

Nor did he need to ransack a health care facility to lay his hands on more than 350MB of sensitive patient data for a group of anesthesiologists or to get a spreadsheet with 82 fields of information on more than 20,000 patients belonging to a health system.

In all instances, Johnson was able to find and freely download the sensitive data from a peer-to-peer file-sharing network using some basic search terms.

Johnson, a professor of operations management at the Dartmouth College Tuck School of Business, did the searches last year as part of a study looking at the inadvertent hemorrhaging of sensitive health care data on Internet file-sharing networks.

The results of that study, which are scheduled to be published in the next few days, show that data leaks over P2P networks involving the health care sector pose a significant threat to patients, providers and payers, Johnson said.

Read more on Computerworld

About the author: Dissent

2 comments to “P2P networks rife with sensitive health care data, researcher warns”

You can leave a reply or Trackback this post.
  1. Anonymous - February 1, 2009

    The health data “leaks” reported in the Dartmouth study below would NOT be reported to the victims because the HIT stimulus bill exempts “inadvertant” breaches from the reporting requirement. Only “willful” breaches have to be reported. But Americans need to know about ALL breaches, not just the few, rare “willful” breaches.

    The current version of the HIT bill is not adequate to address the P2P problems the Dartmouth researcher found:

    • “The information found on the networks originated from health care companies, suppliers and patients, and included sensitive patient health and identity information, insurance and billing data, and business documents. The data found on P2P networks included medical diagnoses and psychiatric evaluations, and even blank, signed prescription forms that anyone could have easily copied and filled out.”

    If you care about YOUR privacy or that the ‘breach notice’ in the HIT stimulus bill has been gutted, please call your members of Congress on Monday. Congress wants the Stimulus package on President Obama’s desk to sign in the next 2 weeks.

    Deborah C. Peel, MD
    Founder and Chair

    Patient Privacy Rights


    Our mission is to ensure Americans control all access to their health records.

  2. Anonymous - February 1, 2009

    Are you aware that EPIC.org says on its web site that ” Patient Privacy Rights has expressed support for the legislation. ” ?

    I agree that all breaches need to be reported, and wish more people would contact their legislators to say that we want and need strong breach notification and disclosure laws (and not just for HIT).

Comments are closed.