[IP] Stupidity and data security in Colorado

To: Ip ip <ip@xxxxxxxxxxxxxx>
Subject: [IP] Stupidity and data security in Colorado
From: David Farber <dave@xxxxxxxxxx>
Date: Thu, 26 May 2005 19:03:40 -0400
List-help: <http://v2.listbox.com/doc/help_sub?list_name=ip@v2.listbox.com>
List-id: <ip@xxxxxxxxxxxxxx>
List-software: listbox.com v2.0
List-subscribe: <mailto:subscribe-ip@v2.listbox.com>, <http://v2.listbox.com/subscribe/?listname=ip@v2.listbox.com>
List-unsubscribe: <mailto:unsubscribe-ip@v2.listbox.com>, <http://v2.listbox.com/member/unsubscribe/?listname=ip@v2.listbox.com>
References: <6b9a699283d7b48eda7cf95fe58ff675@xxxxxxxxxx>
Reply-to: dave@xxxxxxxxxx
Sender: owner-ip@xxxxxxxxxxxxxx



Begin forwarded message:

From: Liz Ditz <ponytrax@xxxxxxxxxx>
Date: May 26, 2005 3:47:20 PM EDT
To: David Farber <dave@xxxxxxxxxx>
Subject: Stupidity and data security in Colorado


For IP if you wish.   From the Rocky Mountain News
==========================

Health agency demotes staffer after breach
Computer holding private data stolen

By Bill Scanlon, Rocky Mountain News
May 26, 2005

A [Colorado] state health department worker who took medical recordshome and left them overnight in a car - which was then stolen - hasbeen demoted.

Colorado's chief medical officer, Dr. Ned Calonge, said the employeeviolated department rules by taking the laptop computer home for theweekend.

It contained the records of 1,600 children involved in a federalstudy of autism, a study that parents of those children were madeaware of only after the theft became public. Some parents wereoutraged over the security breach and the fact that they hadn't beeninformed that their children were part of a research program. "Weunderstand the parents' concerns and are taking this seriously,"Calonge said.

The car was recovered but the laptop was gone. Calonge doubts thethieves were interested in specific data in the laptop or that theencrypted records have been decoded. The main problem, he said, wasthe security breach.

The [Colorado] State Board of Health has decided that autism shouldbe a "reportable disease," putting it in the same category asinfectious diseases such as whooping cough, tuberculosis and the flu,Calonge said.

The federal Centers for Disease Control and Prevention wants to findout what causes autism and whether it is truly on the rise, orwhether it's just being reported more often. Eighteen states areparticipating in the study, which asks such questions as age of onsetand whether the condition has been confirmed.

Autism usually appears in early childhood and is characterized bypoor social interaction, and communication and behavioral problems.

"It fits into the category of diseases where we want to dosurveillance activities to understand more about the condition,"Calonge said.

It's important to attach a name to the health records to assure thereare no duplicates, he said.

Although the [Colorado] autism records included the children'snames, the panel that reviewed each case to determine if thecondition was in fact autism didn't see the children's names, Calongenoted. Only employees of the Colorado Department of Public Health andEnvironment had access to the children's names, and they are underorders not to let the information leave state buildings.

The only exception is when a member of the surveillance team is goingto an off-site clinic the next morning. Then, he or she haspermission to take a laptop home - but only on a weeknight, not forthe weekend, as the employee in this case did.

Also, the employee shouldn't have left the laptop in a carunattended, he said.

Calonge said relatively few parents have complained about the breach.That, and the facts that the information likely wasn't decoded andthat there's a backup record of the information, makes him hopefulthat Colorado can continue its participation.

Nonetheless, the incident spurred CDPHE to upgrade its encryptionsoftware and to re-examine its confidentiality procedures, Calonge said.


"We can't do our work if we can't assure confidentiality," he said.

The department "may very well change our policy" and start informingparents when their children are part of a program involving anoninfectious disease, he said. [Colorado] Health officials saysurveillance of infectious diseases is vital and can't wait forparental consent. If a child gets whooping cough, for example, it'simportant the child's school is notified and that steps are taken toprevent an outbreak, they said.

Still, balancing privacy rights and public health is always thedepartment's goal, Calonge said.

"We're looking at how we can continue to work at improving the healthof the population, while being sensitive to parent concerns aboutconfidentiality," he said.


scanlon@xxxxxxxxxxxxxxxxxxxxx or 303-892-2897



-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

Prev by Date: [IP] Minnesota court takes dim view of encryption
Next by Date: [IP] more on Banking Alert (fwd)
Previous by thread: [IP] Minnesota court takes dim view of encryption
Next by thread: [IP] more on Banking Alert (fwd)
Index(es):
- Date
- Thread