Archive for the ‘Medical Privacy’ Category

Wireless Medical ID Theft

Friday, May 25th, 2007

Identity thieves use many tactics to gather sensitive personal information.  Some check your mailbox.  Others dumpster-dive.  But now a more sophisticated identity thief might be found slowly cruising medical park parking lots with a laptop.

Off work and out of school, I spent the week between Christmas and New Year's, December 2006, taking care of a friend at Sibley Hospital.  During the long hours of sitting in the hospital and doctors’ offices, I tried to keep myself productive with my laptop, which proved surprisingly difficult without internet access. I scanned the 6th floor of the Hospital, and found 13 wireless networks, all of which were private and inaccessible.  That was understandable, but bad news for my productivity.

Many businesses have begun to recognize the increasing dependence their customers have on internet connectivity.  Consequently they, along with local governments and even hospitals and doctors’ offices, now offer “Hot spots,” or areas of free internet access to patrons.  Complimentary internet access has even become an expectation in many places.

Down in the cafeteria, I began to wonder if all medical facilities were as careful as Sibley Hospital about securing their wireless networks.  After all, any time you mix open wireless networks with medical information, you run the risk of exposing confidential information protected by HIPAA and privacy acts.

So, I decided to perform a survey of 76 casually selected wireless networks at hospitals and medical parks in Maryland and DC.  At the large hospitals I checked, public and private networks were carefully controlled.  However, networks in smaller medical parks, whose tenants are usually independent practitioners, showed far more security defects.

This trend is perhaps predictable, because hospitals maintain a staff of IT professionals, and have established IT procedures. In contrast, independent practitioners have small staffs and often outsource IT functions to people of varying skill.  When they outsource it to a non-professional, it can have a devastating effect on patient privacy.

Take Dr. Abulhasan Ansari’s office for example.  He treats adults and young adults in his Clinton, Maryland office.  While he was away on vacation in December 2006, a member of the office staff contracted with an outside IT “professional” to create a wireless network.  The network required no password, was not encrypted, and maintained all of the factory default settings.  The network was available to any member of the public with a laptop.  Though it is unclear whether it was intended to provide complimentary internet access to waiting patrons, it is clear that it was not intended to allow patrons to access confidential patient information.  But it didn’t turn out that way.

Sitting in my car, I opened my laptop. Once my laptop associated with Dr. Ansari’s network (named “linksys”), Windows XP automatically scanned it, and populated “My Network Places” with shared folders.  Unfortunately in Dr. Ansari’s case, these folders contained Access databases with confidential patient information, including names, SSNs, birth dates, and medical histories for his patients.  All of this information was available to anyone within 100 feet of the office with a laptop.  This meant that an identity thief could slowly cruise through the medical park parking lot, grab the Access databases with the patient data, and leave completely undetected, without setting foot in the office.  Incidentally, the wireless router was also essentially open, which means that a thief could have hidden his tracks by erasing the router log.

After making this discovery, I entered the office and told the manager my findings.  At first, she insisted that the records were not theirs.  I displayed the Access files on my screen, and she confirmed that they were, in fact, Dr. Ansari’s patients.  She insisted, however, that since they “just recently” established the wireless network, no unauthorized person could have accessed the information in such a short time.  I don’t think she appreciated the irony of her statement, as she was viewing her patient data on my laptop.

I asked them whether they had any plans to notify the affected patients that their medical data had been potentially compromised.  Instead of answering the question, she said that they would simply disconnect the wireless router.  Once she disconnected the router, the files disappeared from my screen, and she promised to have the “professional” return and secure the network right away.

Exactly one week later, I visited the same medical park, and performed the same scan.  Dr. Ansari’s office had fixed their problem, but I was dismayed to find that one of their neighbors in an adjoining building had put up their own insecure wireless network in the intervening week.  They were closed at the time.

In all, I surveyed 78 medical wireless networks.  6 allowed access without a password, encryption, or other security bar.  Sibley Hospital, where I spent several days over the break, had at least two public wireless networks in the cafeteria.  They did not allow access to any internal network.  Four others, all in medical parks (not hospitals), allowed direct access to an internal office network, some of which contained confidential patient data in Excel files and physician dictations.

The most startling part of this exercise is that the percentage of insecure networks in my sample was nearly 8%.  A single breach by an identity thief can cause hundreds of thousands of dollars in damage, and adversely affect hundreds or even thousands of current and former patients.

Despite clear regulations set forth under the authority of HIPAA, new technology poses challenges to under-trained staff.  In addition, as demonstrated by this episode, there is a tendency to eliminate and hide mistakes (i.e., turn off the router), rather than properly address the issue, or notify potentially affected individuals.

That policy is understandable, if regrettable, because often business owners don’t feel the need to “unnecessarily worry” their customers by announcing a potentially embarrassing security gaffe, when there is no hard evidence that anyone in particular accessed sensitive data, or an increased likelihood of harm.  It also regrettably creates an incentive for business owners to put their heads in the sand, so to speak, by not monitoring networks at all; after all, if you don’t collect data that could demonstrate whether a breach had occurred, you’ll never risk having to notify anyone of a breach.

So, next time you go to the doctor’s office, take your laptop, and be prepared to challenge your doctor’s information security procedures.  And keep an eye out for anyone cruising the parking lot with a laptop.

The MIB: Medical Division

Thursday, May 24th, 2007

Long before Will Smith and Tommy Lee Jones hit the screen as intergalactic secret agents, the MIB was doing undercover work of a distinctly terrestrial nature. Amassing storehouses of medical information since 1902, the Medical Information Bureau maintains a sort of “Medical Credit Report” on roughly 20% of the United States population.

When you apply for life, health, or disability insurance, insurance companies collect information about factors that might affect your health or longevity, such as age, sex, drug or alcohol use, and other risk behaviors. There is a good chance that at one point or another, you have signed a waiver permitting an insurance provider to transmit this information to the MIB, which creates a record of the insurance findings.

Once stored in the MIB databases, participating MIB insurance companies may access your information in order to reduce insurance fraud. MIB stores these records for seven years, and some of their contents have been a closely held secret. Moreover, some of the information is inaccurate, which can cause major problems for some consumers. This arrangement has led privacy specialist Simson Garfinkel to refer to the MIB as the “official insurance agency gossip columnist.”

The MIB does not store medical test results, records, or X-rays. Though insurance companies are theoretically prohibited from rejecting insurance coverage based upon information in the MIB report, some evidence suggests insurance companies do just that.

So what does your MIB report say? The Fair Credit Reporting Act requires the major credit bureaus to offer one free credit report to consumers annually. However, the Act specifically does not apply to medical records. After some pressure from the FTC in the early ’80s, the MIB has agreed to offer consumers one free MIB Disclosure per year.

Not everybody has an MIB record, but ironically, in order to find out whether you’re in the system, you must become part of the system. The rather stern voice of MIB’s automated phone system warns that failure to provide a broad range of personal information to MIB will terminate the call. You are asked to “certify under penalty of federal law” the following information:

  • Your Social Security Number (SSN)
  • Your Last Name
  • Your First Name
  • Your Middle Name
  • Any Other Previous Surname
  • Your Date of Birth
  • Your Birth Place
  • Your Occupation
  • Your Current Address
  • Your Telephone Number

So, even if your personal information was not in their databases before you called, it will be once you call. Neither the automated phone system nor the website, www.mib.com, indicates how your personal information will be used, how long it will be stored, whether it becomes a part of your MIB report, or whether it will be shared with insurance companies.

I called the MIB Disclosure Report number (866-692-6901) and reluctantly provided the information. About one week later I received a letter from MIB: “Using the identification information provided as a part of your request to MIB, we have made a thorough search of our records… and cannot find any information.”

Great. Now the MIB had all of my personal information, and I didn’t have anything to show for it.

So I called customer service (781-751-6003), and requested that they purge my personal information from their database. A nice woman with a thick Boston accent answered the phone, and I learned a lot about their data retention policies.

When a consumer calls the Disclosure Report number, her information is divided into two files. Most of her identifying information is entered into a database, and tagged with a unique reference number. Then her SSN is placed in a text log file with the same reference number. Both data sets are stored indefinitely, and the MIB representative could not detail a regular policy of purging either.

MIB uses a person’s name, birth date, address, etc. to (1) search for matching records, and (2) make sure the person hasn’t requested a report within the last 12 months. But MIB representatives insist that they do not use the text file with the SSN for anything except to ensure that you are the one requesting your MIB record. In other words, the MIB inappropriately uses the SSN as a proof-of-identity. This is yet one more reason why your SSN should stay out of others’ hands—to prevent medical impersonation.

Since the MIB claims not to use the SSN for any reason except “proof-of-identity,” I suggested that they re-think their data-retention policy, and purge the text log on a regular basis. The supervisor gave me a dubious reply, “Well I’m sure they have their reasons for keeping [the SSNs].” I didn’t ask who “They” were, or what “their reasons” might be; it was clear she didn’t know. And I doubt that I could have talked to “Them” if I had asked, anyway.

I requested that they purge my SSN from their text log. After a long and good-humored conversation, the representative agreed to do me a favor and delete my SSN. However, it was clear that I was an exception to the rule.

My report and accompanying podcast on the Medical Information Bureau piqued the interest of the MIB’s Vice President/ General Counsel, who contacted me directly. He asserted that they do have a data retention schedule, but that the policy is proprietary and confidential, and may vary based on a number of statutory and subjective factors. Citing another unpublished “proprietary” document, he also promised that MIB does not share any information collected over the phone with insurance companies.

Be sure to do your own cost-benefit analysis before ordering an MIB report. On one hand, the report is very helpful if you were recently turned down for insurance, or if your premiums seem abnormally high. On the other hand, you must yield some very sensitive data to MIB. Regardless, if you have not applied for life, health, or disability insurance within the past seven years, your MIB report will look like mine—empty.

www.mib.com - Medical Information Bureau Site
(866) 692-6901 - Consumer MIB Record Disclosure
(781) 751-6003 - MIB Customer Service