Georgetown University Hospital suspended a trial program with an electronic prescription-writing firm last week after a computer consultant stumbled upon an online cache of data belonging to thousands of patients, Wired News has learned.
The leaked information included patients' names, addresses, Social Security numbers and dates of birth, but not medical data or the drugs the patients were prescribed, says Marianne Worley, a spokeswoman for the Washington, D.C.-based hospital known for providing emergency care to the nation's most powerful political figures.
The hospital had securely transmitted the patient data to e-prescription provider InstantDx. But an Indiana-based consultant accidentally discovered the data on InstantDx's computers while working to install medical software for a client.
"The initial investigation has found that no patient demographic data was inappropriately used," says Worley, who says between 5,600 and 23,000 patients were affected. She added that the hospital learned of the breach when Wired News contacted it last week.
E-prescribing allows doctors to write and renew drug prescriptions electronically and transmit them to participating pharmacists for fulfillment. The Georgetown trial had been under way for less than eight months, and involved fewer than 10 doctors.
The breach highlights the liabilities of sharing private medical records with third parties as the industry crawls toward electronic record keeping. A survey by the Centers for Disease Control and Prevention released last week found only about 24 percent of doctors used some electronic health records in 2005, and only 11 percent had gone entirely digital.
The Bush administration has set a goal that most Americans have electronic health records with privacy protection by 2014 -- and electronic prescription-writing is the killer app, says Peter Swire, a law professor at Ohio State University and former Clinton administration privacy czar.
"E-prescribing is a leading sector for electronic health records," says Swire. "Improper medication lists are by far the biggest source of medical errors -- there's drug-interaction problems, there's incorrect dosage problems. The single biggest saving from e-health is from e-prescriptions."
The incident also underscores increasing exposure for security professionals who discover and report flaws. Bug-finders have recently lost jobs or faced criminal prosecution for going public with their discoveries, and the incident, with certain details obscured, was the topic of a brief but lively debate on the risks and rewards of disclosure in the computer security community.
Maryland-based e-prescription firm InstantDx was quick to accept responsibility for leaking the Georgetown file. The company wouldn't say whether other hospitals and doctors' offices were represented in the vulnerable files, but said that its systems have been secured. InstantDx chairman and CEO Allan Weinstein describes the incident as "a one-time quirk."
The consultant responsible for the discovery, Goshen, Indiana-based Randall Perry, says bad security practices contributed heavily to the incident. Perry says he accessed the data using a password he discovered hard-coded into a popular medical practice application, where any moderately skilled user could retrieve it.
"This is just security through obscurity," says Perry. "My home network is probably 10 times more secure than what they have set up over there."
Called Medisoft, the application is an all-in-one medical office suite marketed to small practices, and capable of handling everything from patient appointments to sending out bills. According to the product website, it's used by 70,000 health care practitioners worldwide.
Amber Virgillo, spokeswoman for Per-Se Technologies, Medisoft's maker, wouldn't comment on the incident, but insists the company's products meet "high security standards."
The issue emerged when Perry configured a new laptop for a small doctors' office, and encountered problems downloading software updates for Medisoft. In search of a work-around, Perry dove into the software's components, where he found an internet address, a login name and a password for a server operated by InstantDx, a Medisoft partner.
Using the password, Perry connected to the server with a file transfer program and listed the contents of the directory -- hoping to find the software updates that prompted his digital sleuthing, he says. Confounded by the obscure file names that popped up, he executed a command that sucked down the entire contents of the directory -- which he describes as 2 GB of files.
When he looked at one of the files, titled GUHmedpts.csv, he was shocked to see thousands of entries for patients in the Washington, D.C., area -- far from his client's office. He Googled "GUH," found it was a common abbreviation for Georgetown University Hospital.
Georgetown University Hospital does not use Medisoft, but did use InstantDx's prescription system.
"It slowly evolved -- what it really was -- and that came to a very somber reality," Perry says. "It's a huge breach.... I wasn't even trying, so how about the people who are trying?"
Uncertain how to proceed at a time when companies and government prosecutors are increasingly willing to go after people who identify security holes, Perry sought advice July 3 from the Full Disclosure computer security mailing list -- an unmoderated, freewheeling forum shared by hackers and security professionals.
In an anonymous post that omitted the name of the hospital and companies involved, and deliberately misstated some of the details, Perry fretted about the potential consequences of telling Per-Se or InstantDx about the problem. "And if these companies are notified, what happens?" he wrote. "A slap on the wrist? Wash it under the rug and label the person discovering it all to be a Black Hat?... In the end, I feel bad for the ... people who can be totally raped of their identities.... But, why should I be the scapegoat for pointing out that the Emperor has no clothes?"
The message ignited a fiery debate over the July 4 holiday, with varying and conflicted advice: He could report the discovery anonymously, but InstantDx's server logs would quickly identify him. Some urged caution. "Don't waste your time," one poster advised. "At this point you risk being arrested and blamed for this finding, rather (than) commended (for) finding it."
Nearly two weeks later, in the early morning hours of July 16, Perry called the InstantDx help desk. "Randall called our call center at 2:30 in the morning on Sunday," says CEO Weinstein. "And our call center ... immediately notified the technology team."
The company says it acted quickly to take the GUHmedpts.csv file off of the server.
InstantDx attorney Robert Hudock, an e-health specialist at the Washington, D.C., firm Epstein Becker & Green, says two separate weaknesses conspired to create a security hole for a brief period of time, and that no malicious activity resulted. He emphasizes that Perry couldn't have accessed the data if he hadn't gone poking around in Medisoft.
"Randall is the only player in the deck here," says Hudock. "He was entrusted with a secured copy of the application that had been appropriately licensed and installed, and he was working ... (as) a consultant for this particular physician.
"This vulnerability wouldn't have happened if the consultant to the physician had stuck to his responsibilities as a business associate of the physician," says Hudock.
Mark Rasch, vice president of Solutionary and a former Justice Department cybercrime lawyer, says the company's response smacks of killing the messenger.
"One of the biggest problems you have is people inadvertently stumble upon security vulnerabilities, and frequently it's because they're trying to get their job done," says Rasch. "And what we do now is say, 'He did something wrong. He shouldn't have been there. Let's go after him.' How does that encourage people to report vulnerabilities and get them fixed? What they should do is give him a $10,000 finder's fee."
Reached for a follow-up interview Monday, Perry said he could no longer discuss the incident, having signed nondisclosure agreements with the hospital and InstantDx.
"It seems like they're trying to blame me for this, and it's left a very bad taste in my mouth for the whole experience," he says. "If I found something again, I doubt very much that I'd ever report it. It's not worth it."
Swire says the leak of customer information might run afoul of HIPAA, the federal electronic medical record keeping law, but that the organization in charge of enforcing the law's privacy protections has not been fiercely active.
"There's over 20,000 HIPAA complaints to (the Department of Health and Human Services), but zero civil enforcement actions so far," says Swire. "If HHS refuses to enforce the law, then medical organizations will be less careful with patient data.... I believe that will make it harder to do the next shift towards electronic medical records."