Researchers extract personal health information from computers purchased from second-hand vendors
Globe and Mail
October 5, 2007 at 6:45 AM EDT
A new study raises disturbing questions about the security of medical records that are increasingly being stored on computers.
Canadian researchers were able to extract personal health information from used computers they purchased from second-hand vendors. The computers had not been properly stripped of their data before they were resold.
"Some of the data we found was very startling - and very personal information," said Khaled El Emam, who led the study at the Children's Hospital of Eastern Ontario Research Institute and the University of Ottawa. The data included information about mental health, addictions, drug prescriptions as well as medical correspondence.
In some cases, the original owners had kept data about their own medical conditions. But in other cases, the computers were used by health care workers - including employees and subcontractors - who may have worked at home on patient files.
For the study, the researchers randomly purchased 60 used disk drives from dealers in several provinces.
They were able to retrieve data from 65 per cent of them. Of these disk drives, 18 per cent contained personal medical information, according to the study published in the Journal of Medical Internet Research.
Dr. El Emam noted that simply deleting a computer file does not actually remove the data from the disk drive. "With special software, you can recover a lot of that stuff," he warned.
That means computers used for sensitive health information should be specially encrypted to prevent the data from being easily accessed by a new computer owner.
Or the drive itself should be destroyed rather than ending up on the second-hand market.
Dr. El Emam fears a security breach could undermine the public's confidence in the health care system. What's more, it could lead to medical fraud, with people getting medical treatment using stolen insurance identification numbers.
"We really have to be sure that personal health information, especially when it is entrusted to other people, is protected and not inadvertently disclosed in this way," he said.
Source: Globe and Mail,
http://www.theglobeandmail.com/servlet/story/RTGAM.20071005.wldose05/BNStory/Technology/home