Jackson case raises new privacy fears

In the days before Michael Jackson’s death certificate was made public, only a few people had legitimate reason to view the file in the state’s password-protected database.

Even after the document was released, access was supposed to be limited to authorized staffers.

But by the first week in July, the pop star’s records had been viewed more than 300 times, said Craig Harvey, the chief coroner’s investigator.

On Friday, Los Angeles County Sheriff’s Department officials launched an investigation into whether coroner’s employees leaked or sold confidential information related to Jackson’s case after The Times reported that at least half a dozen employees had improperly viewed his death certificate online.

Coroner’s officials also told The Times that they had discovered weaknesses in two other computer systems that hold sensitive investigation records but said they had fixed the vulnerabilities and do not believe unauthorized people had accessed reports.

Los Angeles County supervisors, who asked the sheriff to investigate, are also calling for the county auditor, who had already launched an unrelated audit of the coroner’s office, to specifically examine possible leaks.

“We need to get that environment under control,” Supervisor Mark Ridley-Thomas said.

With the final autopsy results still pending for Jackson, who died June 25, the high media attention surrounding the case has raised a new round of questions about safeguarding celebrities’ electronic records.

Even before reports surfaced of unauthorized views of Jackson’s death certificate, supervisors had expressed concern about possible leaks at the coroner’s office after seeing detailed reports about the Jackson case in tabloids.

Coroner’s officials had reassured supervisors during a private meeting earlier this month that the information did not come from their office.

In addition to a criminal inquiry, state health officials who oversee the Electronic Death Registration System said they were looking into whether coroner’s employees should be sanctioned.

“We have not decided what sorts of actions might be taken,” said Ken August, a spokesman for the California Department of Public Health.

It remains unclear who beyond the coroner’s office may have accessed the records and whether such use was appropriate.

August said it was too early for him to say how many people inappropriately viewed Jackson’s death certificate or where they worked, but said he had no indication of “widespread, inappropriate access.”

Harvey said he could not comment about who might have accessed the Jackson death certificate other than his staff.

Harvey also said he could not comment on how the coroner’s office monitors the system’s security, calling it “a personnel matter.”

Supervisors have issued warnings to employees who viewed the Jackson file improperly, in accordance with county civil service discipline guidelines for first-time offenders, Harvey said.

August said state officials have not increased security for the electronic records system in response to the high interest in the Jackson case.

“We need to learn more about who accessed the records and what they did with them,” he said.

August said that since death certificates eventually become public -- as Jackson’s did July 7 -- the breach was of less concern than recent cases of hospital employees reviewing confidential patient medical records.

“The law looks at death records in a different way than the law looks at hospital records,” August said.

was created in 2005 and can be accessed only by those with state-issued passwords.

More than 4,800 employees at coroner’s offices, funeral homes, hospitals and county and state registrar’s offices are authorized to use the system.

But not all of them would have had access to Jackson’s record, state officials said.

Access is restricted based on a user’s location and job. For instance, funeral home and hospital employees can generally access death certificates handled only by their office.

Coroner’s and county registrar’s employees are restricted to deaths that occurred in their county.

State registrar employees would have access to the entire system.

The issue of unauthorized people looking at the electronic records of celebrities has vexed the state. California health regulators fined Kaiser Permanente’s Bellflower hospital $437,500 this year for failing to prevent employees from snooping in the medical records of Nadya Suleman after she gave birth to octuplets.

It was the first such fine under a state law enacted last year after widely publicized violations of patient privacy at UCLA Medical Center involving Farrah Fawcett, Britney Spears, California First Lady Maria Shriver and other celebrities.

Of the 23 Kaiser employees who improperly accessed medical records, 15 were fired or resigned.

Privacy experts say that California officials have tightened loopholes in the law concerning private records but need to be more aggressive in both monitoring use and enforcing penalties.

“If you really want to tell the people who work for you how serious it is for them and confidentiality is key for their jobs, there really ought to be a zero-tolerance policy,” said Deven McGraw, director of the Health Privacy Project at the Center for Democracy & Technology, based in Washington and San Francisco. “They knew what they were doing was wrong.”

--

molly.hennessy-fiske@latimes.com