Hacker Targets Files at Medical Center

From Washington Post

A hacker gained access to confidential medical information at the University of Washington Medical Center, using the Internet to download thousands of files containing patient names, conditions, home addresses and Social Security numbers, hospital officials said.

The break-in is one of the most penetrating breaches of medical privacy in memory. Specialists say it demonstrates the increasing vulnerability of confidential records as the health-care system rushes to computerize files and make them available via computer networks.

Working through a publicly available Web site, the intruder planted a software program to sniff out passwords for the school’s sprawling internal network. Then he assumed the identity of a legitimate computer user and tapped into two databases containing 4,000 or more patient records in May and June.

University officials in Seattle said Friday that they first determined that the center’s computers had been invaded in late June, but weren’t sure any electronic records had been taken until late Thursday, after a reporter sent them a copy of one record.

“I don’t think anything is secure anymore,” said John Carter, 60, of Kent, Wash., a heart-transplant patient and victim of the intrusion. A copy of his record contains details about medical procedures, his Social Security number, his height, weight and date of birth. “It’s nobody’s business unless I choose it to be someone’s business,” Carter said.

Edwin Gould, another heart patient whose records were accessed, said he worries that some people might lose their jobs or insurance if their conditions became public. “Sometimes the consequences of having your medical records revealed could cost you a great deal,” said Gould, 65, of Seattle. “It’s really bothersome to feel that there’s so little security.”

The hacker was motivated by a desire to publicize weak security at the hospital, not by any intent to sell or misuse the records, said the online journalist who first disclosed the incident this week.

The hacking incident also underscores how fragile data protections become when people with little training in security link computers or networks containing sensitive records to the Internet. Officials at the medical center acknowledged that the hacker exploited just this kind of arrangement.

They described the case as a criminal act and on Thursday referred it to the FBI.

Tom Martin, the director of information systems at the medical center, acknowledged that poor security procedures and the growing nexus of databases there made the intrusion easier for the hacker.

Martin said a Web site in the health-sciences department of pathology, which served as the platform for the hacker, previously had about as much security as a computer dedicated to history or literature, even though it was linked to databases containing patient records. The university has improved security, Martin said, but challenges remain.

“Your whole network security is only as good as its weakest link,” said Martin. He added that before the improvements, the center’s network was like “a party line” that allowed the hacker’s computer program to lie in wait for passwords and user names. Now the system does a better job of blocking access to unauthorized users, he said.

“We need to continue to be vigilant about this, because the types of technologies change and so do the types of attacks,” Martin said.

Janlori Goldman, director of the health privacy project at Georgetown University, said the episode shows that the health-care system should slow down its use of computerized records.

“Right now we’ve got a huge push to put patients’ medical records online so that doctors, hospitals and health plans can quickly and cheaply share information,” Goldman said. “It is irresponsible to go forward without strong and enforceable privacy and security laws, which we don’t have at the federal level yet.”

New federal rules governing the security and privacy of electronic medical records have been mandated by Congress but won’t take effect until 2003.

The computer break-in was made public Wednesday by Kevin Poulsen, an online journalist who has served time in prison after pleading guilty to computer crimes.

He described the man he says broke into the medical center’s files as a 25-year-old security expert from the Netherlands who uses the name Kane. He declined to provide additional details, but said the hacker approached him, through intermediaries, a little more than a week ago.