Coroner reports breach of security

Los Angeles County coroner’s officials said Wednesday that they have discovered security breaches involving the investigation into Michael Jackson’s death, including hundreds of improper views of the pop star’s death certificate and the discovery of weaknesses in two other computer systems in which more sensitive records are stored.

At least half a dozen staff members inappropriately accessed Jackson’s death certificate, officials said. Within two weeks of his death June 25, the certificate had been viewed more than 300 times. The document was not released publicly until July 7.

In some cases, coroner’s staff appear to have printed copies before it became public. This month, coroner’s officials warned employees to cease in an e-mail reviewed by The Times.

“There’s only one person in the investigation of Mr. Jackson who needed to have a copy of the death certificate, and that was the investigator,” said Craig Harvey, chief coroner’s investigator.

Harvey called any access of the Electronic Death Registration System for personal use “not appropriate.”

In a July 9 e-mail, a coroner’s captain told staff that future abuses of the system would result in disciplinary action. Employees were told they could look up cases “strictly in the performance of your official coroner duties,” the e-mail stated. Staffers who had printed copies of the death certificate were advised to destroy them.

Harvey, who said the e-mail was sent at his direction, learned that employees were inappropriately accessing Jackson’s death certificate after he received a tip alleging that a funeral home employee had created a fake death certificate for Jackson in the computer system.

Death records in the Electronic Death Registration System can be accessed by anyone with a state-issued password, including employees at coroner’s offices, funeral homes, hospitals and the county and the state registrar’s office. Passwords are supposed to be changed every 60 days and users agree to “ensure the integrity, security, and confidentiality” of the records.

No fraudulent death certificate was found, but Harvey did discover that employees who had no role in the investigation had looked at Jackson’s record. Harvey said he has not contacted any law enforcement agency about the employees’ actions, saying he believed that internal rules, and not any laws, had been broken.

A spokesman for the California Department of Public Health, which oversees the computer system, said his agency plans to contact L.A. County officials today after reading about the incidents on latimes.com.

“We would want to investigate and determine whether there had been a violation of the user agreement,” said Ken August, a department spokesman based in Sacramento.

Coroner’s officials in L.A. said they also grappled with security concerns about two other password-protected computer systems that hold the active investigation files on Jackson’s death.

Typically, such reports can be called up by investigators and other employees with system passwords. In Jackson’s case, however, access was supposed to have been restricted from the start to a small number of high-ranking administrators. Harvey said the hard copy of the investigation file was stored under lock and key.

After the investigation started, officials discovered vulnerabilities in the computer systems that might have allowed employees unauthorized access, Harvey said. He declined to say what those weaknesses were.

“We took extra steps to plug those holes,” he said.

Despite the discovery, Harvey said he had no indication that the investigation records had been viewed by unauthorized personnel. He also said he had no reason to believe any confidential coroner’s information had been leaked or sold to the media.

“Not a chance,” he said. “This thing was locked down, and only a limited number of people had keys.”

Harvey said he believed the employees who viewed the death certificate did so with no ill intent.

“I think it was out of curiosity,” he said, calling the breach “an anomaly” and “an isolated incident” due to the attention the Jackson case has drawn.

“In my 23 years at the coroner, I have never seen anything to compare to the level of interest, inquiry and attempts to get information,” Harvey said.

--

molly.hennessy-fiske@latimes.com