DATA BREACH: UNFORTUNATE, BUT NOT UNFORESEEABLE
Our state’s Prescription Monitoring Program (PMP) recently suffered a data breach. It appears that the private prescription information of at least 34 patients was accessed by an unauthorized person for unknown reasons. Perhaps identity theft is involved, but there could be other motives, including identifying potential people to steal drugs from, simple snooping, or even blackmail. At a minimum, the privacy of these patients has been invaded.
Of course, such data breaches are far too common these days, affecting organizations large and small, across all industries and governments. This year alone, there have been close to 600 such breaches—affecting over 20,000,000 records—according to the Privacy Rights Clearinghouse, and that almost certainly is an incomplete list. So perhaps we should cut the PMP some slack, and accept breaches as inevitable.
Or not. The ACLU submitted comments multiple times while the program and its regulations were in development, suggesting several items that are directly relevant to this breach. We specifically warned about the possibility of “authorized” medical personnel using the system to snoop on patients. Regrettably, the PMP chose not to follow any of our suggestions.
While the ACLU-WA opposed adoption of the program, once it became clear that the program was moving forward we sought to limit the damage to privacy. Here are the relevant provisions we recommended—and continue to recommend—to prevent future breaches, or to mitigate the harm from them:
1) Authenticate physicians before allowing access. It appears that the PMP allows online creation of a physician account by simply entering a little information about the physician—and that information is not hard to obtain. As best we can tell, this breach was caused by an unauthorized person claiming to be a physician and creating an account. Better authentication would avoid such a problem. The PMP could either require more identifying information that is harder to obtain or, better yet, require a two-step process whereby the physician initially sets up an account but does not gain access until the PMP sends a confirmation and temporary password to an address (physical or email) the state already has on file for the physician.
2) Require physicians to demonstrate a physician-patient relationship before providing information. The PMP allows any physician to obtain information on any patient in the state, whether or not the physician has a relationship with that patient. This is an invitation to snoop. Although it’s not clear from the announcement of the current breach, it is quite possible that the patients affected were not actually patients of the physician whose identity was used to set up the account. If a physician-patient relationship needed to be demonstrated, there would be much less value in hijacking a physician’s account, since that would still give access to information on only a limited number of patients.
3) Require detailed audit logs for each instance of access. The PMP chose not to include a requirement for audit trails in the regulations. It would appear that the PMP has some level of logging, which may have helped detect this breach. But whatever auditing exists apparently doesn’t extend to recording all accesses to personal information, or the PMP would be able to determine exactly whose information had or had not been examined. We believe complete audit logs should be required, both to deter wrongdoing and to determine the exact extent of any inappropriate access. Furthermore, those logs should be available to any patient, so the patient can determine whether somebody other than one of their own physicians has accessed the patient’s records.
4) Specify strong penalties for misuse. The statute that created the PMP provides an unspecified “civil penalty” for improper use. Unfortunately, the PMP chose to limit its penalties to termination of an improperly used account and filing a complaint with health authorities. Neither of these sanctions is particularly meaningful to the wrongdoer in the current case, who is likely not a physician. Nor do they provide any compensation to the people whose privacy was invaded. We urged the PMP to instead clarify the “civil penalty” in its regulations, providing a strong penalty for misuse and allowing patients to independently sue a wrongdoer for damages. That would help deter wrongdoers, and also allow aggrieved patients to receive some compensation if their information was improperly accessed.
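To make recommendations 2 and 3 concrete, here is an added illustration (not code from the PMP or the ACLU) of what a complete access log plus a registry of physician-patient relationships lets an operator answer after an account is misused: exactly whose records were examined, which accesses had no treating relationship behind them, and who looked at a given patient's record. The log entries, account names and relationship registry are constructed sample data.

```python
from collections import defaultdict

# Constructed audit records (not real PMP data): one entry per read of a
# patient's prescription history, recording which account read which patient.
AUDIT_LOG = [
    {"ts": "2011-10-03T09:12:00", "account": "dr_smith", "patient": "P-1001"},
    {"ts": "2011-10-03T09:15:00", "account": "dr_smith", "patient": "P-1002"},
    {"ts": "2011-10-04T22:41:00", "account": "dr_jones", "patient": "P-1001"},
    {"ts": "2011-10-04T22:43:00", "account": "dr_jones", "patient": "P-3001"},
    {"ts": "2011-10-04T22:44:00", "account": "dr_jones", "patient": "P-3002"},
    {"ts": "2011-10-05T10:02:00", "account": "dr_jones", "patient": "P-2001"},
]

# Constructed registry of documented physician-patient relationships
# (recommendation 2): the only patients each account may look up.
TREATING = {
    "dr_smith": {"P-1001", "P-1002"},
    "dr_jones": {"P-2001"},
}


def accesses_by_patient(log):
    """Map each patient to the accounts that read their record, in order,
    so a patient can see whether anyone besides their own physicians looked."""
    seen = defaultdict(list)
    for entry in log:
        seen[entry["patient"]].append(entry["account"])
    return dict(seen)


def affected_patients(log, account):
    """Exact set of patients whose records one account examined; a complete
    log (recommendation 3) is what lets the operator state this after a breach."""
    return {e["patient"] for e in log if e["account"] == account}


def unauthorized_accesses(log, treating):
    """Entries where the account has no documented relationship with the
    patient; each is either a policy violation or a sign of a hijacked account."""
    return [e for e in log
            if e["patient"] not in treating.get(e["account"], set())]


if __name__ == "__main__":
    for e in unauthorized_accesses(AUDIT_LOG, TREATING):
        print(f"{e['ts']} {e['account']} read {e['patient']} with no treating relationship")
    print("patients examined by dr_jones:",
          sorted(affected_patients(AUDIT_LOG, "dr_jones")))
```

Without the relationship registry, the last function cannot be written at all; without a log of every read, the second one can only guess, which is the position the PMP appears to be in now.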
Let’s hope that the Prescription Monitoring Program will now take a closer look at not only computer security, but the entire framework of access to this sensitive medical information. Although 34 patients have already been harmed, there is still the opportunity to make the changes the ACLU has long advocated for and protect thousands of other patients.