Florida privacy breach leads to tighter security

CDC considers new computer security measures

A preliminary investigation of Florida’s HIV surveillance system has found that the state has written confidentiality policies and procedures that meet federal requirements. However, the Centers for Disease Control and Prevention is considering recommending nationwide changes in computer security and surveillance personnel hiring practices following a much-publicized confidentiality breach this summer.

"In light of this incident, we are looking not only at programs in Florida but also security practices across the country," says John Ward, MD, director of AIDS surveillance for the CDC.

Three months after a list of 4,000 Florida AIDS patients was either misplaced or stolen, the CDC has completed an initial on-site review of Florida’s surveillance system and is making recommendations for ways to improve existing procedures. A Florida criminal investigation of the incident is not yet complete, but what CDC officials know so far is that a computer disk belonging to a state AIDS surveillance case worker was found in the parking lot of a bar. The disk, which contained a list of the names of 4,000 AIDS patients, was copied and sent to the Tampa Tribune, which gave the disk to law enforcement authorities.

Whether the disk was stolen or simply misplaced is not yet known, says Ward. The case worker was an experienced employee who actually had written the software for the surveillance program that case workers use in their laptop computers when they go out into the field, he adds.

The timing of the confidentiality breach could not have been worse for Florida officials. After years of political battles, the state legislature passed an HIV names-reporting law that will go into effect next year. The law will require public health care providers to report the names of patients diagnosed with HIV to the state’s AIDS surveillance branch so it can better track the epidemic. Indeed, some health officials have speculated that the incident was politically motivated to postpone or thwart the law’s implementation, says Mark Magenheim, MD, medical director of the Hospice of Southwest Florida in Sarasota.

"Having thought that Florida worked very hard with all the high-tech kind of security, there are now a number of emotional responses in many people in the system," he says.

In Florida, specifically, Magenheim recalls the architectural changes his health department underwent to build a locked vault with barred windows and numerous security measures.

"Even I as the [then-health department] director couldn’t enter this room. It had a separate locked computer, locked file cabinets, and only two people were allowed inside, and both had to be in at the same time," he says.

CDC officials say the measures Florida and other states have taken to ensure security of HIV surveillance records have led, until now, to an impeccable record of keeping this information secure. Nonetheless, AIDS activists always have feared that lists of names sooner or later would get into the wrong hands. This isn’t the first breach in confidentiality, and many are concerned it will happen again.

"People in the HIV community are terrified of lists. They can’t help it, and we can’t help it," Neil Schram, MD, an AIDS physician for Southern Permanente Medical Group in Harbor City, CA, told Ward at a recent CDC meeting. "Hopefully it won’t happen again. But please understand the terror in the community when you talk about compiling lists."

With the advent of laptop computers, however, case workers have taken electronic copies of records, rather than paper copies, out during field investigations. Rather than a high-tech security failure, the incident in Florida may have been simply a low-tech case of a misplaced disk.

How to solve that problem is one of several recommendations the CDC is considering for all state surveillance systems. One solution may be to hire a computer security expert who will assist each state in changing computer security procedures, such as safebooting and removing disk drives.

Other recommendations may include:

• reductions in the number of personnel with access to surveillance records;

• changes in hiring and training personnel with access to surveillance data (i.e., requiring background checks);

• reductions in the number of electronic and paper records with patients’ names on them. The CDC has found that some county and state health offices had two or more paper copies of lists. Copies would be limited, or personal identifiers would be removed from them.