Hello GovernmentCare, goodbye personal privacy

June 8th, 2009 Rob Douglas

Dissent, over at PHIPrivacy.net, posted a link to Hello GovernmentCare, Goodbye Personal Privacy by Warner Todd Huston today.  The subtitle to the piece is, “A vote for Obamacare is a vote to give away your personal, private medical information.” 

In addition to the increased risk of medical identity theft that the rush to government controlled health care and the mandate for electronic health records will bring as previously noted on this blog, there are significant privacy issues that are not currently being addressed sufficiently.  Huston’s piece examines a portion of that concern.  Here’s the start of the commentary:

Do you want your government to know that you have bowel troubles? Do you mind if the president can discover if you have erectile dysfunction? Would you be out of sorts if your local Congressman could discover if you’d had an abortion? How about if your state comptroller’s office or your governor could discover if you’d had breast implants? Well, a vote for Obamacare is a vote to give away your personal, private, maybe embarrassing medical information.

Do you think this is a silly claim? Well, don’t. In the newly released Obamacare plan, section 3102 titled “Financial Integrity” makes provision for state and federal governments to be able to investigate any medical care provider at any time. This provision gives government the right to look at any record that a doctor has in his files and that means your private medical information. Worse, they may do so without court approval, without a warrant, with no cause stated.

Please read the full piece and think about the path this country is headed down when the government takes over health care.

Posted in Data Breach, ID Theft, Identity Theft, Medical Identity Theft, Privacy, electronic health records, information security, news

NJ Supremes block Social Security numbers

April 29th, 2009 Rob Douglas

In a small but significant victory in the battle to regain control of Social Security numbers, the New Jersey Supreme Court ruled this week that a data broker seeking 8 million pages of real estate documents is not entitled to the Social Security numbers contained within the documents and that the broker must pay for the redaction of the numbers from the documents.

Showing an appropriate level of sensitivity to the increased threat of identity theft associated with the unwarranted distribution of Social Security numbers, the Chief Justice of the Court specifically cited the possibility of identity theft in the written opinion.

According to the New Jersey Star Ledger:

The court unanimously agreed that the documents, requested by a business that wants to sell electronic access to this information, are public records under the state’s Open Public Records Act. But it stressed some of the personal information, if released, would hurt residents.

“The request was made on behalf of a commercial business planning to catalogue and sell the information by way of an easy-to-search computerized database. Were that to occur, an untold number of citizens would face an increased risk of identity theft,” Chief Justice Stuart Rabner wrote for the court.

Bergen County officials called the decision a victory for all New Jersey residents concerned about identity theft.

“While the public has a right to public records, the public also has a right to privacy of personal information,” said County Executive Dennis McNerney.

In my opinion, the court has struck the correct balance between satisfying the public’s right to know as codified in the Open Public Records Act, while also protecting the privacy of personal information that can be used by identity criminals. 

It is refreshing to see that courts across the country are taking the threat of identity theft – resulting from personal information contained within public documents – seriously.  This is a great trend that has been slowly developing over the last ten years.

May that trend continue.

Posted in ID Theft, Identity Theft, Privacy, SSN Identity Theft, information security, news

FTC Proposes EHR Breach Rule

April 20th, 2009 Rob Douglas

The Federal Trade Commission announced that it has approved a Federal Register notice seeking public comment on a proposed rule that would require entities to notify consumers when the security of their electronic health information is breached.

The American Recovery and Reinvestment Act of 2009 (the Recovery Act) includes provisions to advance the use of health information technology and, at the same time, strengthen privacy and security protections for health information. Among other things, the Recovery Act recognizes that there are new types of Web-based entities that collect or handle consumers’ sensitive health information. Some of these entities offer personal health records, which consumers can use as an electronic, individually controlled repository for their medical information. Others provide online applications through which consumers can track and manage different kinds of information in their personal health records. For example, consumers can connect a device such as a pedometer to their computers and upload miles traveled, heart rate, and other data into their personal health records. These innovations have the potential to provide numerous benefits for consumers, which can only be realized if they have confidence that the security and confidentiality of their health information will be maintained.

To address these issues, the Recovery Act requires the Department of Health and Human Services to conduct a study and report, in consultation with the FTC, on potential privacy, security, and breach notification requirements for vendors of personal health records and related entities. This study and report must be completed by February 2010. In the interim, the Act requires the Commission to issue a temporary rule requiring these entities to notify consumers if the security of their health information is breached. The proposed rule the Commission is announcing today is the first step in implementing this requirement.

In keeping with the Recovery Act, the proposed rule requires vendors of personal health records and related entities to provide notice to consumers following a breach. The proposed rule also stipulates that if a service provider to one of these entities experiences a breach, it must notify the entity, which in turn must notify consumers of the breach. The proposed rule contains additional requirements governing the standard for what triggers the notice, as well as the timing, method, and content of notice. It also requires entities covered by the proposed rule to notify the FTC of any breaches. The FTC can then post information about the breaches on its Web site, and notify the Secretary of Health and Human Services.

The Commission vote approving issuance of the Federal Register notice was 4-0. The notice will be published in the Federal Register shortly, and is available now on the FTC’s Web site as a link to this press release. Public comments are being accepted through June 1, 2009, after which the Commission will issue a final interim rule. To file a public comment, please click on the following link: https://secure.commentworks.com//ftc-healthbreachnotification and follow the instructions at that site.

Text of the Federal Register Notice.

For more see the FTC’s web site.

Posted in Data Breach, Identity Theft, Medical Identity Theft, Privacy, Security Breach, electronic health records, information security, news

Leibowitz Pushes for Privacy

March 17th, 2009 Rob Douglas

FTC Chairman Jon Leibowitz told a data security workshop on Monday that the United States and other countries must “move beyond the ‘we agree to disagree’ approach” to securing consumers’ sensitive information in the global marketplace. Such harmony among nations, which have varying privacy rules and regulations, is “not beyond our reach,” Leibowitz said, pointing to the Organization for Economic Cooperation and Development’s 1980 privacy guidelines and a set of security guidelines adopted by the group in 2002. “Without adequate data security there really is no privacy,” he said.

Corporations must protect their back doors from hackers, malware, spyware and other high-tech intrusion mechanisms and protect their front door by properly storing and disposing of consumers’ data, Leibowitz said, noting that the FTC is “not shy about knocking on anyone’s door.” Since 1999, the agency has brought a number of cases alleging that companies failed to protect data, including a settlement this month with a consumer reporting agency that failed to properly screen prospective customers and, as a result, sold at least 318 credit reports to identity thieves.

See the full report at National Journal Online.

Posted in Credit Report, Data Breach, ID Theft, Identity Theft, Malware, Privacy, Security Breach, Spyware, cybercrime, hack, information security

Web Privacy is Big Issue

March 16th, 2009 Rob Douglas

As arguments swirl over online privacy, a new survey indicates the issue is a dominant concern for Americans.

More than 90 percent of respondents called online privacy a “really” or “somewhat” important issue, according to the survey of more than 1,000 Americans conducted by TRUSTe, an organization that monitors the privacy practices of Web sites of companies like I.B.M., Yahoo and WebMD for a fee.

When asked if they were comfortable with behavioral targeting – when advertisers use a person’s browsing history or search history to decide which ad to show them – only 28 percent said they were. More than half said they were not. And more than 75 percent of respondents agreed with the statement, “The Internet is not well regulated, and naïve users can easily be taken advantage of.”

See the full report at The New York Times.

Posted in Data Breach, Internet Security, Privacy, information security

Data Breaches 100 Times Worse Than Believed

February 25th, 2009 Rob Douglas

Public opinion and debate have been intense over government economic recovery spending, estimated to exceed one trillion dollars. Yet few appreciate that the cost of sensitive consumer information that is lost, stolen or inappropriately accessed exceeds a trillion dollars annually.

Dr. Joseph Campana, author of a new data breach study, said, “We pay for information losses in higher prices, higher taxes, requests for more donations as well as through the personal inconveniences and costs of dealing with identity theft and privacy violations when our information is misused.”

The three major sectors — private, public and volunteer — were considered in the comprehensive data breach study released today by J. Campana & Associates. Breaches were analyzed by sector and subsector with respect to sector populations, breach incidents, profiles compromised, breach types, sources of breaches, and other key characteristics.

The Private Sector makes up 94% of all enterprises in the U.S., and the study reports it accounts for 37% of the reported incidents. In contrast, the Public Sector makes up less than 1% of all U.S. enterprises, yet it accounts for 55% of all breaches.

According to the study, the disparity can be explained by examining who is reporting the data breaches. Generally, large and medium size organizations are doing almost all of the reporting. Few reports are made by small organizations.

For example, the smallest units of local government comprise more than 90% of government yet this subsector only reported one breach in four years. Either most small organizations do not handle sensitive information, they have exemplary information security or they are not detecting or reporting data breaches.

Campana shared an anecdote: “A town manager told me if it comes down to information security or potholes, I’m filling potholes because that’s what taxpayers call me about; fixing potholes will get me re-elected.”

Mega Breaches accounted for less than 2.5% of the 1,100+ breaches considered over the study period, yet they accounted for 85% (230 million) of all the profiles compromised. Campana says, “These are alarming but scarce events, which should not be viewed as average data breaches by the public. We need to be as or more concerned about what an average breach looks like and how to prevent them. There are more of them, and they can and will go undetected unless they are addressed.”

See the full report at emediawire.com.

Posted in Data Breach, ID Theft, Identity Theft, Privacy, Security Breach, hack, information security

Feds Propose Storing Internet User Data for 2 Years

February 21st, 2009 Rob Douglas

In the name of combating child pornography, federal lawmakers are proposing that internet users’ online surfing habits be retained for two years.

The so-called “Internet Stopping Adults Facilitating the Exploitation of Today’s Youth Act of 2009,” or SAFETY Act, was floated in both the House and Senate on Thursday.

Among other things, it demands: “A provider of an electronic communication service or remote computing service shall retain for a period of at least two years all records or other information pertaining to the identity of a user of a temporarily assigned network address the service assigns to that user.”

In short, if approved, everybody from employers to ISPs to coffee shops and universities would be required to keep logs of all data associated with IP addresses assigned randomly to individual users – from e-mail logins to search queries to sites visited, legal experts said.

See the full report at Wired.com.

Posted in Data Breach, Internet Security, Privacy, Security Breach, cybercrime, information security

Security of Electronic Medical Records

February 19th, 2009 Rob Douglas

Under his recently unveiled fiscal stimulus plan, President Obama seeks to invest up to US$20 Billion in federal funds to achieve widespread deployment of Electronic Medical Records (EMRs). A principal reason for his initiative is to improve our nation’s health care system by reducing long term costs and increasing effectiveness of our health outlays. So what exactly is an Electronic Medical Record and what does this new direction mean for security and privacy professionals?

See the full story at Computerworld.com.

Posted in Data Breach, Identity Theft, Medical Identity Theft, Privacy, Security Breach, information security

Obama’s Electronic Health Records Initiative and ID Theft

February 18th, 2009 Rob Douglas

The Institute for Health Freedom (IHF) is warning the public that the economic stimulus bill mandates the federal government to plan for each American to use “an” electronic health record (EHR) by 2014 — without opt-out or patient-consent provisions. This is a very serious breach of privacy and one I would hope will be overturned with time. Seems as though the government decided to not come up with a comprehensive plan but instead made sure that no matter what it is everyone will have to be a part of it. This would open up your complete medical records to over 600,000 healthcare providers, payment processors, and government health agencies without your consent. And no, HIPAA will not protect you from this. This kind of pervasive access to anyone’s health records screams of privacy and security concerns.

See the full report at NetworkWorld.com.

Posted in Data Breach, Identity Theft, Medical Identity Theft, Privacy, Security Breach, cybercrime, hack, information security

FAA Data Breach: 45,000 at Risk of Identity Theft

February 10th, 2009 Rob Douglas

Hackers broke into the Federal Aviation Administration’s computer system last week, accessing the names and Social Security numbers of 45,000 employees and retirees. The agency said in a statement Monday that two of the 48 files on the breached computer server contained personal information about employees and retirees who were on the FAA’s rolls as of the first week of February 2006.

The server that was accessed was not connected to the operation of the air traffic control system and there is no indication those systems have been compromised, the statement said.

“The FAA is moving quickly to prevent any similar incidents and has identified immediate steps as well as longer-term measures to further protect personal information,” the statement said. The agency said it is providing a toll-free number for employees “who believe they may be affected by the breach.”

Tom Waters, president of American Federation of State, County and Municipal Employees Local 3290, said FAA officials told unions representing agency employees at a briefing Monday that the second breached file with personal information contained encrypted medical information.

See the full report at The Associated Press.

Posted in Data Breach, ID Theft, Identity Theft, Internet Security, Privacy, SSN Identity Theft, Security Breach, cybercrime, hack, information security