Medical Data, Breaches of Unsecured Information, and Privacy Implications

Stanford Hospital and Clinics is the latest to report a massive breach of privacy, in which private medical information for 20,000 people was posted online and publicly available for over a year, as reported by the New York Times.

It’s worth thinking about the role of privacy, and privacy law, in terms of civil rights and the protections we can expect in regards to medical data, as well as the layered nature of the legal rules and institutions currently in place to ensure these protections.

The Health Information Technology for Economic and Clinical Health (HITECH) Act (Public Law 111-5, section 13402) was part of 2009’s federal stimulus package. The HITECH Act requires entities covered under HIPAA to report breaches of medical data privacy. “Large breaches” are those which affect over 500 individuals; “small breaches” affect fewer than 500 individuals.  The Office of Civil Rights (OCR) in the US Department of Health and Human Services (HHS) maintains records on reported breaches.

According to OCR, in 2009 more than 2.4 million individuals and in 2010 more than 5.4 million individuals were affected by losses of unsecured protected health information, “as a result of theft, error, or failure to take adequate care of protected health information.” These records reveal the “large” breaches. Since 2009, information on additional smaller breaches has also been recorded and reported to Congress by HHS. This information shows that, cumulatively for 2009 and 2010, there have been over 30,000 of these smaller breaches, affecting over 72,000 individuals.

In the case of the Stanford Hospital and Clinics, the unsecured information was held by an external vendor, a billing contractor named Multi-Specialty Collection Services. As the New York Times reports, the data, in “a detailed spreadsheet” “made its way” from the vendor “to a Web site called Student of Fortune” where it remained online for over a year.

The scope of breaches (and their causes) over a two year period, and the nature of the relationships between protected entities, contract vendors, and individual and the health records illustrate the extent to which our lives are potentially likely to become an open book, with serious consequences. The problem is multidimensional, ranging from data mining and the linkages that can be established between particular bits of data or trails of information, to inferences drawn from and discrimination based on such linkages, to the deflections practiced by government and big business (see, for example, Nothing to Hide, by Daniel Solove, and David Pozen on “mosaic theory”). The implications for our digital selves and our digital reputations are clear.

Privacy protections, in line with concomitant expansions of the security (or surveillance) state, have been in decline since at least the middle of the twentieth century. At the same time, scandals have resulted in an increase in privacy and security rules, enforcement regimes, and limits on use of information. This dialectic resides in a more recent and developing tension resulting from a sort of “critical mass” of government and business surveillance, as well as more active executives that have emerged out of events like September 11 (2001) in the US and July 7 (2005) in the UK.

Health record data losses due to theft, error, or failures of organization policy and security protocols may seem at a glance to be distant from government intrusions, and minor compared with the rhetoric of global terror threats. However, coupled with issues including inadequate vetting of contract relations, corporate misfeasance, and the relatively easily accessible information held by data brokers (such as Acxiom, for example), there seems to me to be obvious implications for larger scale intrusions and violations built up from the mosaic of data bits available in our sociotechnical universes, and the connections that may drawn between them.

 

-asc..

More on Web 2.0 and constitutional movements

As a follow up to our earlier posts about Iceland's experiment with web 2.0 in constitution-making, here is an article that traces out the role of social media in the Arab Spring (specifically in Tunisia and Egypt).  An here is a second article that summarizes that first one, and puts it into the larger debate over the role of social media in contentious politics.  For people interested in that issue, another blog (the Monkey Cage) has begun to collect a bibliography of research on social media and protest, here.

ERD

“Riots” and Constitutional Consequences in England

We’ve all heard about, and perhaps seen footage of, the crisis events that took place in London and other English cities during the second week of August. Some call these events “riots” (see, for example, here, here, and here); others call them insurgencies (see, e.g., here, and many writings in the blogosphere). However we represent these events and those involved, they have provoked some serious constitutional consequences.

First, the criminal justice and judicial responses were rapid, unprecedented, and “wholly disproportionate.” Mass arrests resulted in over 2000 individuals taken into custody, and over 800 of these processed through courts sitting through the night in order to clear dockets (see here and here for statistical and demographic data).

Second, local governments, including Manchester City Council and Wandsworth Council, announced evictions from council housing (i.e. housing subsidized by councils) not only of those arrested as looters or rioters, but of their families as well (see here, here, here, and here; as well as here for one mother’s response to the terrible choice to allow her son to be arrested in lieu of eviction). Additionally, Councils, the press, and politicians at all levels have called for social benefits to be stopped in these cases.

Third, the national political response has been a torrid appeal to authoritarian measures in addition to criminal and judicial sanctions. Following the recall of Parliament from summer holiday (with many parliamentarians apparently returning at public expense), Prime Minister David Cameron deployed new powers to the police to remove the face covers of suspected “rioters.” He also authorized police use of rubber bullets, and the placing on “permanent standby” of water cannon, for use against violent disorder, a solution that has never before been used in London. Somewhat less aggressive measures have also been announced, including the shutdown of social network sites during times of “unrest,” and consideration of expanded curfew powers. (For details see, for example, here, here, and here; and for video of Cameron’s statement in Parliament, see here).

Fourth, the role of the press has been untoward to say the least. Many journalists and outlets have been acting as “agents provacateurs,” , ginning up a vengeful response and vilifying protesters, “rioters,” their families, and those who call for a more moderate and thoughtful response. These actions recall the “moral panics” of the 1970s and 1980s (see bibliographic sourses below). The moral panic, phrased as a “broken society” and as “moral decay,” is the baseline for David Cameron’s analysis of the events and the appropriate political-legal response.

This, then, is what English “justice” looks like in the wake of these events, and for many it does not resemble the comely and reliable common law of English identity. A society accustomed to images of bewigged and careful magistrates reasoning through logic, precedent, and context, is now witnessing what may look very like the lynch mob and summary responses. Circumventions of procedure, in the case of the evictions, and the looming likelihood of a new cohort of evictees being forced into homelessness and destitution are causing some to blanch, even in the political establishment. Conflicts between, on the one hand, the (il)legalities of the judicial and governmental responses; and, on the other, the duties of human rights law, are provoking virulent reaction. Human rights laws are, in fact, being ignored at beast, and assailed at worst, with some politicians, including Cameron, already calling for the repeal of the UK Human Rights Act (1998). All of this is being done in the name of “English freedoms” and the affirmation of “core values.” It seems an anti-heroic and regressive response, at least, and one might wish to remark the absence in the substantial majority of press writings, political rhetoric, and talking points of due consideration of the originary event (the shooting by police of an unarmed young man of color) and of the role played by the history and experiences of poverty, marginalization, and exclusion in England its urban centers.

 

Bibliographic sources:

Cohen, Stanley, 2011. Folk Devils and Moral Panics. Routledge. (originally published in 1972).

Hall, Stuart, et al., 1978. Policing the Crisis. Macmillan.

 

-asc..