
Sunday, March 16, 2008

Naughty UCLA employees peek at Britney's medical information

The LA Times is reporting that UCLA Medical Center employees were caught "peeking at" Britney Spears' medical records when she was recently hospitalized in their psychiatric unit.

I wonder if a total lack of privacy might be one of the underlying reasons Britney was admitted to this particular unit?

Charles Ornstein reports:

UCLA Medical Center is taking steps to fire at least 13 employees and has suspended at least six others for snooping in the confidential medical records of pop star Britney Spears during her recent hospitalization in its psychiatric unit, a person familiar with the matter said Friday.

In addition, six physicians face discipline for peeking at her computerized records, the person said.

The article states that this was the second time Britney's records were compromised at the UCLA Medical Center.

UCLA used stronger verbiage when reporting that their computer records were compromised in December of 2006.

As reported at the time by UCLA's Office of Public Relations:

UCLA is alerting approximately 800,000 people that their names and certain personal information are contained in a restricted database that was illegally and fraudulently accessed by a sophisticated computer hacker.

It should be noted that "illegally and fraudulently accessed" and "computer hacker" are stronger terms than "peeking" and "snooping." Maybe this is because the hacker is an outside entity and we can speculate they had a financial motivation when accessing information they weren't supposed to?

As long as we are speculating -- let me bring up another point -- which is that there are a lot of people obviously making a lot of money from the Britney Spears saga. Her personal medical details might be worth a lot of money to the people I'm referring to.

Recently, it was reported that People Magazine paid $4 million for the first pictures of Brad Pitt and Angelina Jolie's baby. Maybe a little privacy was one of the reasons they went to a remote place in Africa to have the baby?

Now I'd better get back to the larger problem we face from too much information being stored in too many (not very secure) databases.

The problem is that with so many databases out there -- coupled with all the publicly disclosed data breaches -- tracking any one case of a person's information being compromised is nearly impossible.

Just ask anyone who has actually investigated a case of identity theft. Most of the time, the best that can be done is to speculate where the information was actually compromised.

At this point in the game, a lot of people have been compromised in more than one location.

I would also speculate that there are an even greater number of data breaches out there that no one knows about. My guess is that the people who steal information would prefer to remain anonymous. Transparency has never been in the best interest of information thieves.

This brings up another problem that ties into this, or what is known as medical identity theft. While medical identity theft hardly ties into Britney Spears getting her information "peeked at," it has become a huge problem. The tie would be the ease with which naughty employees, with no business looking at it, were able to do so.

In the end, UCLA is a highly respected institution. They do seem to care that this happened and are taking the standard measures to prevent it from happening again. The problem here is that time and time again, it appears that some of these measures don't work very well.

The bottom line is that if things like this can happen at a respected institution of higher learning's medical center, it's probably happening at more places than we realize!

Speaking of this happening at more places than we realize, it was recently reported (3-12-08) that Harvard is one of the latest institutions to be victimized by a data breach.

As long as we rationalize things away by using terms like "peeking," I doubt the problem is going to get fixed in the near future. UCLA is probably only following standard data compromise protocol. Read the press releases after any compromise of data and there is a lot of rationalization and speculation.

This probably means we need to do a little less rationalizing and go beyond mere speculation when addressing what has become a serious issue. This will entail taking a hard look at the core reasons this keeps happening, one of which is an ever-increasing lack of privacy in the world today.

If you would like to see why UCLA isn't the only one who has had a problem with this issue, Attrition.org and PogoWasRight do a great (transparent) job of reporting the known spectrum of the problem.

If you want to read more about medical identity theft, the World Privacy Forum is an excellent resource.

Saturday, November 03, 2007

Does anyone really know how much information was lost by TJX?

About a week ago, I saw that the number of compromised records in the TJX data breach had doubled.

Interestingly enough, the allegation that the number of compromised records had risen from 45 to 90 million wasn't brought forward by the folks at TJX. This new revelation was reported by the banking industry. They also reported at least $151 million in fraud losses have been associated with the breach.

This isn't the first time in recent history that the estimate of losses has risen dramatically. The Certegy breach jumped from 2.3 to 8.5 million records compromised. The media caught on to this increase as the result of an SEC filing.

Since this was part of an ongoing civil case against TJX, the people revealing it have a powerful motivation to prove their point. TJX is still claiming that most of the information stolen was masked (hidden by asterisks), or had expired.

The $151 million in fraud losses startled me slightly since I had only seen one story about the information actually being used reported in the press. I'm referring to 6 people arrested in Florida who went on a million dollar shopping spree and were later caught.

After doing a Google News Search, I was able to find one more story about a Ukrainian individual who was caught in Turkey trying to sell some of the data.

In the Boston Globe story I read about this, both the card issuers and TJX dodged Ross Kerber's attempts to quantify some of the more recent estimates of loss being made.

I wonder if, in data breaches, anyone really knows, or if all the parties involved put out whatever version of the facts suits their own interest in the matter?

The fact that some of the people investigating the TJX debacle have now doubled their estimate of the amount of records compromised lends credence to this theory. Of course, that depends on which version of the story you want to take as gospel.

It's unlikely the hackers (who might know the most accurate figure) will ever admit to it, either. Doing so would incriminate them, and besides that, it probably isn't good for the business they are in. When a data breach is discovered, the fact that they have stolen the information is made public and it is (from their standpoint) compromised.

In fact, from the criminal's perspective (my speculation), the most profitable information they have is data no one knows they've stolen yet. I'd be curious to discover exactly when all this fraud occurred. Did it occur after the breach was made public, or before it?

Perhaps that is why very little of the information from data breaches seems to be used? Quite simply, it probably has little value to the criminal element, once everyone knows it's been compromised.

If you were an identity thief, would you want to buy any of the information from the TJX data breach? The bottom line is that it would probably be dangerous to use, and it likely wouldn't even pass muster in most of the payment card authorization systems.

After all -- knowingly using it would probably make them a statistic -- or one of the less than one-percent of identity thieves that get caught.

There is no doubt that there is a lot of personal and financial information being made available to criminals. Routinely, we see stories where the information is sold (e-commerce style) over the Internet.

The number of known sources where data has been stolen has gotten out of hand, also. The Privacy Rights Clearinghouse, Attrition.org and PogoWasRight all are making a valiant attempt to keep records of the known data breaches -- but with the lack of transparency in most of these data breaches -- it's unlikely they are going to be able to document the full scope of the problem.

There are probably many more data breaches out there that go unreported, or the entities who were breached have no idea that they occurred.

Until we start going after the source of the problem (the criminals), the problem of data breaches and identity theft will continue to grow. As we continue to bury our heads in the sand and minimize the problem, the criminals doing this will likely be laughing all the way to the bank!

Boston Globe article about the new statistics in the TJX breach (well-written), here.