ChartOne, 3,851 SSNs+Medical Records, System Administrator

On Aug. 1, UF was notified that a computer was stolen from ChartOne, a Boston-based firm that the Health Science Center contracts with to help manage medical records. In the laptop’s database were the names, Social Security numbers, dates of birth and medical record numbers for more than 3,000 patients spread over a wide area.

According to [UF Privacy officer] Blair, the problem began in late July, when a ChartOne employee in Gainesville reported trouble with a laptop computer. The company decided to send a new laptop by United Parcel Service, and loaded it with the information from the patient database before it was shipped.

On the bright side, the systems administrator didn’t load all of ChartOne’s customers on there.
From Missing laptop impacts patients of UF physicians in

In a letter to affected patients dated Aug. 8, UF Privacy Officer Susan Blair wrote, “Although the risk for anyone gaining access to and then using this information is low, reports of identity theft are often in the news.”

I read that and am stunned. Anyone who boots the computer before selling it will find this data. Will that be found by a practitioner of America’s fastest growing crime? Will someone decide to experiment, or just read 3800 medical histories?

There’s a database, which is protected (at best) by a Windows password. There’s probably an icon on the desktop, or at the top of the start menu labelled “ChartOne Medical database.” Proposed laws give companies the power to make bad, media-driven risk assessments like this, and then decide to lie by omission.

In other encouraging news it seems that “ChartOne Automates Medical Record Requests for the U.S. Social Security Administration” (Press release, PDF).

[Finally, I meant to add that had this involved more people, it would have the potential to be a Choicepoint- or Cardsystems-scale issue. The third-party nature of the data loss by a company that patients have never heard of, combined with the nature of the data, would have turned this into a firestorm.]

Enforcement and Incentives

In “Getting Serious about Smog,” Virginia Postrel writes:

After many years of bureaucratic resistance, California is finally getting serious about air pollution from cars. These days, most cars don’t spew much pollution. But the few that do, account for a lot, and many of them still manage to pass state inspection. Now, the LAT reports, the state is rolling out a serious program to measure tailpipe emissions of cars actually on the road:

In the largest experiment of its kind in California, the South Coast Air Quality Management District plans to use remote sensors and video cameras to measure air pollution from 1 million vehicles as they enter freeways and navigate roads in the counties of Los Angeles, Orange, San Bernardino and Riverside.

If caught, the owners of the most environmentally offensive cars and trucks would receive letters informing them that the government would pay to fix or scrap their vehicles. The South Coast district estimates that 10,000 to 20,000 of the dirtiest vehicles would be detected. Smog regulators lack the authority to order drivers to dump dirty cars, but they can offer incentives…

So, if they can offer incentives, why don’t they? Why are they building a surveillance infrastructure that will monitor all cars, and be “repurposed to fight terrorism” within a few years? (If you think that’s a good idea, fine, we can discuss. But this will turn out to be a bait and switch.)

There’s a tendency amongst government agencies to tend towards the draconian solution, even when offering incentives might be cheaper, more efficient, and more freedom-loving. To catch 20,000 cars, they’re going to be monitoring 980,000 others. Why not take the money to do that monitoring, to do the roadside analysis, etc, and spend it to advertise that the state will buy your car for more than market rates?

WiKID Goes Open Source

WiKID is a two-factor authentication system. It consists of: a PIN, stored in the user’s head; a small, lightweight client that encapsulates the private/public keys; and a server that stores the public keys of the clients and the user’s PIN. When the user wants to log in to a service, they start the client and enter their PIN, which is encrypted and sent to the server. If the PIN is correct, the account active and the encryption valid, the user is sent a one-time passcode to use instead of a static password.

Yesterday, they announced that they’ve open sourced their system. I really like the WiKID system, which transforms your mobile phone into an authentication device. Making it GPL allows anyone to use it.

One fascinating aspect is that the system as originally built took advantage of the (patented, proprietary) NTRU algorithms for speed. Because those are not WiKID’s to open, they’ve replaced them with RSA. But you can use a full version of the system under GPL to test, experiment or deploy to a userbase that’s ok with authentication taking a few seconds, and add a commercial license if you need it to be faster.
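The exchange described above, as an added sketch that is not WiKID's code or wire format: the server's three checks (account active, encryption valid, PIN correct) and a passcode that works once. The class names, the `PIN:` message prefix, the six-digit passcode, returning the passcode encrypted to the client's public key, and the toy textbook RSA over fixed Mersenne primes are all assumptions made for illustration; a deployment needs generated keys and padded RSA.

```python
import hmac, secrets

E = 65537  # toy textbook RSA: fixed primes, no padding (illustration only)

def keypair(p, q):
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))  # (public, private)

def rsa(key, m):
    """Apply an RSA key to an integer; the same call encrypts and decrypts."""
    return pow(m, key[1], key[0])

class Server:
    def __init__(self):
        self.pub, self._priv = keypair(2**89 - 1, 2**107 - 1)
        self.users = {}      # name -> {"pin", "client_pub", "active"}
        self.pending = {}    # name -> issued passcode not yet used

    def enroll(self, name, pin, client_pub):
        self.users[name] = {"pin": pin, "client_pub": client_pub, "active": True}

    def request_passcode(self, name, blob):
        user = self.users.get(name)
        if user is None or not user["active"]:
            return None                                # account check
        plain = rsa(self._priv, blob)
        raw = plain.to_bytes((plain.bit_length() + 7) // 8, "big")
        if not raw.startswith(b"PIN:"):
            return None                                # encryption check
        if not hmac.compare_digest(raw[4:], user["pin"].encode()):
            return None                                # PIN check
        otp = secrets.randbelow(10**6)
        self.pending[name] = otp
        return rsa(user["client_pub"], otp)            # readable only by that client

    def verify(self, name, otp):
        """Called by the service; any attempt consumes the pending passcode."""
        expected = self.pending.pop(name, None)
        return expected is not None and hmac.compare_digest(f"{expected:06d}", otp)

class Client:
    def __init__(self, server):
        self.pub, self._priv = keypair(2**61 - 1, 2**127 - 1)
        self.server = server

    def login(self, name, pin):
        blob = rsa(self.server.pub, int.from_bytes(b"PIN:" + pin.encode(), "big"))
        reply = self.server.request_passcode(name, blob)
        return None if reply is None else f"{rsa(self._priv, reply):06d}"
```
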

I encourage folks to check it out.

“Preserving the Internet Channel Against Phishers”

I’ve updated the concepts first presented in “Don’t Use Email Like a Stupid Person” and “More on Using Email Like A Stupid Person,” to make them more palatable to readers. The new short essay is “Preserving the Internet Channel Against Phishers,” and is designed to be shared with marketing folks without insulting them.

Alternate title: “Don’t title your blog posts like a stupid person.”

Speaking of Hot Knives, Butter

It seems that Zylon “bulletproof” vests are not nearly as effective as Kevlar ones, and the Justice department may pull funding for purchasing them. (All the press releases and reports are at the DOJ site.) They are, however, more effective than not wearing a vest.

I am routinely outraged here by poor technology decisions that apply to the public. Let me be clear that this is equally outrageous. People working in the public interest (including cops and firefighters) deserve to have great, well-tested, effective safety gear. I don’t know if the breakdown here is the same sort of breakdown that leads to things like CAPPS or zippo-banning. But I suspect they’re related, and maybe there’s common cause to be made there between libertarians and police?

See also the New York Times, “A Common Police Vest Fails the Bulletproof Test.”

(As an aside, one of the problems with blog display formats is that you read my latest writings first, where logically, this should come after the Robertson Lies post, so that the title makes sense.)

Robertson Lies In Apology

The dominant headline around Robertson’s attempt to retract his comments is that he “apologized.” That is false. He claimed to have not called for an assassination: “I said our special forces could take him out. Take him out could be a number of things including kidnapping.” Mark, at Cutting Edge of Ecstasy, goes through Robertson’s statements like a hot knife through butter in “Is This A Spokesman For The Real Religion Of Peace?” Read it.

Small Bits: Alex Haislip, Chinese Censorship, TSA Xrays

  • Alex Haislip is blogging up a storm at VC Action. I love journalist bloggers; there’s so much interesting backstory that they talk about. And working at Red Herring, Alex has more dirt than he could dish and stay in business. 😉

  • Curt Hopkins points to a fascinating story about the folks who run the great firewall of China, translated from Chinese. I was going to comment on it, but Rebecca MacKinnon comes along and says not only what I was thinking, but a whole lot more, and more insightfully:

    But as with many Chinese news stories, the conclusion is less interesting than the debate raging within the body of the article. And what the article reveals is that there is a lot of pushing back and forth amongst the various players when it comes to the future of Chinese cyberspace. Internet entrepreneurs like the CEO of Fang Xingdong come out against proposals that Chinese internet users must register their real identities at all times. The internet portal sites conducted surveys showing that their customers (not surprisingly) favor online anonymity…

  • Bruce Schneier points to new research that may obviate any justification for the TSA to look through your clothes:

    Here’s a piece of interesting research out of Ohio State: it’s a passive sensor that could be cheaper, better, and less intrusive than technologies like backscatter X-rays:

    “Unlike X-ray machines or radar instruments, the sensor doesn’t have to generate a signal to detect objects - it spots them based on how brightly they reflect the natural radiation that is all around us every day.”

    “It’s basically just a really bad tunnel diode,” he explained. “I thought, heck, we can make a bad diode! We made lots of them back when we were figuring out how to make good ones.”

No Child Left Untagged

CSO’s Security Feed has a story “RFID Technology Prevents Infant Abduction.” The story reads like a press release:

VeriChip Corporation, a subsidiary of Applied Digital (ADSX), a provider of security and identification technology, stated that its “Hugs” RFID infant protection system prevented the abduction of a baby at Presbyterian Hospital in Charlotte, North Carolina. A BioTechWeek article on reported that the Hugs system alarm went off when the infant was removed from the nursery and the staff and security personnel responded quickly to recover the baby, returning him to safety in the maternity ward. The Hugs Infant Protection System has a tiny radio transmitter that is worn on the baby’s wrist or ankle. Exit points throughout the hospital are electronically monitored to detect unauthorized removal of an infant. In the last 22 years, there have been 233 infant abductions in the United States, half of which occurred from healthcare facilities.

So, doing a little digging, it seems the ‘abductors’ were Walter Mitchell and Juanita Slade, the baby’s parents. Mitchell and Slade’s other children are wards of the state because of drug issues. However, they cared enough about their child to bring him to a hospital for a checkup after he was born. Now the press is touting this as an “abduction.”

I have very mixed feelings about all of this. Most child abductions in the US are custody battles. I know a fair number of smart, well-adjusted, successful people with “alternative” lifestyles who are terrified of DSS and their ilk. (See Fight CPS, Child “Protection?”, or AFRA Horror Stories for more.) The story above could have been written “Modern technology used to keep families apart.”

From the “Who Will Rid Me Of This Meddlesome Priest” Department…

Television evangelist Pat Robertson told viewers the U.S. should kill Venezuelan President Hugo Chavez to prevent the Latin American country from becoming a “launching pad” for extremism, the Associated Press said.

From Bloomberg. Ezra Klein has comments in It Was The Christian Thing To Do. Apparently, Venezuela is upset.

Thanks to Nick for distracting me from useful work. [Formerly titled “Today’s Blog Is All About Being Speechless.” Link to Ezra corrected, thanks Allan!]

Caption Contest

I took this picture of a sign, lying on its side, near gate A12 of the Atlanta airport on August 16th, 2005. The photo is what I saw; it has not been retouched. It needs a caption, and I am simply flabbergasted.