By Jordan Robertson
AP Technology Writer
Until recently, medical files belonging to nearly 300,000 Californians sat unsecured on the Internet for the entire world to see.
There were insurance forms, Social Security numbers and doctors' notes. Among the files were summaries that spelled out, in painstaking detail, a trucker's crushed fingers, a maintenance worker's broken ribs and one man's bout with sexual dysfunction.
At a time of mounting computer hacking threats, the incident offers an alarming glimpse at privacy risks as the nation moves steadily into an era in which every American's sensitive medical information will be digitized.
Electronic records can lower costs, cut bureaucracy and ultimately save lives. The government is offering bonuses to early adopters and threatening penalties and cuts in payments to medical providers who refuse to change.
But there are not-so-hidden costs with modernization.
"When things go wrong, they can really go wrong," says Beth Givens, director of the nonprofit Privacy Rights Clearinghouse, which tracks data breaches. "Even the most well-designed systems are not safe. ... This case is a good example of how the human element is the weakest link."
Southern California Medical-Legal Consultants, which represents doctors and hospitals seeking payment from patients receiving workers' compensation, put the records on a website that it believed only employees could use, owner Joel Hecht says.
The personal data was discovered by Aaron Titus, a researcher with Identity Finder who then alerted Hecht's firm and The Associated Press. He found it through Internet searches, a common tactic for finding private information posted on unsecured sites.
The data were "available to anyone in the world with half a brain and access to Google," Titus says.
Titus says Hecht's company failed to use two basic techniques that could have protected the data — requiring a password and instructing search engines not to index the pages. He called the breach "likely a case of felony stupidity."
One of the patients affected was Paul Thompson, who learned of the breach from Titus.
The Sugarloaf, Calif., electrician blew out his shoulder four years ago on a job wiring up a multiplex movie theater. His insurance company denied his claim, which led to a protracted dispute. He eventually settled.
Thompson says his injury has been a "long, painful road."
Unable to afford surgery in the U.S. to fix his torn rotator cuff, he paid a medical tourism company that was supposed to schedule a cheaper procedure in Costa Rica. The company went bankrupt, however, and Thompson said he lost nearly $7,300.
To have his personal information exposed on top of that was a final indignity.
"I'm totally disgusted about everything," he said, calling the breach "another kick in the stomach."
Thomson is worried that hackers may have spotted his information online and tagged him for future financial scams. He contacted his bank and set up a fraud alert with the credit reporting agencies.
He says the prospect of all health records going electronic — which federal law mandates should happen by 2014 — "scares the living hell out of me."
When mistakes occur, the fallout can be more severe than the typical breach of email addresses or credit card numbers.
The rest of the story can be read here.