Thursday, October 25, 2012
Department of Health data breach places unfair burden on those most vulnerable
by Larry Geller
In Hawaii, with the cutbacks that have taken place in adult mental health services, the clubhouse system is often the only point of service delivery for those receiving services from the Adult Mental Health Division.
Today the DOH announced that on September 25, 2012, exactly one month ago, there appears to have been a data breach releasing personal information of mental health consumers. According to the DOH press release dated today:
Approximately 600 former and registered members of the Waipahu Aloha Clubhouse are being notified by mail of the possible security breach.
In one month it is possible for identity thieves to act over and over. Today’s press release raises the obvious question: why the delay? I have emailed DOH to learn more.
Further from the press release:
“We very much regret that this incident occurred and the impact it may have on our Waipahu Clubhouse members,” said Dr. Bill Sheehan, Chief of the Adult Mental Health Division.
All Waipahu Aloha Clubhouse members are advised to place a fraud alert on their credit files and notify the police if they find any suspicious credit activity.
Dr. Sheehan is a medical doctor and should be concerned “to do no harm,” yet he is placing the burden of guarding against credit fraud on
adults living with severe and persistent mental illness
who were or are receiving services from his division of DOH.
In the case of the University of Hawaii data breaches, it took a lawsuit to get the University to do the right thing and provide credit monitoring services free of charge to those affected. The settlement in that case required students affected to sign up for services. For this population group, it would be reasonable to not only provide free services, but to provide assistance in signing up to be sure that the services are in place.
I’ve asked DOH if free credit monitoring services will be provided.
A secondary question, of course, is how well DOH is protecting personal information on all its computers, and in particular, why unencrypted data was exposed on a machine connected to the Internet, if that’s how the data breach took place. The DOH press release confirms that the computer was believed to have been remotely accessed.
Oh boy. This is gonna have tremendous consequences. What needs to be done sooner than later is a forensic tech investigation to trace back to the thief.
These folksʻ ssi checks and everything else could get jammed up and if they figure out who to ask for help in the nightmare of bureaucracy, and the run around theyʻre going to get ....this is pretty terrible.
Larry, the people in question are almost entirely Severly Disabled Mentally Ill (SDMI) adults (overwhelmingly schizophrenic), 99% of whom live in care homes. I don't believe it is very likely that any have "credit records" they can check. Hell, I'm a former AMHD employee, and I have NEVER been able to figure out how to use those websites that supposedly tell you your credit rating -- they all want $$ before providing any info (especially the "FREE" services).
The University of Hawaii provided identity theft monitoring services without charge to those affected by their data breach. They could apply by phone or web, and the service was not one of the questionable "free" services. AMHD clients should be given assistance in applying.
Anyone can be taken advantage of via identity theft. That the DOH allowed their data to be exposed on the Internet should be investigated and procedures put in place to prevent similar data breaches in the future. In the meantime, providing a monitoring service is the least they can do under the circmustances.
Links to this post: