Medical records left on Internet

But after they were viewed by unauthorized people this week, the hospital quickly shut off access.

"Luckily, we were notified and able to stop it this time before real damage was done," medical center spokesperson Dave Wilkins told The Ann Arbor News yesterday. "Still, on all fronts, we're taking it very seriously.''

The problem was discovered Monday after a University student searching for information about a University doctor on the medical center's Website was linked to files containing private patient records.

The records contained names, addresses, phone numbers, Social Security numbers, employment status, treatments for specific medical conditions and other data, the paper reported. The information was used to schedule appointments and didn't include more detailed medical information, Wilkins said.

He said "several thousand" records were available for two months. But nobody accessed the records until Monday, he said.

Two people dialed in two times each, then two reporters called in, for a total of six hits by 1:30 p.m. One of the reporters then notified the medical center, which shut off access by 2 p.m., Wilkins said.

Joe Kryza, director of operations for medical center information technology, said scanning tools detect potential hackers and the problem eventually would have been caught.

Medical center officials are determining whether the breach warrants notifying the patients involved, Wilkins said.

The posting on the Web came as a surprise to Cary Johnson, whose 2-year-old son's record was one of those exposed.

"I'm certainly not happy about it," said Johnson, who is a nurse at the medical center. "I guess technology is helping us to do some things and hurting us in other ways.''

Johnson told the paper she was already concerned about the privacy of information after someone used her bank card number to charge $700 to her checking account just before Christmas. "These things didn't happen 20 years ago.''

02-12-99