'High Risk' of Cyber Security Attack, Info Leak Revealed in Recent CO Security Audit

December 20th, 2010 by michael. Categories: K-12 Education

As far as personal information goes, medical documents are perhaps among the most important–and also the most closely held–due to privacy concerns.

When legislators push for compulsory public databases of highly sensitive information, as Colorado did this year with HB10-1330 “All-Payer Database,” the threat of that information being disseminated to unknown parties, exposed to hacking, or even accidentally “leaked” is of grave concern:

What the Bill Does: Gives the Executive Director of Health Care Policy and Financing the power to create a database to collect and store unlimited information on everyone who provides or receives health care in Colorado whether or not the state pays for that health care and whether or not the transaction is a private one.
How the Bill Endangers Colorado Citizens:
1. Because it enables the creation of dossiers on citizens, the bill transfers too much power to state government
2. The metrics discussed in the bill do not exist. The use of poor substitutes will likely increase health care costs and degrade health care outcomes
3. The bill funds the database with money from undisclosed sources with undisclosed agendas that may not be in the best interests of Colorado citizens
4. There is no known way to secure the private information that the state proposes to collect.
5. There is no guarantee that the Commission appointed to study the database issues will have the expertise needed to accurately ascertain its consequences.

Such concerns and unanswered questions are usually downplayed, as they were with HB10-1330.

The bill’s sponsors were confident that there would be no privacy issues:

The legislation raises privacy concerns, however, says Devon Herrick, a senior policy analyst with the National Center for Policy Analysis, a Dallas, Texas-based think tank.

“House Bill 10-1330 raises privacy and security concerns. Not only will the state government intrude in a private transaction between patients and their physicians; it will also have to safeguard the data from abuse or theft,” Herrick said.

“I’m aware of these concerns. I’m confident we can, like other states that have implemented such plans, completely protect our citizens’ privacy,” said Kagan.

Except they probably can’t. A December report on a recent audit (February-November 2010) of the state’s various agencies revealed that 60 percent have not even submitted a security plan and that more than 40 cyber “incidents” have been documented since 2006, a count that may not include all of the “accidents” and other breaches that have gone unreported:

The state’s computer systems are at “high risk” of online attack, and a cyber security firm hired to secretly hack into agencies’ systems easily gained access to thousands of documents containing Coloradans’ sensitive personal information, an audit released today revealed.

“We conducted a penetration test of public agencies and found significant vulnerabilities throughout state government that allowed the assessment team to compromise thousands of records containing individuals’ confidential information, such as social security numbers, birth dates, and income levels,” auditors reported. “The assessment team also compromised several state networks and systems and identified hundreds of vulnerabilities in state systems.”

Many of the state’s cyber security officials–chief information officers charged with protecting critical data–are “concerned,” even as a report from Mesa County reveals that vital information was available, accidentally, for seven months.
