Kentucky: Discarded Computer Had Confidential Medical Information
February 7, 2003
A Kentucky Cabinet for Health Services computer that had been discarded for sale as surplus equipment contained confidential files identifying thousands of people with STDs, including HIV, state Auditor Ed Hatchett said Thursday.Adapted from:
Under Kentucky law, the computer, like other surplus equipment, had to be offered for sale first to government agencies and nonprofit organizations, then to the public. Hatchett said the computer was one of eight, selected at random, awaiting sale at the state's surplus property office. He said employees of his office paid $25 apiece for the computers and took them back to the office for testing. The disk yielded several thousand files. "Then we found the HIV/AIDS data. Obviously, that is a huge problem," he said.
"It's a lot of information with lots of names and things like [numbers of] sexual partners of those who are diagnosed with AIDS," Hatchett said. "It's a terrible security breach." Sex partners of the individuals are counted but not named, said B.J. Bellamy, chief information officer for the auditor's office.
Health Services Secretary Marcia Morgan said the computer came from an agency in her cabinet that deals with counseling on STDs and HIV. The computer was used from 1995 to 1999. Its hard drive was believed to have been wiped clean when it was shipped as surplus late last year, Morgan said. She said she has ordered an internal investigation to determine how the lapse occurred and how a recurrence could be prevented.
Morgan said the computer was never out of state custody, and the ability to retrieve its information depended on the sophistication of the person using it. Nor was it the AIDS database that the agency is required to maintain for federal reporting purposes, according to the agency. That database lists AIDS patients by a code, not by name.
Hatchett's office on Wednesday sent an alert to state and local government offices that said surplus computers must be wiped clean with software designed for that purpose. "Deleting data or reformatting disks is not sufficient," the advisory said. On Thursday morning, the Governor's Office of Technology issued a government-wide policy on proper sanitizing of surplus state equipment.
02.07.03; Charles Wolfe
This article was provided by CDC National Prevention Information Network. It is a part of the publication CDC HIV/Hepatitis/STD/TB Prevention News Update.