[BreachExchange] Computer Breach Could Have Exposed Trauma Victims to Further Anguish

Wed Sep 14 19:11:10 EDT 2016

http://www.nytimes.com/2016/09/14/nyregion/a-computer-
breach-that-could-have-retraumatized-research-subjects.html

Havoc sneaks in so often, we shrug. Data breaches, for instance. Hackers
break into bank computers or Home Depot terminals to steal credit card
numbers, dates of birth, addresses, Social Security numbers.

These are soulless numbers that make up a public identity, but not a
person’s actual self.

Here, though, is a breach with a difference.

For one week in late April and early May, a hacker (or hackers) got into
servers that held information provided by 22,000 people for 11 mental
health studies being done at the New York State Psychiatric Institute.

These were not patients being treated at the institute, but subjects of its
research.

They included, among others, schoolchildren directly exposed to the events
of Sept. 11; Puerto Rican youth; severely emotional disturbed young people
in Westchester County and their caretakers; people in the Bronx suffering
from post-traumatic stress who have family in the criminal justice system;
students at three schools in Queens and four others in Washington Heights,
Manhattan, whose mental health needs were being assessed.

It was a hack with different fingers, infiltrating two servers operated by
the State of New York and plucking out information of varying calibers. For
about 9,000 people, it captured the kind of data that is sold to identity
thieves, like names, addresses and so forth.

But also stored in the servers was what people had to say about trauma, and
how they were tossed about by the many storms of human existence — or
weathered them. This is useful and powerful information for researchers.

Also, possibly, to criminals.

“Medical records are among the most valuable forms of personal information
in the market, and are therefore frequently stolen and heavily trafficked,”
Eben Moglen, a law professor at Columbia and a technologist, said.

In this case, the information stored in the servers was coded and was not
the equivalent of medical records, Dr. David H. Strauss, the director of
research at the institute, said.

“The data wasn’t readily identifiable — there wasn’t a medical record, or
chart notes,” Dr. Strauss said. “All the research data was coded.”

That is, when people were asked questions, the answers were recorded as
numbers keyed to an answer code. The people were also given code numbers.
Their identities and codes were held on a second server. Institute
officials hope and believe that the hackers were not able to
reverse-engineer the identities and codes to link up people with their
answers.

“The health information itself was coded,” Dr. Strauss said. “It would be
meaningless to the attackers.”

Perhaps. What would have made the data far more difficult to read than
simple coding would be encryption, a digital lockbox that is very hard to
pick. It thwarts hackers the same way a house safe can stymie burglars:
They can break in but cannot get away with the valuables. The state
contends that encryption is not practical for active research, though it is
used in many fast-paced businesses.

The state learned of the breach from federal authorities. Dr. Strauss said
that by the time he had heard about it, a state forensic group had isolated
the two servers. “A lot of work went on over the course of the next two
months to identify the extent of the cyberattack, and the ways in which the
data was held,” Dr. Strauss said. The institute notified subjects for whom
it had contact information.

Every year, the employees of the institute, which is affiliated with
Columbia University’s Department of Psychiatry, get privacy training. This
episode made what had been theoretical very concrete, Dr. Strauss said.

“To say that we take it seriously is an understatement,” Dr. Strauss said,
noting that the institute relies on people to voluntarily share information.

For about 13,000 subjects, only birthdays and demographic information were
collected. Why so much about the other 9,000? They were going to be
followed over a period of years, Dr. Strauss said.

The institute is determined to make its data storage more secure, he said.

Who did it, and why?

So far, if answers exist, the state has not made them public.

This seems to be a different, rawer breach than most. But perhaps it is
just a criminalized version of what many of us voluntarily submit to in
daily commerce or by using social media. Our appetites and anxieties trail
behind us, digital breadcrumbs collected by the platforms as the hidden
fees we pay for what look like free services.

“Both the platform companies and we ourselves become active agents in the
creation of conditions which are then exploited by criminals,” Dr. Moglen
said. “But our refusal to take our own and others’ privacy seriously — even
when we have Hippocratic or legal duties to avoid doing harm — enables the
criminality.”
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160914/b1001be0/attachment.html>