Computer hackers access 7,000 patient files

The break-in at the Indiana University School of Medicine should serve as a wake-up call to adequately protect patient information against possible identity theft.

By Tyler Chin, AMNews staff. March 24/31, 2003.

Are medical files such a compelling read that hackers would want to target your computers?

That's the question raised by a computer break-in at Indiana University School of Medicine in Indianapolis.

On Feb. 28, the school announced that hackers had gained unauthorized access to one computer at the university's Center for Sleep Disorders that had the names, addresses, Social Security numbers and dates of birth of about 7,000 patients.

The hackers did not have access to patients' medical records, but had access to why patients were being seen at the center, said Mary Hardin, a spokeswoman for the medical school.

In a letter dated Feb. 12, the university told patients it had no way of knowing whether the hackers had downloaded, printed or misused their data to steal their identities. As a precaution, it asked them to carefully review their credit card and financial statements. As of March 6, Indiana University had not received any reports of identity theft, Hardin said.

The break-in, and the fact that health information wasn't touched, raises the question of what computer hackers are really after -- medical records or personal information. Some health care information security experts believe the latter is more likely, because those data are more valuable than data in medical records.

"Say a hacker finds out I have trouble sleeping at night. So what? What will they do with that information? There's no market for it," said Tom Walsh, senior consultant with the e-security practice of CTG Health Care Solutions, Cincinnati.