As the federal government continues to wage the war on terror, electronic medical records could be fair game
Is the government looking for terrorists in Americans’ electronic medical records?
Admittedly, it’s an astonishing question, but for many months, this year and last, Congress was roiled in a contentious debate over the legality of a government electronic surveillance program in which, allegedly, the fiber-optic backbone of our nation’s telecommunications system was tapped as part of the war on terror.
Millions of medical records move over those fiber-optic lines, which sparked an interest in the implications of the war on terror for the privacy of those records. But tapping fiber-optic cables isn’t the only possible way for government intelligence services to access Americans’ private health information.
Opinions vary on the likelihood that the government is looking for terrorists in medical records. Some who have been interviewed for this story say flat out, “no way”; others, however, say they suspect the war on terror is being used as a cover for the mutual interests of the government, the healthcare data-mining industry and the fast-growing “surveillance industrial complex” to gain access to records that previously have been off-limits to them.
Such possible examples include:
The medical records of a former university student were handed over to federal agents several years ago as part of an anti-terrorism initiative.
A victim of identity theft through a breach of medical records—the first healthcare privacy prosecution brought under the criminal penalty provisions of the Health Insurance Portability and Accountability Act—said that he had to investigate his own case to embarrass the government into prosecuting the culprit.
A massive, $711 million computerized data surveillance program specifically targeted medical data among other electronic “transactions” in hopes of identifying terrorists before they strike.
Lisa Gallagher, senior director of privacy and security for the Healthcare Information and Management Systems Society, says she’s heard plenty of talk about the government spying on Americans’ medical records, just not from IT people.
“I do have conversations with (chief information officers) and they do have conversations about breaches,” Gallagher says. “And I do keep that confidential. But I do not hear anyone talking about that in the context of risk from the government, except the privacy advocates.”
Similarly, privacy and national security expert James Dempsey, vice president for public policy at the Center for Democracy & Technology, says, “I don’t know of anybody in the U.S. government who has any interest in analyzing medical records except for syndromic surveillance,” which uses health-related data to determine if a public health response is needed. The center is a Washington-based not-for-profit that advocates on patient privacy and constitutional liberties issues in a digital era.
Healthcare privacy advocates see the question of government intent less benignly. Twila Brase, president of the Citizens’ Council on Health Care, a patient-privacy organization in St. Paul, Minn., is one who believes the government is using the war on terror as a cover.
“They’ll build this huge system on the back of national security whether they need it or (if) it will work,” Brase says. “Who benefits? The whole data industry benefits. The health plans benefit, because they can use the data that they collect on all these individuals because they can create treatment directives and limit service to individuals and have all of these scientific bases behind it. Only no one can get access to the data behind it.”
The Department of Homeland Security funds the National Biosurveillance Integration System, which is the overarching program of the type Dempsey mentions. It monitors medical records and “integrates biosurveillance data and information on biological incidents to enhance situational awareness” in the event of a bioterrorism attack. The system plans to incorporate data from 20 to 40 federal and commercial databases, with health information funneled through the Centers for Disease Control and Prevention. Personal medical information is to be supplied by the Veterans Health Administration at the Veterans Affairs Department; the Military Health Service; Tricare, the health plan for the Defense Department; and a host of civilian local and regional public health agencies, according to David Siegrist, a senior research fellow at the Potomac Institute for Policy Studies, a think tank for science, technology and national security policy.
A couple of the component parts of that biosurveillance system stem from a Defense Department research agency where a separate, controversial national surveillance program also was being developed. That program, initially called Total Information Awareness, later called Terrorism Information Awareness, or TIA, did specifically target medical records, according to government documents.
The sweep of the TIA, developed under the Information Awareness Office at the Defense Department, stirred such controversy that Congress cut its funding in 2003. However, some parts, if not all, of TIA were allowed to survive, according to multiple reports.
Nevertheless, Dempsey dismisses the targeting of medical records by the TIA as an aberration. Aside from bioterrorism surveillance, he says he sees no other national security interest in medical records.
“It’s not where one would look for a terrorist,” he says. “Compared to travel records, financial, immigration and communications—medical records are just not useful. Doctors sending records to Blue Cross Blue Shield is just not of any interest to the counterterrorism” community.
The records that insurance carriers keep on individuals, however, proved to be of significant interest to the Homeland Security Department. In 2003, Blue Cross and Blue Shield of Michigan and Aetna searched their databases containing the records of a combined 19 million people for possible matches to names, addresses and other identifiers on the department’s anti-terrorism watch list, according to several news reports, including a Nov. 16, 2003, front-page story by Amy Lee in the Detroit News.
The medical records of a former North Carolina college student were handed over to the FBI in a 2005 terrorist search, according to a Washington Post article written Nov. 6 of that year.
Brase, the Minnesota healthcare privacy activist, says that there are a number of ways the government has access to medical records, through existing exceptions in HIPAA, and through changes in multiple federal laws in the wake of the Sept. 11, 2001 terrorist attacks on the World Trade Center and the Pentagon.
“As long as they call themselves public health, they can get medical data,” Brase says. The Federal Aviation Administration “announced a couple of years ago; they said that they would be considered a public health entity so they could ask for public health data and get it under HIPAA. What used to be called (under HIPAA) national priority purposes, law enforcement and national security, either of those two could be used to make the request.”
Since the Sept. 11 attacks, Brase says, she has seen policies that the state Health Department or HHS “wants passed, I see there is this national security (rationale) tacked on to it. I saw a little bit of it right after 9/11 and I think it’s growing. And HIPAA makes it easy for them to say yes, so they essentially are an arm of this whole network of surveillance that the government is planning to create around the country. They’ll say they’re going to use it for quality and a whole lot of good purposes, but I think surveillance is a good part of it.”
San Diego businessman Eric Drew says he has no trouble believing the government is snooping around in healthcare records, although he says he has no personal knowledge of anyone claiming to be a victim of government scrutiny of their medical information. His suspicion is rooted in bitter experience.
Drew was a patient at the Seattle Cancer Care Alliance in late 2003 when a hospital worker used his medical records to obtain enough information to steal Drew’s identity and go on a shopping spree. Richard Gibson, a phlebotomist, was that worker and became the first person to be convicted of a criminal violation of the HIPAA privacy law.
Drew says that federal prosecutors have been the focus of “a lot of political pressure” by lobbyists representing various healthcare industry groups, including insurance companies, hospitals and physicians, to relax privacy enforcement. But, in Drew’s view, the pressure doesn’t end there. “The exemption of the health insurance industry for any sort of liability for privacy violations is one piece in the puzzle you’re pursuing,” he says. “They don’t want HIPAA enforced, because it will open up to the world that nothing is being enforced. The government is taking away any private right of action against any of these entities; meanwhile, the Central Intelligence Agency and the FBI can tap into any record they want. It is a part of a bigger plan to integrate American identities into a larger identification system.”
In 1976, in the wake of the Watergate scandal in which former agents of the FBI and CIA were caught planting audio surveillance devices at the Democratic National Committee headquarters, the Senate impaneled a special committee to look into illegal surveillance activities by our federal law enforcement and national intelligence services. Known informally as the Church Committee for its chairman, Sen. Frank Church, an Idaho Democrat, the panel uncovered abusive surveillance practices targeting hundreds of thousands of Americans that had been carried out for decades by the FBI, CIA and the National Security Agency, among others.
As a result, Congress sought to create a bright line separating surveillance for foreign intelligence from surveillance for domestic law enforcement. To that end, in 1978 Congress passed the Foreign Intelligence Surveillance Act, or FISA. It put domestic intelligence and anti-terrorism efforts—and the issuance of warrants to carry out wiretapping and records searches for them—under the supervision of a newly constituted Foreign Intelligence Surveillance Court. Since 9/11, however, that bright line has been blurred.
Several major American telecommunications companies face legal threats from a reported 40 or so class-action lawsuits that seek to hold the companies accountable for their roles in the government’s warrantless wiretapping program that may predate the 9/11 attacks. The lawsuits allege the telecoms allowed the government to tap into the fiber-optic spine of the nation’s domestic and international communications network and spy on the phone calls, e-mails and other electronic communications, not only of potential terrorists but also of everyday Americans. If true, the lawsuits contend, the fiber-optic “wiretapping” would violate federal law and the First and Fourth amendments of the Constitution. Some telecoms have denied the allegations; others say they are bound by national security requirements and cannot talk about them.
In July, with the passage of the FISA Amendments Act of 2008, Congress gave the telecoms—and also any public provider of computer storage or computer processing services that cooperated with the national security services after 9/11—retroactive immunity from civil lawsuits.
On Sept. 12 of this year, lawyers for AT&T and the not-for-profit civil liberties and privacy advocacy group Electronic Frontier Foundation met in a federal court in San Francisco in a status hearing on Hepting v. AT&T. The class-action lawsuit, filed in 2006, accuses AT&T of violating the First and Fourth amendments of the Constitution, multiple federal laws and one California law by “collaborating with the National Security Agency in a massive warrantless surveillance program that illegally tracks the domestic and foreign communications and communication records of millions of Americans.”
On Sept. 18, the foundation “opened a second front,” filing another suit, Jewel v. NSA, this time against the spy agency itself as well as President Bush; Vice President Dick Cheney; Cheney’s chief of staff, David Addington; and former Attorney General and Chief White House Counsel Alberto Gonzales, alleging on behalf of AT&T customers that they ordered and are still conducting “dragnet surveillance of millions of ordinary Americans.”
Barry Steinhardt, director of the American Civil Liberties Union’s technology and liberty program, says he has no way of knowing whether individuals’ electronic medical records have been accessed under the government’s warrantless wiretapping program, but the potential is there. The ACLU also has a lawsuit pending challenging the constitutionality of the government’s surveillance program.
“To what extent this involves medical records, I couldn’t tell you, or if anybody knows outside of the intelligence community,” Steinhardt says. “But plainly, if the data is communicated through the Internet and (telecommunications company) switches, they are subject to interceptions.”
Of course, there is cryptography, and when it comes to tapping fast-moving encrypted data like medical records, the NSA may have met its match with modern encryption, at least when it comes to a “brute force” computerized attack on the code, says Phil Zimmermann of Palo Alto, Calif., a cryptographer who created the open-source e-mail encryption software Pretty Good Privacy in 1991.
If done right, 128-bit encryption, which is in common use in healthcare, is “out of reach of all the computers in the world,” Zimmermann says. “However, there are lots of ways to do this wrong. Just encryption alone isn’t enough if you don’t have the right policies, because someone could just walk in from the government and say: Hand over the keys.”
Michael McMillan is chief executive officer of CynergisTek, Austin, Texas, a security consulting firm where for the past eight years he has specialized in hospital information technology. A former Marine, McMillan says he served a portion of his 20-year military career in intelligence work.
Even though HIPAA security rules do not mandate the use of encryption technology, McMillan says most, but not all, of the hospitals he knows “are very diligent” about using encryption to move e-mails and sensitive patient data over the Internet.
“I don’t know what they’d get without the cooperation of people sending and receiving,” he says. In other words, healthcare providers would have to be cooperating with intelligence agencies for them to read their encrypted communications, a prospect he says he finds unfathomable. But unlike Zimmermann, McMillan isn’t ready to completely discount the code-cracking capabilities of his former intelligence community colleagues.
“I’ve always operated under the presumption that anything man can do, man can undo. It would take a tremendous amount of horsepower and a lot of dedication to do that. I just find it hard to believe that kind of effort could go on without the appropriate oversight” from Congress, McMillan says. “It’s one thing to try to tap a phone conversation and it’s another thing just harvesting medical data. If folks got a hold of that, they’d say: Are you out of your mind?”
Even so, traffic on the Internet carries a lot of medical information between people and healthcare information sources that lawmakers who crafted HIPAA never contemplated, much of which is not encrypted. A combination of queries using general or medically oriented search engines seeking diagnosis or treatment options for a sexually transmitted disease, for example, could lead to an inference that might embarrass or financially stigmatize someone if that information fell into the wrong hands. Search results pointing to the Internet address of a Web page of an oncologist, psychiatrist or a drug treatment clinic could yield the same result for a potential patient. All of these Internet communications could be captured by wholesale wiretapping.
A more likely way for the government intelligence services to solve the encryption problem would be, as Zimmermann and other experts suggest, to gain access to stationary medical records in data storage systems. That could be done either through a request, a legal demand and/or a long-term contract with large aggregators of healthcare data, such as data miners and payers, and, perhaps, with connections to new networked systems, such as health information exchange organizations. Instead of breaking down the locked doors by cracking code, the government could—as it did with the telecoms—simply use the keys.
The HIPAA privacy rule, since its inception in 2000, always has afforded “covered entities”—as defined in the law, providers, payers and claims clearinghouses—multiple exceptions from its requirements to otherwise keep medical records private. One of those original HIPAA exceptions permits covered entities to release patient-identifiable medical records “to authorized federal officials for the conduct of lawful intelligence, counterintelligence and national security activities.” Thus, HIPAA relies on the requesting government agencies to act within the law. HIPAA also says an individual has no right to an accounting whether his or her healthcare information has been handed over “for national security or intelligence purposes.”
Shortly after the Sept. 11 terrorist attacks, Congress took just four days to push through the USA Patriot Act, which Bush signed into law on Oct. 26. The sweeping new law broadened the reach of the government to obtain personal information on individuals, including medical records. The law also required that persons who have been ordered to disclose records for national security reasons keep those requests secret, even from the person or persons whose records were handed over to the government. Section 215 of the Patriot Act even allows government agents to demand access to medical records of foreign citizens stored by foreign subsidiaries of U.S. companies. That revelation horrified Canadians and caused the provincial government of British Columbia to pass four privacy laws to govern cross-border data transfers, and led to the redrafting of a government healthcare IT outsourcing contract.
“There is this extraterritorial reach of (Section) 215 orders,” says Mary Carlson, executive director of the Office of the Information and Privacy Commissioner of British Columbia. “Even if the company headquarters is in the U.S. and the database is in Canada, they can reach across the border and grab it and no one would know.”
Section 215 “permits the security services in the U.S. to request copies of anything—documents and databases—and the person served must comply, under penalty of going to prison,” Carlson says. “Secondly, they can’t tell anybody (that the records have been searched) under penalty of going to prison.”
In March 2007, Glenn Fine, head of the Justice Department’s inspector general’s office, delivered to Congress two reports totaling 310 pages detailing the performance of the FBI using orders approved by the FISA court under Section 215 of the Patriot Act, and national security letters, or NSLs, issued by the FBI without court oversight under Section 505 of the act.
According to Dempsey, in 2004 the definition of a “financial institution” in the Right to Financial Privacy Act of 1978 was amended by Congress with passage of the Intelligence Authorization Act (of 2004) to include insurance companies, making their records subject to Section 505 national security letter requests without court oversight or approval.
Again, in addition to insurance information, the FBI also has access using warrantless NSLs to perform Internet searches for medical information and bank and credit card records of patient encounters with doctors and hospitals. Once obtained via an NSL, information gleaned is routinely stored in one or more FBI databases, according to Fine’s report. One of those databases is accessible to 34,000 users, including 5,000 users in organizations outside the FBI.
The inspector general’s report also cited a Nov. 6, 2005 news story in the Washington Post about the FBI’s questionable attempt to use a national security letter to obtain health and other records of a former North Carolina State University student to determine whether he was involved in the July 2005 London subway and bus bombings. The former student was later cleared of suspicion, according to the story.
David Drooz is the senior associate general counsel at the university in Raleigh. According to the Washington Post, Drooz stood his ground against the FBI’s initial NSL demand, but ended up handing over the student’s records when the FBI came back with a subpoena.
Drooz would not comment on the specifics of the case, but in an e-mail he advises healthcare organization officials, “if there is any request or demand for medical records, then the custodian of those records should examine the legal authority underlying the request and determine if it is a valid override of privacy requirements. This applies to national security letters as well as any other types of demands,” Drooz says. It is a reminder that the HIPAA exemption that allows covered organizations to disclose protected medical records to officials for national security purposes applies only to lawful requests.
In 2002, medical records were targeted for inclusion in the controversial and sweeping Defense Department terrorist identification project with a $711 million budget called Total Information Awareness, and later, Terrorism Information Awareness, according to government and private sector reports. The Office of the Director of National Intelligence, which oversees all 16 agencies and departments in the intelligence community, including the CIA and the Homeland Security Department, did not respond to requests to provide someone to be interviewed for this story.
In January 2002, the Defense Department created the Information Awareness Office within the department’s Advanced Research Projects Agency, the vaunted military research and development agency that birthed ARPAnet, a precursor to today’s Internet.
The Information Awareness Office, which oversaw the TIA development program, was headed by retired Navy Rear Adm. John Poindexter, who was convicted in 1990 on multiple felony counts for his role in the Iran-Contra affair. His conviction was overturned on appeal.
Initially, all systems were go for TIA. A host of well-known defense and IT contractors and consultants, including several with healthcare operations such as Lockheed Martin Corp., Booz Allen Hamilton and Science Applications International Corp., applied for and received TIA contracts, according to documents obtained under the Freedom of Information Act by the Electronic Privacy Information Center, a civil liberties and privacy advocacy not-for-profit group. But following a public uproar about privacy issues, Congress stripped the funding for the TIA program in late 2003. Still, the legislation that “de-funded” TIA also included a secret annex that allowed some TIA programs to continue.