Leaks and threats to patient data

BMJ 2011; 342 doi: (Published 11 February 2011) Cite this as: BMJ 2011;342:d871

This article has a correction.

Syed Abdul Shabbir1, Luis Fernandez-Luque2, Yu-Chuan Li3, Min-Huei Hsu3, Pei-San Lee1, Wen-Ta Chiu4

1 Institute of Biomedical Informatics, National Yang Ming University, Taipei City 112, Taiwan
2 Northern Research Institute, Tromsø, and Medical Informatics and Telemedicine Group, Computer Science Department, University of Tromsø, Norway
3 Graduate Institute of Biomedical Informatics, Taipei Medical University, Taipei
4 Graduate Institute of Neural Regenerative Medicine, Taipei Medical University

jaak88{at}

The number of thefts of laptop computers and USB flash drives is increasing, and the threat of stolen information being published online is real. The situation may worsen if hackers start to operate websites similar to WikiLeaks.

The US Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 provided incentives of about $37bn to encourage “meaningful use” of electronic health records by providers. This initiative has increased the adoption rate of electronic health records, and at least 56% of US hospitals have now implemented them or initiated implementation.1 Meanwhile, illegal publication of confidential cables on WikiLeaks,2 and recent “distributed denial of service” attacks on Mastercard and Amazon3 should be a warning to healthcare providers, patients, and policy makers to rethink security technologies.

Several scandals have been reported from the US and UK about the loss of USB drives and laptops belonging to healthcare staff that contained the personal health information of thousands of patients (see table for examples). Celebrities and politicians are the obvious first targets: WikiLeaks has already published cables relating to the facial tumour of the president of Bolivia4 and the diverticulitis of the colon of the Cuban leader Fidel Castro.5 More platforms publishing sensitive patient information may well be launched, and once material has been posted to such a platform current technology cannot block its spread effectively.

Examples of stolen records of patients’ sensitive information from the US and UK


Although a distributed denial of service attack does not alter or extract the data held in a database, it is carried out to make a website unreachable or to stop a service from functioning, and for a hospital that depends on a web based record system the loss of availability is itself a patient safety problem. Now that many hospitals and general practitioners are adopting web based applications and electronic health records, security staff have to be on high alert and ready to take appropriate action when needed.
