Sometimes personal patient information can be hiding in plain sight, which is what Memorial Sloan-Kettering Cancer Center learned the hard way about embedded patient data residing in presentations that had been posted on the Internet since 2005.
The Long Island Press reported in June that MSKCC had a “patient data leak undetected for six years,” and that the cancer center had sent out correspondence to a (at that time) still-undisclosed number of affected patients in a letter explaining that in 2005 MSKCC staff created graphs included in a presentation for physicians and researchers.
According to the Press, the letter said that private information was inadvertently hidden behind the graphs and included names, birth dates, medical record numbers, dates of treatment, and some clinical data including treatment information. It was also disclosed in another letter that in some cases Social Security numbers were embedded as well.
Apparently the patient clinical data and private information had been included in a Microsoft PowerPoint presentation that “may have been exposed on the web pages of two professional medical organizations,” according to a privacy alert posted on MSK's website June 15.
The alert said that Memorial had discovered the incidents in April and although the private information was “not visible during routine viewing of the presentation…the graph itself could be manipulated in such a way as to potentially reveal the protected health information.”
Memorial added that its investigation (which was part of its ongoing data security efforts) discovered five separate incidents of PowerPoint files with varying data elements affecting different groups of a total of 880 patients.
“As soon as these incidents were discovered,” the alert said, “we took immediate action and the information was removed,” adding that the center “has taken significant measures to strengthen its information and data security systems, taken corrective action with those involved and educated staff so that this situation does not occur again.”
Memorial said there had been no evidence that the information had been misused; that it deeply regretted that patient information may have been exposed; and that all patients affected were notified in writing in June.
The notice also said that MSK had contracted with an outside data-security company, ID Experts, to assist patients and that media inquiries should be directed to Memorial's public affairs department.
I placed two calls to speak with Christine Hickey, the center's communications director, about several aspects of this story, and received the following email addressing only one point.
“I understand you are looking for where on the web these graphs were posted. Unfortunately, we are not able to identify the organizations, but I can tell you that one was a CME organization and one was a professional organization for an oncology specialty. Both organizations have been responsive and fully cooperative with our investigation and request to remove the information immediately,” she wrote.
Through a series of phone calls I found out that the professional organization was the American Society for Radiation Oncology (ASTRO), and that someone from MSK's IT security department had contacted the society several months earlier asking that a number of presentations be removed.
ASTRO told me that multiple presentations on numerous disease sites from its 2005 and 2006 annual meetings were taken down, and that as an extra step ASTRO “flattened all the JPEGs in the presentations from MSKCC for 2005–2011 to be safe.”
I also learned that the so-called graph manipulation needed to access the hidden patient data required nothing more than clicking on a graph to expose the private information.
In an effort to understand how private information could be embedded in a PowerPoint presentation and what users could do to prevent it, I contacted Microsoft corporate headquarters in Washington State.
My request was routed through Microsoft's PR agency, Waggener Edstrom Worldwide, and resulted in the following email:
“I have connected with my colleagues and we are unable to accommodate your request at this time. I apologize for any inconvenience this may cause....My colleagues recommend you connecting with Memorial Sloan-Kettering Cancer Center for comment.”
I then called Carnegie Mellon University and spoke with Lorrie Cranor, DSc, Associate Professor of Computer Science, Engineering, and Public Policy, who said that similar incidents had occurred at other hospitals over the last several years, and that the potential problem was certainly not limited to health care.
“What happens is that documents with confidential information are put into a PowerPoint presentation, and the person working on the presentation then makes it go away on the screen by cropping it or drawing a box and placing it on top of the information they don't want to appear on the screen. But it's still in the file and accessible to others who click on it.”
She said this often occurs when data from Microsoft Excel containing whole spreadsheets are used in graphs, and although she didn't have any statistics believed it was probably fairly common.
The remedy is to take a screenshot by using screen capture to take a picture of the graph without its embedded data, which is what ASTRO did when it flattened the JPEG image files. Cranor, who also disclosed that she was a cofounder and is a board member of Wombat Security Technologies, said that she didn't know how often this information was included in IT security training.
She also told me about a local Pittsburgh-area physician who gave a seminar to her students: “He mentioned [to the class] that he had been told to be careful about this sort of thing, and in his presentation he had a graph that he had covered so you couldn't see the confidential information,” she said.
“When my students pointed out [and demonstrated] that that confidential information was still there and could be obtained by a click, he was both shocked and embarrassed.”