Memorial Sloan-Kettering Patient Data Leak Undetected for 6 Years

Memorial Sloan-Kettering Cancer Center
Memorial Sloan-Kettering Cancer Center has been informing patients that their private information was erroneously posted to unsecure websites for more than six years.

The personal and medical data of a still-undisclosed number of Memorial Sloan-Kettering Cancer Center patients were erroneously posted on the Internet and accessible for manipulation for more than six years before being detected by the hospital in April, according to letters being sent out this week to those affected.

The Long Island Press first reported the patient information leak Wednesday and a spokeswoman for the center verified the blunder. The cancer center, the world’s oldest and largest, also emailed the Press a statement with details about the incident.

The correspondence sent out to inform affected patients, obtained by the Press, reveals that several unknowns still exist regarding the incident, such as who accessed the files containing that information once they were posted to an unsecure website, and whether anyone who saved the unencrypted files may still have access to that data. Additionally, the letter includes statements conflicting with what the hospital reported Wednesday.

“In 2005 MSKCC staff created graphs that were included in a presentation for physicians and medical researchers,” the patient letter reads. “Private information was hidden behind the graphs. The MSKCC staff person who prepared the presentation was not aware that the private information was embedded in this way.

“This information included your name, date of birth, medical record number, dates of treatment and some clinical data including treatment information,” it continues. “No financial data or Social Security number was included in this incident. The hidden data would not have been visible to individuals viewing the presentation in a routine way. However, a person who accessed the presentation could manipulate the graphs to reveal the private information.”
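The letter describes source data that travels inside a presentation behind its charts without being visible on the slides. The following pre-publication check, written as an added example for this article and not a tool from MSKCC or any organization named here, lists such payloads in a modern OOXML `.pptx`: embedded workbooks under `ppt/embeddings/`, chart parts that link to them via `<c:externalData>`, and the cached cell values a chart part carries. The 2005 file was most likely a binary `.ppt`, which this example does not parse; the sample deck and its labels are constructed.

```python
"""Pre-publication check: list data hidden inside a .pptx behind its charts.

Hypothetical example for this article, not MSKCC's or anyone's tool.
Assumes the OOXML layout: embedded source workbooks live under
ppt/embeddings/, and each ppt/charts/chartN.xml may carry a
<c:externalData> link to one of them plus cached <c:v> cell values.
"""
import io
import re
import zipfile

EMBED_RE = re.compile(r"^ppt/embeddings/.+\.(xlsx|xlsm|xls|bin)$", re.I)
CHART_RE = re.compile(r"^ppt/charts/chart\d+\.xml$", re.I)
CACHE_V_RE = re.compile(r"<c:v>([^<]*)</c:v>")  # cached cell text in a chart part


def hidden_payloads(pptx_bytes):
    """Return a report of embedded files, externally linked charts and cached values."""
    report = {"embedded_files": [], "charts_with_external_data": [], "cached_values": 0}
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as zf:
        for name in zf.namelist():
            if EMBED_RE.match(name):
                report["embedded_files"].append(name)
            elif CHART_RE.match(name):
                xml = zf.read(name).decode("utf-8", "replace")
                if "<c:externalData" in xml:
                    report["charts_with_external_data"].append(name)
                report["cached_values"] += len(CACHE_V_RE.findall(xml))
    return report


def build_sample_pptx():
    """Constructed sample deck: one chart linked to an embedded workbook."""
    chart_xml = (
        '<c:chartSpace xmlns:c="http://schemas.openxmlformats.org/drawingml/2006/chart" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<c:chart><c:plotArea><c:barChart><c:ser><c:cat><c:strRef><c:strCache>'
        '<c:pt idx="0"><c:v>Record A</c:v></c:pt><c:pt idx="1"><c:v>Record B</c:v></c:pt>'
        '</c:strCache></c:strRef></c:cat></c:ser></c:barChart></c:plotArea></c:chart>'
        '<c:externalData r:id="rId1"/></c:chartSpace>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        zf.writestr("ppt/charts/chart1.xml", chart_xml)
        zf.writestr("ppt/embeddings/Microsoft_Excel_Worksheet1.xlsx", b"PK\x03\x04 stub")
    return buf.getvalue()


if __name__ == "__main__":
    print(hidden_payloads(build_sample_pptx()))
```

A non-empty `embedded_files` or `charts_with_external_data` list is the signal to strip or relink the charts before the deck leaves the organization.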

Christine Hickey, the cancer center’s director of communications, told the Press Wednesday that “in some cases Social Security numbers” were included in the exposure. She said she didn’t know “when the data was sent to the website” and that it was unclear how many patients were affected, but that the data leak was discovered and the files were taken down in April.

The cancer center’s written statement to the Press Wednesday stated: “As part of our ongoing data security efforts, Memorial Sloan-Kettering Cancer Center recently discovered a data incident that may have resulted in exposure of clinical data and private information on the Web pages of two medical professional organizations.”

But the letter patients have been receiving states that the data went to only one “organization’s website,” not two.

Hickey clarified the cancer center’s explanation in an emailed response Thursday to a Press follow-up question regarding whether or not the Social Security numbers of affected patients were embedded on the unsecure websites.

“As we discussed, in some cases Social Security numbers were embedded and in others they were not,” she wrote. “We had different letters to patients depending on the specific circumstances.”

This week’s correspondence to patients continues:

“On September 29, 2005, the presentation was provided to a professional organization for a medical conference. It was posted to the organization’s website from October 16, 2005 to April 13, 2012. MSKCC found the data hidden within the presentation on April 11, 2012, and took prompt action. As a result, the organization removed the file from its website right away and deleted all copies.”

Memorial Sloan-Kettering has conducted a full investigation in an effort to contain this data incident, it states. The presentation is no longer in use by staffers and has been deleted from their files, it continues, before adding:

“We also found that the presentation was accessed by visitors to the website, but unfortunately it is not possible to identify these people and we do not know whether they kept copies of the file.

“To date, we have no indication that any of the data contained in the file has been misused,” it assures. “We also have no indication that users who accessed the presentation became aware of the hidden data behind the graphs. Nevertheless, your information was accessible during the time it remained on the website because the file was not encrypted or password-protected.”

Memorial Sloan-Kettering’s notification did little to calm some of the affected patients, however.

“I feel violated,” says one recipient of the Memorial Sloan-Kettering letter who lives on Long Island and who wished to remain anonymous due to her status as a current patient. “I don’t understand why the government doesn’t regulate or monitor these things to make sure they don’t happen.

“You get sick. You give them your information. You trust them. And then they leak your information,” she adds.

The patient expressed particular disgust and frustration over the Memorial Sloan-Kettering leak because it was the second time in as many days that she had received such news. Bethpage Federal Credit Union informed her Tuesday that some of her personal information and financial data was erroneously posted online in a snafu by a former employee, affecting nearly 86,000 members.

Only Visa debit card holders were affected in that incident, said Kirk Kordeleski, the credit union’s president; no Social Security numbers were included and no fraud has been detected.

Memorial Sloan-Kettering’s handling of the data leak contrasts with that of Bethpage Federal Credit Union. Where the latter’s president actively answered questions about the snafu from media outlets in an effort to educate the public and spread awareness about the leak—and posted the letter informing members on its website—the cancer center has not.