California Court Posts SSNs, Medical Records
Lucas123 writes "California's Riverside County Superior Court's Web site is serving up document images containing SSNs and detailed medical records relating to civil cases, according to a couple of privacy advocates. All of the documents are free to anyone who knows where to look for them. 'Searches done on the court's Web site turned up various documents related to civil cases that contained sensitive information. Included were complete tax filings, medical reports pertaining to cases handled by the court, and images of checks complete with signatures as well as account and bank-routing numbers.'"
Well, the layout and general ugliness of the site gives an indication as to what could possibly be driving the website.
<meta name="GENERATOR" content="Microsoft FrontPage 6.0">
Ah, a clue!
Only YOU care if your information is made public. There is absolutely no reason for any public or private organization to give a shit, and they make that evident over and over. Until it is more cost effective for them to protect the info than to leak it they will continue to do so. And that's never going to happen.
Bravo to California, Bastion of Democracy... It does raise a question though: How do FOIA requests match up with HIPAA regulations? FOIA generally allows you information on government happenings; HIPAA gives strict guidelines about privacy of Personal Health Information. Which takes precedence?
So, who's going to be the first to file a DMCA take-down notice on the court?
Which is why we need legislation that will fine them for releasing that information.
Another idea would be to demote the person who made the decision to post that stuff publicly to Official Identity Theft Aftermath Cleanup Technician.
the answer is to stop using them for credit scores and ID.
The Kruger Dunning explains most post on
2. You are entitled to at least ONE free credit report per year and depending on your state maybe more. Federal Trade Commission's site is the ONLY truly free credit report. Those other sites are trying to sell you other stuff and they're not on the up and up.
3. Check ALL of your bank and credit card statements every month.
4. Any fishiness, file a police report (they won't do anything about it because they have "more important things to do"). That way you'll have a legal document stating that this has happened.
5. Contact a lawyer to see what you can do to penalize such incompetence.
The more you tell your life to government (and anyone really), the more it will find its way into general knowledge. This is one of the reasons I'm against any "universal" government program. Heck, it doesn't even have to be medical records. Think back to the recent passport flap with high profile politicians. The government is not looking out for you.
Most court proceedings are a matter of public record unless a judge orders them sealed. It should be this way too because we have a legitimate interest in what is going on in our courts. That information is probably relevant to the decisions on the quality of the proceedings much of the time. Frankly as much as it's unfortunate for the people and organizations that find themselves in the court rooms, it's probably the right thing to do to publish those items.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
once they filch a #, is run it through credit check sites. that's how you know you've been filched, when you see the charges on your bill.
In some courts, "public" information is routinely redacted. You have to get a court order or be someone special to see the originals.
This also applies to evidence in criminal cases too. If I defraud 10 people's bank accounts at ACME Bank, those account numbers may be redacted depending on the court and whether the accounts are still active. If I'm on trial for k1dd13 p0rn or stealing nuclear secrets you can bet the main evidence will be sealed from public view.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
If you're really paranoid about identity theft, then go for one of the credit monitoring services run by a credit bureau. The one I've found most useful is truecredit.com, which is run by TransUnion (which, by the way, is by far the easiest credit bureau to deal with in my opinion). It costs a little more than most others ($14.95 per month) but it allows you to update your credit report from all three bureaus as often as you want (daily if you really want to) and offers online dispute filing for all three as well. It works well too, I filed a dispute to Experian through my truecredit.com account and it was resolved within a week.
By the way, I don't work for them or have any connection with any of the credit bureaus other than having to depend on them if I want to get a loan for anything, but I've tried a few credit monitoring services, and that one is by far the best. The only drawback is they often (like every time you log in) try to give you an ad for some "affiliate service" but Adblock Plus has blocked every single one so far, so it just means an extra click on a "continue" button.
I love the fact that this is a California court. California being the leader in privacy protection and breach notifications and everything with their landmark SB-1386 legislation.
This is another perfect example of the federal government not enforcing HIPAA whatsoever. It's a great standard. Like PCI, easy to read, very prescriptive, and leaves little room for interpretation. Unfortunately, because of the way it was put into effect, it will likely never be enforced.
The only fallback that people have legally is that California privacy bill that's mentioned in section 12 of PCI.
-- http://www.criticalassets.com
While it is unfortunate that such things as SSN's are being made public, the hard reality is that anything contained in a court record is public information.
Open access to government is a two way street, and is meant to prevent corruption and give the public a clear view what their government is doing.
On a side note, my county also publishes court records on the internet that are public information. However, it is limited to the court schedule, case#, charge, and attorney schedule.
The fact that this schedule is public information is still not a concept some people are aware of. I've heard stories from court employees of upset people coming in and demanding that their DUI case be taken down from being publicly viewable. Unfortunately for these people, the law says otherwise.
I even have personal experience in some of the reactions people have to this publicly available information after I posted a link to the county courthouse on one of my websites. A company called Caton Commercial even went so far as to have their attorney draft a cease and desist letter threatening me with legal action, and demanding that I remove this linked information, and turn over my legal domains to them to stop this 'knowingly libelous' action. Although, I'm not sure that they thought through how they were going to present to a judge their case that the court's own website schedule was the source of this so-called libelous information. Like every other company before that has failed to grasp the concept of the internet, all the attention this brought to the linked information was a lovely demonstration of the 'Streisand Effect'. Once again, adding more weight to the phrase 'more dollars than sense'.
Social security account numbers and related records that are obtained or maintained by authorized persons pursuant to any provision of law enacted on or after October 1, 1990, shall be confidential, and no authorized person shall disclose any such social security account number or related record.
So I really can't imagine the court can defend this in any way at all.
I don't know how it is now but before 9/11 an adult could get a passport if they had two people testify that they knew the person well for 10 years.
The intent was so Ma The Farmer's Wife who never had a birth certificate or driver's license could get a passport even if she'd lost her family Bible and birth records in a fire and the doctor or midwife who birthed her was also dead. She could round up a few people who knew her for a long time and get a passport.
These days, with very few Americans under 50 lacking birth certificates and almost every adult and child with a Social Security card, the need for this "undocumented non-alien" provision is greatly reduced.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Freezing your credit is better than a monitoring service because with freezing nobody, even you, can open a new line of credit (you have to "thaw it" for a fee of course, in order to open any new line of credit.) Monitoring services can still allow someone to open a line of credit - you just know about it before pulling your credit report.
Just to see how it's done, have a look at the way the Italian Government handled things (http://news.bbc.co.uk/1/hi/world/europe/7376608.stm).
See? Now *that's* what I call disclosure. Those piddly efforts in California don't even come close.
Let's face it, the concept of a SSN being a positive identification needs to just stop. Do I have a solution? No, but the fact that somebody can walk into a bank and open an account in my name simply by possessing my publicly available address, and a 9 digit number needs to be looked at as an absolute failure. The tin foil hat wearing crowd will object until the very end, but IMHO biometrics need to become the standard. A retina scan is something that is not easily forged (I'm not saying it's not possible, but I don't know of any existing tech. that does it). Smart card technology is only going to get better and, as encryption gets stronger, people need to start trusting it more. I would absolutely not be opposed to an ID with my photo, and a retina scan embedded onto a smart card as a form of positive id. Should I have to submit to a retina scan in order to buy a drink? Absolutely not, but the credit system is about to die. It simply isn't something that can be trusted anymore. It is far far far FAR too easy to snatch somebody's identity.
HIPAA
Somebody's in some DEEP SHIT over that. IINM a judge can't order that a federal law be broken unless that law has been deemed unconstitutional.
mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
They say that if I am a good citizen who is following the rules, then I should have nothing to hide, and shouldn't mind a high level of governmental monitoring of my private life.
Well I DO have something to hide *from criminals.*
The data that the government monitors gets stored and handled by an incompetent IT staff overseen by decision-makers who are even less competent. The level of data tracking that the government insists it is justified in doing directly harms the people being tracked, not because of abuse from the government itself (though that is debatable, of course), but because of abuse from the criminals who manage to gain access to that data.
HIPAA is the Health Insurance Portability and Accountability Act of 1996. It regulates Health Insurance. It contains a Privacy Standard that regulates how Protected Health Information (PHI) may be used. A little piece of it says that your SSI# can't be used as your ID number in health insurance. There are still lots of legitimate uses for that number both in and out of health insurance.
Nothing in HIPAA has anything to do with the court system. I want court records to be public documents. I want unredacted court records to be public documents. We don't need secret courts and we don't need secret police, whatever George Bush might think.
Some mornings it's hardly worth chewing through the restraints to get out of bed.
It only exists to make money for lawyers.
If you have ever been unlucky enough to be involved with a lawsuit, you know how greedy and "entitled" these "officers of the court" are.
Unfortunately, all of the costs of identity fraud are borne by the consumer, while all of the benefits of quick/insecure identification are reaped by the lending industry.
Strong and secure methods of identification and verification need to make their way into the financial world, but changing the existing infrastructure is expensive, so it isn't going to happen. At least, not until some enterprising individual has their identity stolen and successfully manages to sue the lending industry for fraud...
"We have to go forth and crush every world view that doesn't believe in tolerance and free speech." - David Brin
Seriously.
Perhaps if we placed MORE value on integrity - people would behave better.
Not likely but a Calvinist can hope!
Take a big fat sharpie and black out all account and SS #'s. Really.
Add to that the problem of Public Records - if you charge to access them (presumably to limit access), they're no longer public. Public Records also have all the other problems you find in "human based documents" - misspellings, typos, grammatical mistakes, etc. Public Records are one of those things that remind me of Winston Churchill's comment about Democracy - "Democracy is the worst form of government except for all those other forms that have been tried from time to time."
Haven't these people heard of computers? You know, those things you use to rapidly search for digital needles in digital haystacks?
Doesn't it make you feel good to know that our freedoms are protected by politicians, lawyers and journalists.
Remember kids, if you are a public interest blog, you are gagged for simply having the POTENTIAL to release this information.
It's perfectly ok though for the federal government to actually do it.
VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
FOIA has some exclusions, but it doesn't matter because HIPAA is a joke.
For example:
I used to be a full time preventer of natural selection (firefighter/paramedic) working for a city government. Under the FOIA they were supposed to release our information excluding a few tidbits like SSN, medical screening, etc. However, it was only applied when it benefited the city. If a reporter wanted to inspect an employee's file, if the reporter was a city friendly one, they wouldn't remove or blank out any personal information. However, if the reporter was touching on a sensitive area or had a past of irritating the city, they would use the exclusions to delay and only release partial information. Whenever it served a purpose, HIPAA was used as a loophole around the FOIA.
As for HIPAA, naturally, when someone would call for an ambulance, we would obtain personal medical information and their SSN (SSN was required to be collected by the state for statistics, whole different issue). This information was documented on a medical report which was stored, passed to the receiving hospital, and reported to the state. Name, address, age, medical issue, and what treatment you received was also documented in a journal.
Originally, when HIPAA went into effect, the attorneys determined that we didn't need to comply because according to the definitions in HIPAA, we were not health care workers. Later on they determined that even though we didn't NEED to comply, that they could cut down on requests for reports if we blocked out some of the more interesting sections before releasing them. The legitimacy and ethicalness of releasing some of this info was brought up numerous times only to have FOIA used as the justification. Since HIPAA allows sensitive information to be released if it is needed to conduct your service, FOIA becomes a huge loophole.
So, when it's all said and done, if someone (maybe not even you) called an ambulance for you, it could then be public information if you had a drug problem, AIDS complications, attempted suicide, needed extricated from a goat, as well as your name, age, and address. This was documented in the journal which was public and never censored. BTW, if you weren't cooperative by answering everything we needed you HAD to go into the hospital (an additional issue).
On a separate note, the papers used to publish every call including the person's name, address, and problem.
1000 persons info released,
ALL management SSN/etc. info posted, person-by-person.
The mgt & the screwed-customers can TOGETHER set about re-constructing their lives.
Mgt won't do it *again*, see...
( experience is the only force that makes meaningful understanding )
Judges and court clerks should be required to take a privacy course and be responsible entering private information (such as SSNs, signature, bank routing numbers, etc...) into public record. I second that we need well defined legislation that covers public and private entities from this wrong doing. I agree that some information should be made public (only in court cases), but in many cases a judge's judgement or order can describe that information in a more vague way. With the recent trend in identity theft and online court records this will be important. Also, for those who believe all court records should be made public, please consider if you were prosecuting someone for defamation or libel (your ex spouse blogged false and defamatory statements about you online). If you tried prosecuting something like that, you would draw publicity and open up the very private matter you were trying to fix.
There are such things as HIPAA laws that are meant to protect medical information. I have dealt with this a bit in my last job writing code for insurance companies. There is a whole pile of regulations that need to be followed.
The court put up their public files online. Some clerks forgot to blank out or scanned in the wrong papers just a few times out of the hundreds of thousands of records, and a few social security numbers got accidentally released. Why isn't this expected just as a part of human error, when companies are leaking thousands at a time due to the acts of rogue database operators looking to make a buck?
I'll bet I can find more social security numbers and bank account numbers from my apartment dumpster than is on that website.
Absolutely- if you're looking to prevent identity theft, rather than learn about it after the fact, a security freeze (sometimes called a credit freeze) is the way to go.
Credit monitoring is expensive and does nothing to stop ID theft. Sure, if somebody does use your identity fraudulently, you'll get an e-mail about it but the damage is already done.
You're paying $180/year just to learn you've been screwed sometime after it happens!
On the other hand, security freezes lock your credit reports with a PIN. No one can take out a line of credit without that PIN.
And it's only $30/year, plus $10 when you want to temporarily unfreeze it.
Unless you take out more than one loan a month, you're saving money over credit monitoring. Plus, you're getting ID theft security that is proactive, rather than reactive.
Credit monitoring is good if you want to buy your credit reports in bulk or if you want to check your credit score every day. But as an identity theft solution? Sorry, I'm not sold!
If they cause irreparable damages or harm, they can still be held liable.
There is no two way street here. There is no reason we can't have an open government without web cams in our toilet seats. Do not be ridiculous.
It doesn't take a rocket scientist to know the risks. If it were anyone else they would surely accuse them of intentional endangerment.
Why do we just not make the jump and make everything public?
Our information is out there. It is getting leaked. It is being rampantly abused. Why not just make all of our information public?
Why not create nice, neat databases with comfortable user interfaces that can query all of your, currently, personal information? And apply this to *every* one and *every* organization. No clauses for 'national security'. Everyone gets to know everything about everyone whenever they want.
Works well with cameras everywhere and GPS. Should we issue $100,000 in credit in your name? Well... you passed the DNA, finger-print, and retina tests and had the appropriate federal ID and pin; but, let's check the camera closest to your location to make sure that it is you too...
And you could watch our president 24/7 (as well as any other government official you wanted). Rummage through all their financial information and determine where their special interests are.
Of course, server rooms and back-up/long-term storage would have to be monitored as well and the information kept for as long as the media would allow.
True, an oppressive regime *could* abuse this system by turning off the surveillance, however, if we had a well armed and educated populace, this would not be an issue. (Before someone asks, yes, I'm ok with civilians having anti-tank, and larger, weapons. I wish basic arms could be a *requirement*.)
[insert witty comment here]
It's funny how everybody here gripes and moans about freedom of information and whatnot, but when something is provided you just want to complain about that.
This is an example of a government agency trying to make public information available to the public. All of the cases shown are civil cases which have been filed by persons in the court. All of the information was given to the court by the persons involved because of the civil cases they started. The information contained within the documents is public information. A reasonable person would know that. I don't see any reason a social security number should EVER even be needed within a civil case. If you don't want it becoming part of public record don't place it with a public agency that is required to disclose the records in the name of free information.
Regarding the checks that are viewable online it is a moot point. You can use a bank account and routing number and put it on a check with any name on it and it will fly at any bank (except usually for the originating bank) or supermarket. Online checks are even better because you don't even have to sign them or see anybody that may be able to identify you at some future point.
It's not like they're showing you the documents regarding criminal cases (you can only get the minutes). You'll see that if you search for someone's name in a criminal matter you'll only get birth month and year and basic description, which is necessary because you have some common names. Example, Search in the desert court for "Fred Garcia." You'll see a Fred Garcia (multiple times, different aliases) with a birthday of 06/1975. It appears he is scum of society, with multiple pending cases for burglary, robbery, possession of stolen property, possession of controlled substances, battery, and resisting, obstructing, or delaying a peace officer. Which is different from Freddy Garcia 11/1981, who only has minor traffic violations. If you want to have fun try, "Jose Vasquez" or "Juan Perez."
I'd assume the only reason he is not in jail or prison right now is because people whine about the prisoners being victims of not enough bed space and such. What about the people that these guys victimize, when they get out they just do it again and there are more real victims. Jail and prison is not supposed to be a fucking resort with free health care, it's a punishment for doing something offensive to society.
I believe they're doing a good job of making it easy to access information that is available to the public. They also do a decent job of withholding information that could easily be abused. Instead, we should be talking about how nice it is that they have made this effort and perhaps have a comment or two about how it could be made better. It's like watching the Olympics and instead of congratulating the guy who won, talking about any mistake he made while winning while ignoring the gold medal.
Nothing will ever be good enough. Government will always suck because no policy will ever appeal to everybody. The police will always be oppressive because people don't like being punished for what they've done. Etc. etc. etc.
I suggest most of you go to your local police department and ask to go on a ride along. Most departments allow them to people without criminal records. My first ride along was an eye opener. Perhaps you will get a better grasp on what happens in the rest of the world while you're text messaging, using your latest gadget, or installing Linux on your refrigerator.
I know these seem like senseless ramblings, my point is you all whine too much.
---------
Swearing is the crutch of inarticulate mother fuckers.
Can I whine about your whining about whining?
[insert witty comment here]
Most certainly not. :)
---------
Swearing is the crutch of inarticulate mother fuckers.
Buuuuuuuuuuuuuuuuuuuuuuuuuuuuuuut I neeeeeeeeeeeeeeeeeeeeeeeeeed to be able to whine about your whining about whining.... pullllllllease......
[insert witty comment here]
I believe this is a breach of HIPAA federal regulations as well.
You're all looking at the wrong server. (not to mention RTFA...) The article isn't talking about medical records systems or doctor/hospital systems. The abstract clearly says it is a court system serving up civil case records. Health care systems? Huh???
The server http://www.riverside.courts.ca.gov/ is just the main directory for all of the court's web presence. You did notice that there aren't any personal documents there didn't you?
The court records are served up from: http://public-access.riverside.courts.ca.gov/
The Microsoft tags are conspicuously absent. In fact the cleanliness of the headers would lead me to believe it was some sort of *nix box. It doesn't make a difference because the problem isn't the OS.
The problem is the data that they are serving up. They have a legal requirement to clean the records of tax ID numbers so this will probably be cleaned up now that they have been publicly embarrassed.
Seems a local bank (one that apparently doesn't scan in all their checks before shipping them out to a check-processing house) gathers up all the negotiable instruments (checks, mostly), puts them in a pouch and gives them to a bonded courier.
On one particular day, the courier stopped off somewhere during the not-so-swift completion of his appointed rounds. And, while s/he was out of the vehicle, the pouch was stolen. (The couriers are used to take the bank's "work," they call it, to a check-reading, inputting/keyboarding/scanning company 50 or 60 miles away, in this particular case.)
The subject bank intended to send a letter to everyone whose checks were stolen to stop payment on them, and show the letter to each person's bank to request that the $25 or so stop-payment fee be forgiven. However, as subject bank had no record of what checks were stolen, they were hard-pressed to send the letters out. (They had input the depositors' figures and credited his/her account with that amount, subject to possible adjustment later.)
About a week after this theft took place, my bank called me to ask if I had faxed them a $6,850 wire transfer request. On it were my name, address, bank routing number, account number, all that good stuff. The payee was to have been a bank in Japan (cool, hunh?!).
Of course both my bank and the subject bank said this effort was a naïve, amateurish one, inasmuch as the bank(s) would never, ever make a wire transfer without the transferor showing up in person and signing the transfer authorization document.
But I confess that seeing all my check information -- in differing fonts, mind you (bold sans serif for my name, light-face sans serif, in smaller point size, for street/city/state address) -- left me with a slightly uncomfortable feeling. It's bad enough that folks like my grocery store (Hannafords) and retailers like TJ-Max, or TJX corp, lose millions of digital records (with the thieves apparently having physical access to the computers, in Hannaford's case), but when they can't even keep control of the analog documents themselves, wowsers. Double-plus-ungood.
Saw this video today regarding the Riverside Court exposing the thousands of social security numbers. Definitely looks like they have their hands full. http://www.vimeo.com/988775