It?s hard to believe that the state would allow this information out but what is really interesting is that they allowed the personally identifiable information out. If the research was valid (needed) then fine, do it, but make sure you take steps needed to protect the data and the identities of those involved. It?s very doubtful that the name, SSN and address of these individuals were needed to do the research. If it was needed to tie files together, then that information should have been substituted with some other form of key and not used to tie back to name, sSSN, etc. There is a little law called HIPAA that is suppose to protect this data. I hope there is a good amount of legal action taken against the state and the university for this. Maybe then people will start taking it seriously...

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/articles/9758/28822#28822