update 9/24/99
So far only one news media outlet has followed up on this story - ZDTV
has managed to find out where the hospital is: Pontiac, Michigan. After
broadcasting this as the lead item in their nightly newscast, ZDTV found
that the dictating system was manufactured by Dictaphone and is apparently
used at hospitals all over the place. (If you know of such a system at
another hospital, please let us know so we can determine if private
patient records are vulnerable in other locations.) As of now, the
system in Pontiac is no longer reachable.
A simple scan of toll-free numbers has turned up a very disturbing item
and one which we fear may be all too commonplace.
Somewhere in the United States an institution known as St. Joseph's
Mercy Hospital has confidential patient records accessible on this
number with NO PASSWORD or security of
any significance. The system allows doctors to dictate all kinds of
information about their patients, ranging from admitting/discharge
data, cardiac records, mental health records, and an almost unending
amount of personal information that SHOULD NOT BE PUBLICLY AVAILABLE!
Yet it is, and with every passing day more patient records are
being left out for anyone to examine.
This incredible security breach was reported on WBAI's Off The Hook
on September 21, 1999. We're still trying to find out which hospital
this system belongs to. Because of the sensitive and private nature
of this system, we're not disclosing the toll-free number as that would
inevitably lead to patient records being altered or erased since there
are no passwords on the system. However, we are publishing audio files
that show just how much private information is available to anyone
with a touch tone phone. Out of respect for privacy, we are bleeping
out names and personal info. We will continue to add files to this
collection until the system is fixed.
Perhaps this action of ours will anger some people. We hope it does.
And we also hope they direct their anger at the proper target - namely
the people who design systems so wide open that anyone in the world
could do what we did. Hackers don't create these problems - they
discover them. Many times though, hackers get the full blame. But in a case
like this, we believe that staying quiet would be almost as bad as betraying
these patients' privacy by operating such a shoddy system.
As promised, the following RealAudio clip is of a call to this number. Certain touch tones and names have been beeped out to protect the innocent, others have been left in to damn the guilty. Long silences have also been edited out.
Call #1:
Download RealAudio clip
Stream RealAudio clip