theDataMap

Documenting all the places
personal data goes.

healthDataMap




A researcher receives data from many possible sources, including:

from health payers (e.g., insurance companies) for outcomes studies and economic analyses,

from pharmaceutical companies for clinical trials and drug studies,

from healthcare providers (e.g., hospitals) for outcomes studies and workflow analyses,

from discharge data for a variety of studies (see below),

from public health for a variety of population-based studies,

from you for various forms of consent-based research, and

from combinations of these.

Examples

National Bureau of Economic Research is a private, nonprofit research organization focused on the economy. The National Bureau of Economic Research purchases Discharge Data from at least 3 states: CA, MA, NY [source].

  

Advanced Clinical Research Institute had a data breach in 2012, in California. A vehicle containing paper records was impounded overnight. Some papers with the sensitive information of research participants were discovered missing when the vehicle was reclaimed. The breach occurred on or around January 26. [source].

  

Pacific Institute for Research and Evaluation is a research organization focused on health and social issues, including criminal justice. The Pacific Institute for Research and Evaluation purchases Discharge Data from at least 3 states: CA, NY, WA [source].

  

Aegis Science Corporation had a data breach in 2011, in Georgia. A laptop and external hard drive containing patient information were stolen from a locked vehicle owned by an Aegis employee on November 22, 2011. The external hard drive contained names and Social Security numbers. It may have also contained driver's license numbers, dates of birth, and phone numbers. Though Aegis provides lab tests, results and medical records were not exposed. [source].

  

Yale University is an Ivy League university in New Haven, Connecticut. Yale University purchases Discharge Data from at least 3 states: CA, MA, NY [source].

  

Feinstein Institute for Medical Research had a data breach in 2012, in New York. A laptop stolen on or around September 2, 2012 contained current and former patient names, Social Security numbers, and other personal information. The laptop was taken from the car of a contractor or employee and may have also contained current and former patient mailing addresses, dates of birth, and medical information. Participants in about 50 different research studies that date back an unknown number of years were affected. (13000 records involved) [source].

  

Health Council Of South Florida purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Kansas University had a data breach in 2007, in Kansas. A number of documents containing Kansas University student, faculty and staff personal information were recovered from the recycling and trash in the Mathematics Department at Kansas University. The information included student exams, student change of grade forms, class rosters, copies of health insurance cards, copies of immigration forms as well as a copy of a Social Security card. [source].

  

John Snow, Inc Karen Schnieder purchases statewide personal hospital discharge data from at least NJ [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Morris Heights Health Center had a data breach in 2011, in New York. A laptop was stolen from the area of MS 399/MS 459. It contained student information from the 2009-2010 school year such as names, dates of birth, genders, heights, weights, body mass indexes, ethnicity, asthma diagnoses, and influenza vaccination information. [source].

  

Abt Associates Inc purchases statewide personal hospital discharge data from at least CA, WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

New York Academy of Medicine had a data breach in 2007, in New York. A computer was stolen during an office burglary on October 28. The last four digits of research participants' Social Security numbers, full names and dates of birth were on a database on the computer. Some participants also had their addresses and laboratory data exposed. [source].

  

Advancement Project, Healthy City purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Radford University, Waldron School of Health and Human Services had a data breach in 2007, in Virginia. A computer security breach exposed the personal information, including SSNs, of children enrolled in the FAMIS program, Family Access to Medical Insurance Security. (2400 records involved) [source].

  

Albert Einstein College Of Medicine purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

St. Louis University had a data breach in 2011, in Missouri. The University's network was hacked on December 12, 2010. The breach was discovered on December 13 and a statement was available on the University's website on January 31, 2011. Eight hundred students and 12,000 current and former employees and contractors were affected. Only people who worked for Saint Louis University at some point had their Social Security numbers exposed. Some students who received counseling through the University's Student Health Services may have had their names, dates of birth, tests, diagnosis and treatment information exposed. (12000 records involved) [source].

  

Arizona State University purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Temple University School of Medicine had a data breach in 2011, in Pennsylvania. A former Chair of the University's Department of Ophthalmology and Assistant Dean for Medical Affairs faces 144 counts of health care fraud and making false statements in health care matters. The former faculty member and doctor is accused of causing thousands of false claims to be submitted to health care benefits programs between 2002 and 2007. The former faculty member allegedly instructed staff members to bring patient charts from other doctors to his office. Patient charts were improperly stored outside of his office and then fraudulently edited to make it seem as though the former faculty member had seen and evaluated the patients. The prosecution claims that after falsifying the documents, the former faculty member collected fees for services he had never performed. The former faculty member is also accused of falsifying the records of patients he had seen. The false claims may total more than $3,000,000. [source].

  

Baker Institute/Rice University purchases statewide personal hospital discharge data from at least NJ [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

University of Alabama had a data breach in 2009, in Alabama. Seventeen of 400 databases were tapped by hackers. Personal information may have been stolen. One of those computers contained lab results for people tested at the campus medical center. The servers had a database containing 37,000 records of lab data. They contain the names, addresses, birthdates and Social Security numbers of each person who has had lab work, such as a blood or urine test, done on the UA campus since 1994. (37000 records involved) [source].

  

Baylor College Of Medicine purchases statewide personal hospital discharge data from at least TX [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

University of California, Berkeley had a data breach in 2009, in California. Hackers infiltrated restricted computer databases. Personal information of 160,000 current and former students and alumni may have been stolen. The University says Social Security numbers, health insurance information and non-treatment medical records dating back to 1999 were accessed. The breach was discovered April 21, 2009, when administrators performing routine maintenance identified messages left by the hackers. They found that restricted electronic databases had been illegally accessed by hackers beginning on October 9, 2008 and continuing until April 6, 2009. All of the exposed databases were removed from service to prevent further attacks. (160000 records involved) [source].

  

Baylor University purchases statewide personal hospital discharge data from at least CA, NJ, WA, IL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

University of California, San Francisco (UCSF) had a data breach in 2007, in California. A computer file server containing names, contact information, and Social Security numbers for study subjects and potential study subjects related to research on causes and cures for different types of cancer was stolen from a locked UCSF office. For some individuals, the files also included personal health information. (3000 records involved) [source].

  

Biddle Law Library, University Of Pennsylvania purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

University of Florida had a data breach in 2010, in Florida. Social Security numbers or Medicaid identification numbers were shared with a telephone survey company and included on address labels sent out to request research participation. The letters were sent through the U.S. Postal Service on May 24th and the issue was discovered on June 6th. (2,047 records involved) [source].

  

Boston University purchases statewide personal hospital discharge data from at least NY [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

University of Iowa Department of Psychology had a data breach in 2006, in Iowa. A computer containing SSNs of 14,500 psychology department research study subjects was the object of an automated attack designed to store pirated video files for subsequent distribution. (14500 records involved) [source].

  

Boston University School Of Medicine purchases statewide personal hospital discharge data from at least CA, FL, ME [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

University of Mississippi Medical Center and Mississippi State Department of Health had a data breach in 2011, in Mississippi. Research study participants may have had their personal information exposed by the theft of a laptop. The laptop was stolen when UMMC employees left the laptop unsecured for a short period of time against departmental guidelines. It was reported stolen on October 31, and the employees who left it unsecured were disciplined. Two databases with research related health information were on the laptop. One had the age, sex, race, medical record number, zip code, and lab results of 1,400 patients. The other database contained unspecified protected health information from 75 patients. [source].

  

Brown University purchases statewide personal hospital discharge data from at least FL, CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

University of North Carolina, Chapel Hill had a data breach in 2009, in North Carolina. A hacker has infiltrated a computer server housing the personal data of 236,000 women enrolled in a UNC Chapel Hill research study. The Social Security numbers of 163,000 participants were among the information exposed. The data is part of the Carolina Mammography Registry, a 14-year-old project that compiles and analyzes mammography data submitted by radiologists across North Carolina. UPDATE (10/6/10): A lead researcher at the University is fighting a demotion and pay cut that resulted from the data breach in the medical study she directs. It appears that the incident first occurred in 2007 and was not discovered until 2009. An attorney representing the researcher claims that his client is not at fault because the University knew that the program's computer system had security deficiencies in 2006. The University claims that the researcher acted negligently, but the attorney claims that the researcher was not alerted to the security flaws and there is no evidence that the researcher violated or ignored rules in obtaining patient information. UPDATE (5/9/2011): The researcher and University reached a settlement. The researcher agreed to retire at the end of 2011 and will receive her full rank and salary until that time. (163,000 records involved) [source].

  

Cal State Fresno/Central Valley Health Policy Inst purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

University of Washington Hospital had a data breach in 2011, in Washington. A customer purchased a piece of furniture from the University's Surplus Store that had the medical records of patients. The information in the records was mostly x-ray and MRI images of spines. [source].

  

California Healthcare Foundation purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Wentworth Institute of Technology had a data breach in 2011, in Massachusetts. On December 22 of 2010, Wentworth became aware of a breach that left sensitive student information online. A file was accidentally placed on Wentworth's website at some point. Current and former students may have had their names, Social Security numbers, dates of birth and medical information exposed. (1300 records involved) [source].

  
  




Copyright © 2012-2016 President and Fellows Harvard University.