Jim Dwyer provides additional details and commentary on a breach involving research participants’ data held by the New York State Psychiatric Institute.
[The research participants] included, among others, schoolchildren directly exposed to the events of Sept. 11; Puerto Rican youth; severely emotionally disturbed young people in Westchester County and their caretakers; people in the Bronx suffering from post-traumatic stress who have family in the criminal justice system; students at three schools in Queens and four others in Washington Heights, Manhattan, whose mental health needs were being assessed.
It was a hack with different fingers, infiltrating two servers operated by the State of New York and plucking out information of varying calibers. For about 9,000 people, it captured the kind of data that is sold to identity thieves, like names, addresses and so forth.
But also stored in the servers was what people had to say about trauma, and how they were tossed about by the many storms of human existence — or weathered them. This is useful and powerful information for researchers.
From Dwyer’s report, it sounds like the institute was using certain protocols to de-identify the participants. But was it enough to protect them?
Perhaps. What would have made the data far more difficult to read than simple coding would be encryption, a digital lockbox that is very hard to pick. It thwarts hackers the same way a house safe can stymie burglars: They can break in but cannot get away with the valuables. The state contends that encryption is not practical for active research, though it is used in many fast-paced businesses.
Of additional concern, Dwyer reports that the state learned of the breach from federal authorities. He does not explain how the federal authorities became aware of the breach. Did they find the data up for sale on the Dark Web? Were they monitoring a forum where someone bragged about the breach?
Read more on the New York Times.