In 1973, President Richard Nixon’s Chief of Staff H.R. Haldeman warned White House Counsel John Dean against talking to prosecutors investigating the growing Watergate scandal, telling him “Once the toothpaste is out of the tube, it’s going to be very hard to get it back in,” and a useful idiom was born. Personal electronic data, including protected health information, once disclosed, can be equally difficult to recapture and contain.
A recent article in Slate entitled You Can’t Clean Up a Data Spill describes the obstacles to effectively remediating a data breach or improper disclosure in the wake of revelations about the breach involving Facebook data and Cambridge Analytica. As author April Glaser stated, “There’s no such thing as a cleanup site for data spills. That’s because when data leaks, it can be duplicated far faster than anyone can mop it up.”
Cambridge Analytica, a British political consulting firm, provided research, data mining and communication services to campaigns including those of Ted Cruz and Donald Trump. The firm claimed to have developed “psychographic” profiles of voters that could predict their personality traits and political leanings. The New York Times reported that the firm had harvested information from the Facebook profiles of over 50 million users without their permission, and a subsequent CNN report estimates the breach may have affected up to 87 million users. The firm’s chief executive has claimed that the data had been deleted when the improper acquisition was brought to their attention two years prior to the Times article. But how much toothpaste is still in circulation, and can anything be done to recover it?
Facebook founder Mark Zuckerberg has told CNN that Cambridge Analytica provided them with a formal certification from the firm that it had deleted all user data acquired through improper means. Unfortunately, even if that is accurate, it cannot address whether the data had been copied or further disclosed prior to such deletion. According to Slate:
Tracking down and searching where that data has gone will be incredibly difficult,” says Sarah Aoun, a digital security specialist and open web fellow at the Mozilla Foundation. “I’m not even sure it would be realistic.” Maybe it would be easier if the data was “watermarked,” meaning there was some tag on the data to indicate it was the Cambridge Analytica–obtained Facebook data. But Facebook didn’t do that, as Zuckerberg explained to Wired, and even if it had, Aoun says that “any identifiable trace relating it back to Facebook can be altered and then changed and could exist in 10 different shapes and forms online or in the hands of anyone.”
The Facebook/Cambridge Analytica breach is a sobering cautionary tale for covered entities and business associates subject to HIPAA who routinely handle large amounts of PHI. Once a breach occurs and is discovered, it may be impossible to definitively account for all data that may have been copied or transmitted. All the more reason to secure the cap on your EHR tube.