The inadvertent disclosure of personal health information through peer-to-peer file sharing programs
- Khaled El Emam (1, 2, 3)
- Emilio Neri (2)
- Elizabeth Jonker (2)
- Marina Sokolova (2)
- Liam Peyton (3)
- Angelica Neisa (2)
- Teresa Scassa (4)
- (1) Department of Pediatrics, Faculty of Medicine, University of Ottawa, Ottawa, Ontario, Canada
- (2) Children's Hospital of Eastern Ontario Research Institute, Ottawa, Ontario, Canada
- (3) School of Information Technology and Engineering, University of Ottawa, Ottawa, Ontario, Canada
- (4) Common Law Section, Faculty of Law, University of Ottawa, Ottawa, Ontario, Canada
- Correspondence to Khaled El Emam, CHEO Research Institute, 401 Smyth Road, Ottawa, Ontario K1H 8L1, Canada;
- Received 19 January 2009
- Accepted 22 December 2009
Objective There has been a consistent concern about the inadvertent disclosure of personal information through peer-to-peer file sharing applications, such as Limewire and Morpheus. Examples of personal health and financial information being exposed have been published. We wanted to estimate the extent to which personal health information (PHI) is being disclosed in this way, and compare that to the extent of disclosure of personal financial information (PFI).
Design After careful review and approval of our protocol by our institutional research ethics board, files were downloaded from peer-to-peer file sharing networks and manually analyzed for the presence of PHI and PFI. The geographic region of the IP addresses was determined, and classified as either USA or Canada.
Measurement We estimated the proportion of files that contain personal health and financial information for each region. We also estimated the proportion of search terms that return files with personal health and financial information. We ascertained and discuss the ethical issues related to this study.
Results Approximately 0.4% of Canadian IP addresses had PHI, as did 0.5% of US IP addresses. There was more disclosure of financial information, at 1.7% of Canadian IP addresses and 4.7% of US IP addresses. An analysis of search terms used in these file sharing networks showed that a small percentage of the terms would return PHI and PFI files (ie, there are people successfully searching for PFI and PHI on the peer-to-peer file sharing networks).
Conclusion There is a real risk of inadvertent disclosure of PHI through peer-to-peer file sharing networks, although the risk is not as large as for PFI. Anyone keeping PHI on their computers should avoid installing file sharing applications on those computers or, if they have to use such tools, actively manage the risks of inadvertent disclosure of their own, their family's, their clients', or their patients' PHI.
Competing interests None.
Ethics approval This protocol was approved by the Research Ethics Board of the Children's Hospital of Eastern Ontario Research Institute. The CHEO RI Research Ethics Board has a Federal Wide Assurance (FWA) certificate (FWA00003131) from the Department of Health and Human Services in the USA (see http://ohrp.cit.nih.gov/search/ and search for FWA # 00003131). An FWA certificate formalizes the institution's commitment to protect human subjects, including compliance with US laws, regulations, policies, and guidelines related to the conduct of research on human subjects (http://www.hhs.gov/ohrp/humansubjects/assurance/filasurt.htm). This board also follows the Canadian Tri-Council Policy Statement on Ethical Conduct for Research Involving Humans (http://pre.ethics.gc.ca/eng/policy-politique/tcps-eptc/), which is produced by the three main research funding agencies in Canada: the Canadian Institutes for Health Research, the Natural Sciences and Engineering Research Council, and the Social Sciences and Humanities Research Council.
Provenance and peer review Not commissioned; externally peer reviewed.