Havoc sneaks in so often, we shrug. Data breaches, for instance. Hackers break into bank computers or Home Depot terminals to steal credit card numbers, dates of birth, addresses, Social Security numbers.
These are soulless numbers that make up a public identity, but not a personâs actual self.
Here, though, is a breach with a difference.
For one week in late April and early May, a hacker (or hackers) got into servers that held information provided by 22,000 people for 11 mental health studies being done at the New York State Psychiatric Institute.
These were not patients being treated at the institute, but subjects of its research.
They included, among others, schoolchildren directly exposed to the events of Sept. 11; Puerto Rican youth; severely emotional disturbed young people in Westchester County and their caretakers; people in the Bronx suffering from post-traumatic stress who have family in the criminal justice system; students at three schools in Queens and four others in Washington Heights, Manhattan, whose mental health needs were being assessed.
It was a hack with different fingers, infiltrating two servers operated by the State of New York and plucking out information of varying calibers. For about 9,000 people, it captured the kind of data that is sold to identity thieves, like names, addresses and so forth.
But also stored in the servers was what people had to say about trauma, and how they were tossed about by the many storms of human existence â or weathered them. This is useful and powerful information for researchers.
Also, possibly, to criminals.
âMedical records are among the most valuable forms of personal information in the market, and are therefore frequently stolen and heavily trafficked,â Eben Moglen, a law professor at Columbia and a technologist, said.
In this case, the information stored in the servers was coded and was not the equivalent of medical records, Dr. David H. Strauss, the director of research at the institute, said.
âThe data wasnât readily identifiable â there wasnât a medical record, or chart notes,â Dr. Strauss said. âAll the research data was coded.â
That is, when people were asked questions, the answers were recorded as numbers keyed to an answer code. The people were also given code numbers. Their identities and codes were held on a second server. Institute officials hope and believe that the hackers were not able to reverse-engineer the identities and codes to link up people with their answers.
âThe health information itself was coded,â Dr. Strauss said. âIt would be meaningless to the attackers.â
Perhaps. What would have made the data far more difficult to read than simple coding would be encryption, a digital lockbox that is very hard to pick. It thwarts hackers the same way a house safe can stymie burglars: They can break in but cannot get away with the valuables. The state contends that encryption is not practical for active research, though it is used in many fast-paced businesses.
The state learned of the breach from the Federal Bureau of Investigation. Dr. Strauss said that by the time he had heard about it, a state forensic group had isolated the two servers. âA lot of work went on over the course of the next two months to identify the extent of the cyberattack, and the ways in which the data was held,â Dr. Strauss said. The institute notified subjects for whom it had contact information.
Every year, the employees of the institute, which is affiliated with Columbia Universityâs Department of Psychiatry, get privacy training. This episode made what had been theoretical very concrete, Dr. Strauss said.
âTo say that we take it seriously is an understatement,â Dr. Strauss said, noting that the institute relies on people to voluntarily share information.
For about 13,000 subjects, only birthdays and demographic information were collected. Why so much about the other 9,000? They were going to be followed over a period of years, Dr. Strauss said.
The institute is determined to make its data storage more secure, he said.
Who did it, and why?
So far, if answers exist, the state has not made them public.
This seems to be a different, rawer breach than most. But perhaps it is just a criminalized version of what many of us voluntarily submit to in daily commerce or by using social media. Our appetites and anxieties trail behind us, digital breadcrumbs collected by the platforms as the hidden fees we pay for what look like free services.
âBoth the platform companies and we ourselves become active agents in the creation of conditions which are then exploited by criminals,â Dr. Moglen said. âBut our refusal to take our own and othersâ privacy seriously â even when we have Hippocratic or legal duties to avoid doing harm â enables the criminality.â