The Reports of the Death of Privacy Were Exaggerated: California Breathes New Life into the Privacy Rights of its Residents

Vast NSA troves of phone and email data and the huge focus on HealthCare.gov’s website provoked intense public concern about hidden uses and sales of personal data, especially personal health data.

But there is great news from California: tough new laws to protect data privacy were enacted in September. See: “The Reports of the Death of Privacy Were Exaggerated: California Breathes New Life into the Privacy Rights of its Residents”, Tuesday, November 19, 2013, by Sharon R. Klein and Odia Kagan.

States like CA and TX (HB 300) passed new laws because state residents are demanding stronger data privacy protections, and Congress and federal agencies have failed to act.

Key new data privacy protections in CA:

“Business(es) offering software or hardware to consumers… designed to maintain medical information or to assist in the diagnosis and treatment of individuals” must:

Press your state lawmakers to pass strong new data protection laws like California’s.  People want technology that protects privacy. They won’t trust companies and government that eliminate privacy and use personal data without consent.

Your Posts, Their Ads: Facebook’s Privacy Policy Changes

Check out the latest from Debra Diener, courtesy of Privacy Made Simple.

This is a “heads up” about Facebook’s Friday, November 15th Privacy Policy announcement.  I had previously written about the proposed Privacy Policy changes that Facebook announced back in August. While some of those changes have been deleted, the key change has now been made final — and it’s a change about which Facebook users need to be aware.

What’s the change?  By having a Facebook account, users are agreeing that Facebook can use their personal posts, photos, location and other personal information for advertising. Vindu Goel wrote an excellent article about the Privacy Policy changes and how they fit into Facebook’s overall business plan.  He wrote that the changes are part of a broader effort by Facebook of “…pushing its users to share more data while also making that information easier to find” (www.nytimes.com/2013/11/16/technology/facebook-amends-privacy-policies; “Facebook Reasserts Posts Can Be Used to Advertise”).

Facebook users should also read the November 15th blog by Erin Egan, Facebook’s Chief Privacy Officer, Policy (https://www.facebook.com; “Updates to Data Use Policy, Statement of Rights and Responsibilities Take Effect”).  In brief, Ms. Egan said that “…nothing about this update changes advertising policies and practices….”   She wrote that the changes only clarified Facebook’s prior policies.

Ms. Egan’s lengthy blog outlines many areas about which Facebook users need to be aware (e.g., use of tags, advertising, setting changes). Facebook users might not mind having their posted information used in ads but they should know what is being done — and what, if anything, they can do about it.  I also encourage Facebook users to periodically visit the Facebook “Site Governance” and “Privacy” pages to keep current on any future policy changes.


Health Care and You: Consumer Resources

Check out the latest from Debra Diener, courtesy of Privacy Made Simple.

Health care issues, and patients’ rights, are in the forefront of the news. However, along with the accurate information, there is also confusing and inaccurate information being produced.

The good news for patients and consumers is that they can find accurate information presented in easily understandable terms at the Department of Health and Human Services (HHS) website (www.hhs.gov).  The HHS Office for Civil Rights (OCR) has produced various YouTube videos, fact sheets and brochures that provide up-to-date guidance on an array of topics.

For example, I watched the just-released HHS/OCR video titled “Your New Rights Under HIPAA” (HIPAA stands for the Health Insurance Portability and Accountability Act).  The video highlights some of the important new rights for patients under HIPAA (http://www.youtube.com/watch?v=3-wV23_E4eQ).

The video explains, among other points, that:

  • patients are entitled to get an electronic copy of their information (and that doctors might charge a small fee for copying the records or producing a thumb drive);
  • patients can ask that their doctor send the patients’ medical information to a friend or family member who’s involved with the patients’ medical care;
  • there are new tougher limits on the sale of health information, including the fact that this can’t be done (with a few exceptions) without getting permission from the patient;
  • parents and guardians now have an easier way to share a child’s immunization information with the child’s school; and
  • Privacy Policies of doctors should include information about the above (and other) new rights.

OCR has produced 10 other mini-videos on health issues; they can be found at: http://www.youtube.com/user/USGOVHHSOCR.  They have also produced four consumer fact sheets (available in eight different languages).  The fact sheets can be found at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers.  The fact sheets are handy reference guides that are worth reading.

People need to be pro-active to learn how they can access and control their health information, have it shared or not shared as they wish and better protect their privacy.  The HHS/OCR materials are excellent resources that will help everyone do so.


Information Asymmetry – The Politics of Health IT Policy

Let’s recognize Healthcare.gov as the dawn of mass patient engagement – and applaud it. Before this website, patients were along for the ride. Employers choose most of the insurance benefits, hospital web portals are an afterthought, and getting anything done with an insurance company, for both doctors and patients, means a phone call and paper. Can you imagine going online to find out the actual cost and buy anything? All that changed with Healthcare.gov.

Information is valuable and not evenly distributed. The haves are immensely valuable corporations. The have nots are patients and doctors. Welcome to the world of health IT politics where the rich get richer ($20 Billion of “incentives” have caused massive health IT consolidation and a hidden health surveillance state) and the poor get frustrated (talk to an independent physician about their EHR or to a patient trying to access her own health records).

Information asymmetry drives $1 Trillion waste of our $2.7 Trillion health care cost. That waste is about $3,000 per year per citizen.

The politics of health IT policy are not left vs. right but institution vs. individual. Politicians and regulators alike are now scrambling to understand the role of health IT policy in that $3,000 annual waste per citizen.

The asymmetry that drives health IT policy is easy to understand when you consider that health IT is sold to corporations. As physicians and patients, we do not prescribe or buy information technology and we are paying the price through a total lack of price and quality transparency.

Incumbent “stakeholders” and multi-$Billion not-for-profit “delivery networks” stand to lose half their revenue if our cost structure aligned with the rest of the developed world. Information asymmetry drives our health IT policy as we implement the Affordable Care Act and the HITECH information technology mandates. From the earliest days, the strategy of costly health IT “certification” seems designed to drive small vendors and open source software out of the market. In the middle ages of post ACA health IT policy, circa 2012, our federal health architecture EHR procurement (the VA and Department of Defense, among others) began wild gyrations that have muted one of the few potential sources of rational, citizen-funded open source health information technology. We are now in the predictive analytics era, as our healthcare “providers” figure out how to manage the physician-patient relationship to their economic advantage. They call it Population Health Management.

Population Health Management doesn’t have to increase information asymmetry. Patient engagement and Fair Information Practice principles are not controversial. Combined with patient-directed automation via Blue Button Plus and NSTIC-style voluntary identities, we can have Big Data analytics to drive health reform policy and population health management. All it takes is democratizing access to our own information and reasserting the primacy of the physician-patient relationship. To get there, our federal and state policymakers will need to use the reduction of information asymmetry as a guiding principle.

The opportunities for policymakers to reduce information asymmetry and engage patients abound:

  • Confirm the patient’s right to access all information using Blue Button Plus so we can delegate that access to the physicians and analytics services we trust.

  • Confirm the patient’s right to specify a voluntary identity for patient matching when we participate in health information exchange.

  • Confirm the patient’s right to a real-time online Accounting of Disclosures so that we can know who is getting our information and see what they’re getting.

  • Confirm the physician’s right to communicate with anyone using Direct secure messages without interference from their employer or a state health information bureaucracy.

We already have these rights under existing law. What we don’t have is regulators and public procurement processes that put consumer protection ahead of politics. It’s time for them to step up. Start by fixing Healthcare.gov with privacy-preserving, voluntary sign-in credentials that we can use with Blue Button Plus to access our hospitals, insurers and state databases without risk of identity theft. There’s $3,000 in it for each of us.

Adrian Gropper, MD is Chief Technical Officer of Patient Privacy Rights and participates in Blue Button+, Direct secure messaging governance efforts and the evolution of patient-directed health information exchange.

Check out the Latest from Dr. Gropper, courtesy of The Healthcare Blog.

A Fraying of the Public/Private Surveillance Partnership

To view the full article, please visit: A Fraying of the Public/Private Surveillance Partnership

The lack of data security and privacy on ‘HealthCare.gov’ triggered national outrage. For the first time patient privacy is a national issue.

Healthcare.gov’s serious technology flaws sparked huge privacy fears even though ONLY one piece of health data is collected, “Do you smoke?”.

The public now fears that the US government and the health IT industry don’t protect sensitive personal health data. Rightly so. See:

 

But current US health IT systems also enable hidden armies of corporations and government agencies to use sensitive personal health data without patient consent.

If our health data was actually private, how could it be sold on the Internet? Three short videos:

 

We have no map of all the hidden flows of our health data. See examples mapping the hidden flows of US health data:

  • states sell health data: http://thedatamap.org/states.html
  • top buyers of health data: http://thedatamap.org/buyers.html
  • data breaches reveal who purchased health data: http://thedatamap.org/history.html
  • health data is easy to re-identify: http://thedatamap.org/risks.html

The consequence of the lack of patient privacy (control over personal health data) is that millions of people act to keep health data private:

  • Today 40-50 million people/year act to try to keep health data private:
      ◦ 37.5 million people every year hide information to try to keep it private
          ▪ November, 2005. National Consumer Health Privacy Survey, California Healthcare Foundation: http://www.chcf.org/publications/2005/11/national-consumer-health-privacy-survey-2005
      ◦ Over 5 million every year avoid or delay early diagnosis for cancer, mental illness, or sexually-transmitted diseases
          ▪ 65 Fed. Reg. at 82,779, 65 Fed. Reg. at 82,777, 65 Fed. Reg. at 82,778
          ▪ Or see page 7: http://patientprivacyrights.org/wp-content/uploads/2010/08/The-Case-for-Informed-Consent.pdf

Technology can ensure all the benefits and prevent harms. The idea that we must surrender privacy forever to ‘wire’ the healthcare system is false.

Technology should “do no harm” to patients. The cure is to use tough privacy-enhancing technologies.

Healthcare.gov sends user information to third parties, violating its own privacy policy

You might be interested in this story “Healthcare.gov sends user information to third parties, violating its own privacy policy.” 

The site sends user information to third parties like Pingdom and DoubleClick that are hidden data collectors.  Here you can find a screenshot in which Ghostery is used to show 7 hidden trackers: Healthcare.gov trackers

 

Update on Adobe Attack: Millions More Victims

Check out the latest from Debra Diener, courtesy of Privacy Made Simple.

 

Back on October 4th and 7th, I wrote about the hackers who had gotten into the customer Adobe files (see, “Top 5 Things to Know About Adobe Hacking” and “Alert! Adobe Hacking Update”).

 

When the breach was first reported, Brad Arkin, Adobe’s Chief Security Officer, estimated there were around 2.9 million Adobe customers whose Adobe IDs, names, encrypted passwords, encrypted credit and/or debit card numbers (and expiration dates) along with order details had been hacked.  That now seems like a vastly underestimated number.

 

Anna Brading just reported that the final number is 38 million active Adobe customers (see, nakedsecurity.sophos.com; “Adobe breach THIRTEEN times worse than thought”).  Ms. Brading’s report is based on an announcement by Heather Edell, an Adobe spokesperson.   In her announcement, Ms. Edell says that Adobe has finished its investigation during which it identified the 38 million Adobe customers with active accounts who were affected.  Ms. Edell says those customers have already been contacted and that Adobe is now investigating whether any inactive Adobe customer accounts were hacked.

 

This is a “heads up” to Adobe customers — keep an eye on your credit and debit card bills and other financial account statements.  Remember to change passwords and don’t use the same one for multiple accounts.  Do check the Adobe website for further updates.


Shine a Light on Online Tracking

Check out the latest from Debra Diener, courtesy of Privacy Made Simple.

 

Many consumers know that advertisers and companies are tracking their online footprints.  People might not like it but they accept it as part of using the Internet regularly.

Mozilla understands that consumers might want to know who’s tracking them. To do so, Mozilla created Lightbeam, a new app that allows consumers to do just that.  It’s an add-on that can be downloaded onto the Firefox browser.  Lightbeam is an updated version of Collusion, which is an earlier Firefox add-on.

How does Lightbeam work?  Nick Heath has an excellent article that also has a screen shot showing how Lightbeam works (www.zdnet.com; “Want to know who’s spying on you online? There’s an app for that”; October 25).   In a nutshell, per Mr. Heath, each time a consumer visits a website Lightbeam will log “….every web address that is connecting to your machine, revealing how visiting a single website can result in your computer to (sic) connecting to many different web servers. Each of these servers may be controlled by different companies, and send and collect different information —for example, serving up images and adverts on the site or placing tracking cookies on your computer.”

Mr. Heath’s screen shot is a visual depiction of what a consumer will be able to see about the tracking.

I went to the Mozilla site to read more about Lightbeam (https://addons.mozilla.org; “Lightbeam for Firefox 1.0.2”).  The Mozilla site has more details about Lightbeam and the fact that it will enable consumers who download it to see both first and third party sites with which the consumer is interacting.  Consumers will, per the Mozilla article, be able to save a copy of the “connection history” which is the place where a consumer “…can see the specific data collected by the add-on.”

Consumers might want to take a look at Lightbeam, if for no other reason, to understand more about the different methods being used for online tracking.

What a Small Moment in the Obamacare Debate Says About Ideological Media

Politics aside, a huge majority of the public agrees that ALL personal information should be protected online, not just when they apply for Obamacare, use electronic health systems, or search online about health.  The right to control the use of personal health data is strongly supported by 95% of Americans.

But like the public, the author doesn’t know that government and corporations already have access to every citizen’s personal health information. See: http://patientprivacyrights.org/truth-hipaa/  HIPAA has not protected our rights to health ‘privacy’ since 2002.

Key conclusions:

  • “The Bush and Obama Administrations both showed with perfect clarity that they don’t give a damn about the privacy rights of Americans; federal bureaucrats serving in both eras have broken the law to hoover up our private information; and every trend points to a federal government intent on expanding its ability to collect information on Americans and share it among agencies. The U.S. has also shown an inability to protect data it stores from being hacked or stolen. Given all that, it isn’t paranoid to imagine that any health information handed over to the federal government won’t remain private for long. A betting man would be wise to conclude that somehow or other, it will at least be seen more widely than Obama Administration officials are promising—especially if additional steps aren’t taken to make the information better protected.”
  • “Outsmarting the most hackish Republicans isn’t enough to fix the flaws in legislation that you championed and passed, substantial warts and all.”

Congress must pass a strong new law soon to give patients a clear, strong right to control personal health information.  We should decide who can see and use our most sensitive personal information. The nation’s trust in government will only worsen if we cannot protect even our MOST sensitive personal data, from prescription records, to DNA to diagnoses.

deb

This blog was written in response to the following article: What a Small Moment in the Obamacare Debate Says About Ideological Media

Scammers Using Police Caller ID Numbers: Alert!

Check out the latest from Debra Diener, courtesy of Privacy Made Simple.

 

The Better Business Bureau (BBB) has just issued an alert about the latest scam being used by thieves to steal money and/or personal information (see, scam alert@council.bbb.org, “Scammers Impersonate Police with Spoofed Caller ID”).  Consumers need to be very alert to this ploy. BBB says the scam’s being used all around the country.

The scammers have gotten hold of a computer program that lets them change phone numbers that can be displayed on Caller ID — the spoofing part of this scam.  The scammers are using this technology to send calls with the right phone numbers of the local sheriff or police offices appearing when the recipients hit Caller ID.

The intended victims see the legitimate phone number, answer the call and are then told by the scammers (posing as the local sheriff or police) that there’s an arrest warrant out for them.  BBB reports that some of the scammers have been using the real names of local sheriffs or police officers in the calls — thus making the threat seem more legitimate.

The scammer tells the intended victim that he can avoid the criminal charge by paying a fine.  Here’s the next part of the scam: the scammer says the fine can only be paid by a money order or pre-paid debit card.

Now many people will see through this scam but others will be scared into doing so — maybe because the scammer uses a real name of a local police officer; or because they might not know what fines could exist for them; or because the scammer already has some personal information about the intended victim.  BBB cited the case of a Detroit-area woman who became a victim because the scammer specifically mentioned a loan she’d taken out (that alone raises more problems about how the scammers got that information).

Consumers should remember these “Do’s” and “Don’ts” to avoid becoming a victim:

  • Don’t wire money: legitimate police forces don’t operate by calling people and asking for money over the phone;
  • Do hang up ASAP: don’t call back as doing so might give the scammers more personal information they can later use for other criminal ends;
  • Do call the real local police or sheriff’s office: let them know about the call so they can alert others in the area; and
  • Don’t give out personal information: scams come in different formats and approaches but they all want the same thing — consumers’ money and/or personal information.