Do Not Track? Advertisers Say ‘Don’t Tread on Us’

See the full article written by Natasha Singer in the NY Times at Do Not Track? Advertisers Say ‘Don’t Tread on Us’

Americans are all victims of a massive hidden “surveillance economy” that collects and sells every bit of online information about us (and health information is the most valuable of all). This story is about the battle between the US data mining industry and the consumers, patients, and corporations that oppose secret data mining.

“Brendon Lynch, Microsoft’s chief privacy officer, said a recent company study of computer users in the United States and Europe concluded that 75 percent wanted Microsoft to turn on the Do Not Track mechanism. “Consumers want and expect strong privacy protection to be built into Microsoft products and services.”

“The Association of National Advertisers recently attacked Microsoft because Microsoft’s new browser will automatically tell hidden data collectors ‘Do Not Track’ users online.  “Microsoft’s action is wrong. The entire media ecosystem has condemned this action,” the letter said.”

It’s not surprising to see this attack by the data mining industry on Microsoft. There will be many more attacks as the public realizes the harms that are caused by unfettered corporate and government collection of personal information.  Today’s surveillance economy is based on monetizing personal data, selling intimate minute-by-minute profiles of our minds and bodies.

Re: Social media and patient privacy lessons ripped from the headlines

Karen Cheung-Larivee’s recent FierceHealthcare article, “Social media and patient privacy lessons ripped from the headlines” once again reminds us that health privacy isn’t a concern limited to how information is exchanged in and among doctors’ offices or hospitals. Rather, it reminds us that even the casual ways people reveal parts of their personal lives to their own social networks can sometimes mean violating someone’s health privacy when they reveal sensitive pieces of information about other people’s lives too.

Unfortunately, there aren’t really rules protecting people from the harms that can occur when someone else broadcasts their personal information in the wild wild west of social media. However, that doesn’t mean institutions are completely absolved of their responsibility to protect patients’ privacy, no matter the environment. As the article points out:

One of the most common situations of social media fumbles are patients posting about other patients. Although it’s not a breach of HIPAA or HITECH (because patients aren’t considered “covered entities”), the hospital still has a responsibility under state law to protect patients.

No doubt social media provides a medium that allows us to connect and reach out to others in new and powerful ways. However, as users of these tools, we must also be mindful of how the ways we connect and interact with the rest of the world can have damaging effects on ourselves and others, whether it’s in the here and now or some point down the line.

Has your health privacy ever been violated as a result of social media? Are you willing to talk about what happened so others might learn from your experience? Please use this form to share your story.

Benefits of Online Medical Records Outweigh the Risks- Includes Opposing Quotes from Dr. Deborah Peel

An article written by Larry Magid in the Huffington Post quotes PPR when speaking about the issues surrounding electronic health records. You can view the full article here: Benefits of Online Medical Records Outweigh the Risks.

“There are also privacy concerns. In a 2010 Wall Street Journal op-ed, psychiatrist Deborah Peel, founder of Patient Privacy Rights, complained that ‘lab test results are disclosed to insurance companies before we even know the results.’ She added that data is being released to ‘insurers, drug companies, employers and others willing to pay for the information to use in making decisions about you, your job or your treatments, or for research.’ Her group is calling for tighter controls and recognition that “that patients own their health data.'”

Onward and upward: ONC to automate Blue Button

See the full article in HealthcareITNews: Onward and upward: ONC to automate Blue Button

Why “Blue Button” matters: It is the critical first step to restore your control over personal health data.

  • -If we can’t get our data (via a “Blue Button”), we can’t use or control it—-much less check for errors.
  • -Few of us expect or know that today our sensitive health data flows to hidden businesses and users that have nothing to do with our health or treatment—which is why we need a map of health data flows:
    • -See Prof Sweeney explain this project in a brief video: http://tiny.cc/f466kw
    • -Today’s electronic health system allows millions of people who work for doctors, hospitals, insurers, health technology companies, and health data clearinghouses, etc, to use, disclose and sell our health data without consent.
  • -The current health technology system guarantees harms: like use of personal health data by employers and banks, ID theft and medical ID theft, and health data sales (see ABC World News story that shows the sale of diabetic patient data at: http://tiny.cc/un96kw ).

In 2001, the HIPAA Privacy Rule stated that patients should be able to download electronic copies of personal health data. Finally the federal government, through the Office of the National Coordinator for Health Information Technology (ONC), will actually require all electronic health records systems to let us do that.

  • -FYI—The box to click and download personal health information is known as a “Blue Button”. Some places already let patients do this (the VA system and MD Anderson for example).

When personal control over health data is restored, we can send our records to all the right places (for treatment and research) and NOT send records to hidden users and corporations that use it now to discriminate against us for jobs or credit, for ID theft, to impersonate us and use our health insurance to obtain treatment (medical ID theft), or for insurance, Medicare, and Medicaid fraud.

Your Medical Records May Not Be Private: ABC News Investigation

ABC TV’s Jim Avila shows how easy it is to buy personal health data. He spoke with security consultant Greg Porter, who showed him how to buy personal health information online for $14-$25. ABC News learned about the lack of effective security and privacy for medical records from “Julie” at the 2nd International Summit on the Future of Health Privacy.

Here is the video (after a short advertisement):

You can also see the above ABC News video on medical records at: http://abcnews.go.com/Health/medical-records-private-abc-news-investigation/story?id=17228986#.UIQCz1H6Acs

ABC’s print story about the TV news segment tells “Julie’s”  story, quotes Patient Privacy Rights (PPR), and links to our free online consumer protection forms so you can take action to better protect your health data. Use the free consent form and ask physicians and hospitals to honor longstanding state laws that require consent before they disclose your health information. According to HIPAA, providers can refuse to honor requests like this, but HIPAA also says stronger state laws and medical ethics should prevail—so ‘ask’ and tell them to honor your rights to control who sees and uses your electronic health information.

Two University of Miami Hospital Employees May Have Stolen & Sold Patient Data

To view the full Miami Herald article, please visit: Two University of Miami Hospital Employees May Have Stolen & Sold Patient Data

Two hospital employees are accused of stealing thousands of “face-sheets” from the University of Miami Hospital over a 22-month period. These “face-sheets” included information such as name, address, reason for visiting, insurance policy number (note: Medicare and Medicaid use SSNs as insurance policy numbers), date of birth and the last four digits of the social security number. The employees have admitted to their improper conduct and were terminated immediately, but the lasting damage of the stolen information is still being addressed by the hospital and there is no information about how many of these sheets may have been taken. In a statement released released by the hospital, it was revealed that there is “no indication that medical records are at risk”.

Privacy and Data Management on Mobile Devices

See this link for the entire survey of 1,954 cell phone users (see excerpt below): http://pewinternet.org/~/media//Files/Reports/2012/PIP_MobilePrivacyManagement.pdf

When the public learns about hidden data use and collection on cell phones,  significant numbers of people TURN them OFF:

  • -“57% of all app users have either uninstalled an app over concerns about having to share their personal information, or declined to install an app in the first place”

What will the public do when they realize they CANNOT turn off:

  • -hundreds of software ‘applications’ at hospitals that collect, use, and sell their health information
  • -thousands of EHRs and other health information technologies that collect, use, and sell their health information
  • -health-related websites that collect, use, and sell their health information

Survey uncovers lax attitudes toward BYOD security

To view the full article by Eric Wicklund in mHIMSS, please visit Survey uncovers lax attitudes toward BYOD security.

Ask your doctor about his/her smart phone or iPad: does he/she use it for work, is your data encrypted, can the data on the device be wiped if its lost or stolen?

The number of people who work in healthcare using personal devices like smart phones and Apple products is exploding—but many mobile devices lack the strong data security protections required for health data-like encryption. So if the device is lost or stolen, so is the sensitive information about your mind and body.

Key quotes from the story:

* 51% say their companies don’t have the capability of remotely wiping data from a device if it is stolen or lost

* Less than half had (data security) controls in place for mobile devices

* 84%  of individuals stated they use the same smartphone for personal and work issues.

* 47% reported they have no passcode on their mobile phone.

Senator Al Franken is pressing Congress and the Department of Health and Human Services (HHS) to specifically require health data to be protected on portable media. The government is pouring billions into build an electronic healthcare system but failing to require or enforce effective rules to protect our sensitive health information, from prescription records to DNA to diagnoses. Electronic health records are far easier to steal, sell, or lose than paper records because hundreds or thousands of people who work at hospitals and health plans can access our health data.

It’s crazy that health data is not protected by ironclad security protections at all times, no matter where its being used. You’d think even without government regulations for data protection that anyone handling our most sensitive personal information would protect it, but many don’t.

Patient Trust in Confidentiality Affects Health Decisions

To view the full article by Pablo Valerio, please visit Enterprise Efficiency: Patient Trust in Confidentiality Affects Health Decisions

This article highlights a survey sponsored by FairWarning that looks at how “patient privacy considerations impact the actual delivery of healthcare” in the UK and US.

Key quotes from the story:

-“CIOs and healthcare providers need to ensure the best security, not only because it is the law, but because data breaches actually affect how honest a patient might be with a doctor and how quickly they will seek medical attention.”

-“It is not enough to comply with government regulations about data protection. If a data breach occurs patients are not going to check if the institution was following rules, they are going to blame their executives for allowing the breach to happen, regardless of the reasons.”

The survey, “UK: How Privacy Considerations Drive Patient Decisions and Impact Patient Care Outcomes; Trust in the confidentiality of medical records influences when, where, who and what kind of medical treatment is delivered to patients” cited in the article below compares attitudes about health information privacy in the UK and US.

Some key UK findings are:

-38.3 percent stated they have or would postpone seeking care for a sensitive medical condition due to privacy concerns

-More than half of patients stated that if they had a sensitive medical condition, they would withhold information from their care provider.

-Nearly 2 out of 5 stated they would postpone seeking care out of privacy concerns.

-45.1 percent would seek care outside of their community due to privacy concerns

-37 percent would travel… 30 miles or more, to avoid being treated at a hospital they did not trust

US vs UK patients:

-UK patients are almost twice as likely to withhold information from their care provider…if they had a poor record of protecting patient privacy.

-4 out of 10 UK patients versus nearly 3 out of 10 US patients … would put off seeking care … due to privacy concerns.

-97 percent of UK and US patients stated chief executives and healthcare providers have a legal and ethical responsibility to protect patients’ medical records from being breached.

Shoppers, Meet Your Scorekeeper

See the article in the NY Times at: Secret E-Scores Chart Consumers’ Buying Power

Let’s call this business what it really is: data theft, not scorekeeping. This great story by Natasha Singer is in the vein of the WSJ series: “What They Know”. There is no way to know if our e-scores, derived from 50,000+ pieces of personal information, are used only for shopping.

  • There is no proof that eBureau does what the CEO says. Unless eBureau reveals all the buyers of the scores or lets us see all the personal data they collect/steal about us there is no way to know if the scores are used to discriminate against us in key life opportunities.

Natasha Singer writes clearly about the business model of hidden data theft and hidden data mining that is used by so many Internet-based corporations.  She profiles Gordy Meyer, CEO of eBureau, who claims his company makes entirely legal use of millions of online and other personal, electronic clues.  He imagines we freely, consciously give personal data away to corporations like his to create instant, extremely detailed, deeply intimate real-life profiles of every one of us (which he sells at 3 to 75 cents/per profile).

When we simply LOOK or CLICK AROUND a website, we are not in any meaningful way giving consent to hidden data-thieving corporations to collect or use personal information. We are victims of unfair and deceptive trade practices and data theft.

The public simply has no concept that extremely detailed digital profiles are being collected used to discriminate against them:

  • Ebureau then adds several thousand details–like age, occupation, property value, length of residence, and retail history–from its data bases to each customer profile. From those raw data points, the system extrapolates up to 50,000 additional variables per person.”

What are the “several thousand details” eBureau adds?  Could they be details like your searches for information on treatment of melanoma? or STDS?  How do we know what the details are?  eBureau will not tell us.

The story closes with a quote from Frank Pasquale:

  • “I’m troubled by the idea that some people will essentially be seeing ads for subprime loans, vocational schools and payday loans,” Professor Pasquale says, “while others might be seeing ads for regular banks and colleges, and not know why.”

One of the worst parts of this story is that eBureau’s CEO makes assertions that cannot be verified:

  • there is no way to know what data is collected or what eBureau does with it
  • there is no way to know if eBureau “meets regulatory requirements” or “has put firewalls in place to separate data bases containing federally regulated data, , like credit or debt information used for purposes like risk management, from databases about consumers used to generate scores for marketing purposes.” because there is no outside auditing.

My bet is that a HUGE part of what is collected is information about our minds and bodies. We already know that personal health information is the most valuable digital information about each of us. Will purchasers of eBureau’s scores offer a credit card to anyone with cancer or Depression? Will we be able to qualify for loans to send our kids to college if we have genetic risks for breast cancer or heart disease?