We’re all sick of data breaches and privacy intrusions, with just about every new day bringing new stories of shops, banks and restaurants leaking epic amounts of customer information and celebrities having their intimate snaps spread around the internet.
Obscured by these headline-grabbing big-name leaks, a rash of smaller-scale breaches has been leaking a steady stream of data every bit as valuable as our card numbers and every bit as intimately private as our most graphic selfies.
Our health records contain huge amounts of highly personal information, covering everything from the standard addresses, phone numbers and social security codes to a detailed history of our bodies and minds.
Health data is considered among the most private of information, but continues to leak out in a dazzling range of ways.
Larger leaks, of course, tend to be database and website compromises, with the controversial healthcare.gov a major target for attackers motivated by politics or potential profit.
But numerous smaller incidents also add up large amounts of data.
In the US alone, the Washington Post found a few months ago that over 30 million records had been leaked in the five years since the 2009 HITECH act encouraged widespread adoption of electronic records, and imposed strict reporting requirements for any breach affecting more than 500 people.
In just the last few weeks, some of those “smaller” breaches include:
- a pair of unencrypted CDs lost in the post, with data on 44,000 members of an Arizona retirees’ dental plan
- a laptop stolen from a health worker’s car in Georgia, which contained records for around 3000 patients.
- a “small number” of laptops revealed to have vanished from Dallas ambulances over a three year period, with some data potentially accessible.
Those are just electronic records, and of course old-fashioned paper records are not immune from leakage.
Recent cases include details of 40,000 patients being stolen from a doctor’s storage shed in New Jersey, and an undisclosed, possibly unmeasurable quantity of records literally falling off the back of a truck in Omaha.
Of course, our doctors, dentists, psychiatrists and other medical professionals need to keep lots of information about us. And it makes some sense that this data should be shareable between different services, to reduce the workload of gathering it and for easy reference in emergencies.
But it needs to be kept safe. This sort of information isn’t just useful for simple theft or embarrassment, it can be and has been leveraged to blackmail the victims of data breaches.
Whether this encourages better security practices, or simply drains more cash from budgets which are often already tight, is hard to say. Hopefully as the visibility of this problem grows, we’ll start to pay proper attention to the need for extreme caution when dealing with such sensitive data, and demand better from those charged with looking after our data.
We need to cure the tendency of the healthcare industry to be sloppy with encryption, access control and web security. We need to ensure privacy and security are given top priority as we move towards coordinated, all-encompassing electronic medical records.
If the upcoming nationwide data systems prove leaky, the consequences for breach victims could be devastating.