Posts Tagged ‘Data Privacy Day’

A member of my family has recently been having some medical issues, and has been making the rounds of doctors and other medical practitioners. It is bad enough when someone doesn’t feel well, but what can make it worse? A medical professional being careless with our personal health information in spite of the medical privacy laws (HIPAA and HITECH). A visiting nurse called to make an appointment for a home visit, which turned into a SMS text dialogue. A question from the nurse left me speechless, “Have you received your {INSERT PRESCRIPTION BRAND NAME HERE} yet?”

Really? She really put part of the treatment plan in an unencrypted text message?

Text messaging by a medical professional should be limited to location and time of appointment.

I informed her that in my opinion putting a prescription name in an unencrypted text message was a violation of HIPAA, especially since the patient had never met the nurse or signed any HIPAA disclosures. She said she deleted the messages from her phone and gave me the name of her supervisor. I called the woman, who wasn’t available. I left a voice mail message, saying that I was concerned because putting treatment details in an unencrypted text message was a violation of HIPAA.

Strike two: A week later, no one from the nursing service has called me back.

I called the company that ordered the nursing service, explained what happened and asked that the service be cancelled. I took the patient to the doctor’s office—much less convenient—but a better option in this case. I was concerned that the nurse might be using a personal phone that did not have encryption on it, that she might have games installed (a common source of malware), that she did not use a pass code to lock her phone or that her phone did not automatically lock, or any of 100 different bad scenarios. What further concerned me is that I did not receive a call back from the nursing company. They are supposed to have a HIPAA Privacy Officer, who should have returned my call and explained what they were doing to protect the patient’s information in the future. At the very least, the nurse should have been required to re-take HIPAA Patient Privacy training (which is mandated to occur yearly anyway by the Office of Civil Rights).

Why is this such a big deal?

When you consider that your medical record is worth more to an identity thief than your credit card, it is a very big deal. A CNBC article published on March 11,2016, “Dark Web is fertile ground for stolen medical records,” stated:

While a Social Security number can be purchased on the dark Web for around $15, medical records fetch at least $60 per record because of that additional information, such as addresses, phone numbers and employment history. That in turn allows criminals to file fake tax returns.

Your credit card might be worth one or two dollars at most.

Another informative article, “Is Texting in Violation of HIPAA?,” appears in The HIPAA Journal.

If you feel that your medical privacy has been violated, you can file a complaint with the Office of Civil Rights.

I’m going to call the nursing service again on Monday and ask to speak with their HIPAA Privacy Officer and try to explain my concerns.

The Bottom Line: They lost a client!

Data-Privacy-Day-2015roundInternational Data Privacy Day—called Data Protection Day in Europe—is celebrated in the US, Canada, and 27 European countries every year on January 28. It started on January 28, 1981, when the members of the Council of Europe signed the Convention for Protection of Individuals with regard to Automatic Processing of Personal Data. In the US, Data Privacy Day is sponsored by StaySafeOnline.

Ever thought, why should I protect my information? Listen to Glenn Greenwald’s Ted Talk on Why Privacy Matters. Not only will it help you understand, but it might galvanize you to action!

Some tips on how to better protect your data include:

  • Use “Do Not Track” on your browser. The Electronic Frontier Foundation (EFF) explains how to turn on “Do Not Track” in some common browsers here. The EFF is a great resource about how to better protect your personal information.
  • Think before you share personal information, whether through email, on social media sites, or over the phone. Once you share information, you have no control over what happens to it. Help your children learn what is okay for them to share.
  • Check the privacy settings on social media sites you use on a regular basis. Twitter, LinkedIn, Instagram, Pinterest, … privacy policies change, which may impact your privacy settings.
  • Protect your computer by keeping your operating system and applications updated. On Windows, Secunia’s Personal Software Inspector helps me keep my applications current.
  • Create strong, unique passwords for every important site. Have a problem remembering all those passwords? Me too! Use a password manager like KeePass or LastPass. If you want to protect your information more, use two-factor authentication for email and social media site log-ins.
    • Help setting up Google’s Two-Factor Authentication
    • Help setting up Microsoft’s Two-Factor Authentication
  • Back up your important data regularly—pictures, documents, music, videos, or whatever is important to you—at least once a week. If you use a physical device, disconnect it between backups. To ensure that your information is safe, use two physical backup devices, alternate them, and keep one someplace safe like a safe deposit box. If you use a cloud backup, use a physical back up as well. Online services can go offline temporarily or even go out of business, while devices break, become corrupted, lost, stolen, or infected by malware. Periodically try to recover documents to ensure that your backups are functional.

Other tips

  • Mozilla’s Get Smart on Privacy
  • FTC’s Consumer Information
  • Check out DuckDuckGo, a search engine that doesn’t track you. Want to see how much tracking happens in your browser? Check out the Firefox Lightbeam addin.
  • Try WhiteHat Security Lab’s Aviator browser. Note: if you use two-factor authentication, you will need to enter a code every time you open up a site that uses it.