Tech Policy Girl

To content | To menu | To search

Privacy

Entries feed - Comments feed

Thursday 7 May 2009

Hacker Demands Ransom for Stolen Medical Records

By Suki Kott on Thursday 7 May 2009, 21:20

As we hear more and more talk of centralizing and digitizing medical records, a recent story reminds one of the importance of being judicious about the storage and protection of such records.

According to a story in Government Technology, a hacker accessed and captured nearly 8 million medical patient's prescription records and demanded a $10 million dollar ransom in exchange for not offering them for sale to unsavory characters. The ransom was displayed to anyone logging into the state's prescription monitoring program web site.

The authenticity of the hack has yet to be confirmed, but if it's indeed as bad as they think it is, the folks whose records were stolen could be at risk for medical identity theft. Records for patients possessing prescriptions for high-valued medications such as oxycontin, xanax, etc. would bring a decent price on the black market.

This incident is a not-so-gentle reminder that government entities are not known for their ability to protect the data of the citizens they serve. And I expect the Obama administration to address such risks in their proposal for centralization of such records.

no comment no trackback

Thursday 25 September 2008

No Probable Cause Necessary for Laptop Data Searches

By Suki Kott on Thursday 25 September 2008, 08:06

The Register reports a significant change in the rules regarding border searches of laptops and other devices. Under the new rules, customs and border agents are authorized to search, analyze and store data without probable cause. For the past 20 years agents had to have probable cause in order to inspect data on the devices of travelers entering into the US. As of July that rule has been (quietly) relaxed, and powers given to agents expanded.

In February the EFF and Asian Law Caucus sued the Department of Homeland Security over these invasive searches, and then in May a federal district court ruled in favor of the searches. This led to some groups requesting that foreign travelers leave their devices at home when traveling abroad to the US.

The question that comes to my mind is how knowledgeable the agents are regarding the devices they're supposed to search. This fella missed his flight because the TSA wasn't able to identify his MacBook Air as a laptop.

no comment no trackback

Sunday 7 September 2008

Lawsuit Digs into Teens' Online Ramblings

By Suki Kott on Sunday 7 September 2008, 23:10

by Ann Althouse on Flickr I remember reading, a year or so ago, about a young woman whose medical care for her anorexia was denied by her health insurance provider. Her parents banned together with other parents posed with similar issues to sue their insurance company for costs incurred in their daughters' treatment. The insurance company's stance is that anorexia is a psychological rather than biological affliction and thus they aren't obligated to cover associated costs. (Which causes one to wonder whether they grant coverage for the ills associated with being overweight -- or smoking and its drawn-out and oft fatal afflictions?)

Then last week, The Economist mentioned an insidious development in the case (Beye v. Horizon Blue Cross Blue Shield Of New Jersey, Inc.). The health insurance company, Horizon, demanded access to all digital communications of the young women -- Facebook, IM threads, blogs, email, text messages, the entire lot. When the lawyer for the girls objected on the grounds of invasion of privacy, he lost.

There are several issues with this. First, the technology is new. Only recently have the Y Generation started taking seriously their elders' warnings about the internet being a permanent system of record for their online activities. Second, the young women are minors so, in my opinion, deserve the protection of privacy appropriate for children. The legal system affords special treatment and leniency for minors in many regards -- this should extend to digital privacy.

And adults should heed the story of this lawsuit as well -- don't blog about your great ski trip to Aspen when you're on workers' comp.

one comment no trackback

Thursday 4 September 2008

Is Your Email Being Used Against You?

By Suki Kott on Thursday 4 September 2008, 00:10

About a month ago the Washington Post reported that NebuAd, a web marketing company, was employing the nastiness known as deep packet inspection (DPI) to target advertising at internet users in Kansas. The only notice the ISP offered their customers was an update to their privacy policy on their corporate web site. This would be like the USPS posting a similar notice on their web site before allowing mail carriers to open your mail, log the contents, and share the findings with advertisers. (For a great write-up on the particulars of deep packet inspection, see the ACM's blog post on the subject.)

Today the Post reports that NebuAd is putting the mass deployment of their product on hold while Congress addresses privacy concerns of the technology. The article goes on to say that several companies have put their trial deployment on the back burner. It doesn't mention how many (or which) companies are continuing with their deployment plans.

I went to NebuAd's web site and found a link to opt out of their 'behavioral targeting solution': http://www.nebuad.com/privacy/optout.php (Note that if you delete your browser cookies, you will need to opt-out again.)

no comment no trackback

Wednesday 13 August 2008

Forgetting Your ID Gets You Added to TSA List

By Suki Kott on Wednesday 13 August 2008, 16:30

USA Today reports that the TSA has been adding air travelers who forget their IDs to their list of potential terrorists. The logic being that this would pick up on terrorists who are looking to discover holes in the TSAs safety process.

The paper reports that they spoke to the TSA chief about this practice, and that later that day he called back to say that they would be discontinuing the practice, and if the on-site officials could determine the traveler's identity, that traveler would not be added to the list. The chief also stated that the records that had already been collected on forgetful fliers would be expunged from their database.

So... How do you collect personal data for someone who has no ID? What exactly was the TSA recording in their database?

no comment no trackback

Monday 18 February 2008

FBI - Unauthorized Email Monitoring

By Suki Kott on Monday 18 February 2008, 17:54

Published in the New York Times is an article on a glitch that gave the FBI access to email messages of an entire internet domain instead of the messages of the lone email address they were authorized to monitor.

The transgression dating back to 2006 was discovered in documents turned over to the Electronic Frontier Foundation as part of a Freedom of Information Act lawsuit the group has brought against the FBI.

no comment no trackback