
    Archive for the ‘Medical data’ Category

    Significant Problems in White House’s Draft Privacy Legislation

    Monday, March 2nd, 2015

    The Obama White House recently released its draft Consumer Privacy Bill of Rights Act (pdf) and a fact sheet. Parts of the draft legislation date to a 2012 white paper (pdf) that laid out a plan to better protect consumer privacy. And last year, the big data group that the White House convened also issued recommendations on privacy (pdf).

    The White House has taken important steps in highlighting that individuals need strong privacy protections for their data and in creating the draft legislation. And it is important that the draft legislation attempts to implement the Fair Information Practices: collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, and accountability. For example, the draft legislation gives several options for responding to companies that would violate the bill’s provisions, including allowing individuals and state attorneys general to file lawsuits.

    But there are several significant problems with the proposal that need to be addressed before it can move forward. (The draft does not yet have a legislative sponsor, which it would need in order to be introduced and debated in Congress.)

    One problem with the legislation: It would preempt state laws.

    SEC. 401. Preemption.
    (a) In General.—This Act preempts any provision of a statute, regulation, or rule of a State or local government, with respect to those entities covered pursuant to this Act, to the extent that the provision imposes requirements on covered entities with respect to personal data processing.


    Privacy Problems Continue with Anonymization of Data

    Friday, February 6th, 2015

    In a recent article for Science, researchers Yves-Alexandre de Montjoye, Laura Radaelli, Vivek Kumar Singh, and Alex “Sandy” Pentland showed that the “anonymization” of personal data is not a guarantee of privacy for individuals. Before we discuss their study, let’s consider that researchers have been telling us for almost two decades that anonymization, or “de-identification,” of private information has significant problems, and that individuals can be re-identified and have their privacy breached.

    Latanya Sweeney has been researching the issue of de-anonymization or re-identification of data for years. (She has taught at Harvard and Carnegie Mellon and has been the chief technologist for the Federal Trade Commission.) In 1998, she explained how a former governor of Massachusetts had his full medical record re-identified by cross-referencing Census information with de-identified health data. Sweeney also found that, with birth date alone, 12 percent of a population of voters can be re-identified. With birth date and gender, that number increases to 29 percent, and with birth date and Zip code it increases to 69 percent. In 2000, Sweeney found that 87 percent of the U.S. population could be identified with birth date, gender and Zip code. She used 1990 Census data.

    In 2008, University of Texas researchers Arvind Narayanan and Vitaly Shmatikov were able to reidentify (pdf) individuals from a dataset that Netflix had released, data that the video-rental and -streaming service had said was anonymized. The researchers said, “Using the Internet Movie Database as the source of background knowledge, we successfully identified the Netflix records of known users, uncovering their apparent political preferences and other potentially sensitive information.”

    Continuing Debate on Privacy and Use of Newborns’ Blood Samples

    Monday, December 1st, 2014

    There has been considerable debate about the ethical, privacy, and civil liberty issues surrounding the unauthorized or unknowing retention and use of babies’ blood samples for purposes other than disease-screening in the United States and abroad. Often, parents are not told of the possible lengthy data retention period, possible distribution to other agencies, and possible other purposes for which their children’s blood samples could be used. Now, WNCN in North Carolina looks at the situation, and what it finds shows there are also questions about de-identification or “anonymization” of newborns’ medical data.

    Asked what the government plans to do with the data, Scott Zimmerman, director of the N.C. State Public Health Lab, said, “So if an outside agency such as an academic institution approaches us and asks for dried blood spots, there are two approaches that can be taken. One, we can get parental consent to release that dried blood sample to an outside entity. We will not release any DBS that contains patient information without parental consent.”

    Zimmerman added, “The only other way DBS are released is if they are de-identified.”

    Researchers have shown that, often, data that has been de-identified can be re-identified (or “de-anonymized”), and sensitive data could be linked back to an individual. Therefore, there is a significant privacy concern for individuals whose information is shared, without their consent, in this manner.

    New York Times: Oops! Health Insurer Exposes Member Data

    Thursday, November 13th, 2014

    The New York Times reports that health insurance company Anthem Blue Cross sent e-mails to some customers that contained sensitive information in the subject lines:

    On Monday, in a similar error, some California residents received emails from their health insurer, Anthem Blue Cross, with personal details about them contained in the subject line.

    The text of the emails encouraged members to visit their doctors for checkups and to discuss certain medical screening tests. [...]

    But the emails’ subject lines included member-specific demographic details like age range and language. They also listed possible medical screening tests — marked “Y” for recommended tests and “N” for tests not listed in the email. [...]

    Fortune: What’s behind the dramatic rise in medical identity theft?

    Wednesday, October 22nd, 2014

    Fortune reports on an increase in cases of medical identity theft in the United States, which has implications for patients’ health privacy:

    In the last five years, the number of data breaches in the medical sector has quadrupled. Last year, for the first time, the medical sector experienced more breaches than any other. It’s again on track to lead in 2014, according to the ID Theft Center. While the health care industry has long suffered fraud by providers or employees fraudulently billing insurers, Medicare, or Medicaid, the medical industry is only just now trying to catch up to the quickly growing threat from hackers.

    With the increasing digitization of health information (in the form of electronic health records) and the formation of health exchanges (due to the Affordable Care Act), the trend in medical identity theft is unlikely to abate any time soon. Personal medical information is useful to many different types of criminals, which is why it fetches a higher price on the black market than financial information.

    IT News (Australia): NSW to add offshore data rules into privacy legislation

    Monday, October 20th, 2014

    IT News in Australia reports that New South Wales Attorney-General Brad Hazzard is considering new privacy rules for the storing of data offshore:

    The office of NSW Attorney-General Brad Hazzard has confirmed the government’s intentions to update the state’s privacy legislation to make it clear where agencies and healthcare providers stand when it comes to storing data offshore, particularly as part of cloud computing arrangements.

    The NSW Privacy Commissioner, Elizabeth Coombs, finalised her draft code of practice for offshore data hosting and handed it to the Attorney-General in May this year, after a number of aborted attempts by her predecessors. [...]