Is that possible? Well, Aaron Titus, a researcher with Identity Finder, believes so: he says he managed to use internet searches to unearth a trove of around 300,000 unsecured private health records on a website. He notified the company, Southern California Medical-Legal Consultants, which represents doctors and hospitals seeking payment from patients receiving workers’ compensation, and they say they have taken steps to secure the data. He states the data was “available to anyone in the world with half a brain and access to Google.”
As healthcare becomes increasingly web-enabled (sometimes by edict), and more provider companies have access to patient data, there is a growing attack surface for criminals to exploit. The personal information data sprawl also applies to other sectors, e.g. social networking. When companies share and re-share your personal information, it becomes more difficult to rein in security, as the information becomes subject to the security practices of everyone touching it, not to mention security over the wire (or wireless) in between stops. Suddenly, a single break in the chain can expose entire data sets, and after the holes get plugged, the data may cease being private. After all, there really is no way for criminals to “unsee” your information, or “unsell” it to the highest bidder, or for you to make it completely private again, for that matter.
Predictably, consumers are prodding legislators to pass laws with enough “teeth” in them to compel providers to comply with basic security, and to provide remedies if they slip up. That is a difficult task, especially when the solution will necessarily be technical, beyond the expertise of the average constituent whose data may be at risk during a breach. Then there’s the need for a regular review and update to the security technology that providers need to implement to stay current with threats as they become more sophisticated. As the legislative wheels turn and companies wrestle with data sharing, it might be wise to do a little work on your own.
So have you googled yourself lately, or variations with your name and terms like “health record?” Hey, while you’re at it, poke around at search terms with both your name and financial information criminals might find useful. Hopefully the result won’t net much, but it’d be nice to know if you get more information than you bargained for.
Author Cameron Camp, ESET