Medical Privacy Laws Have Deep Flaws

by Brent Kirkpatrick


Your medical data is not safe.

Medical privacy laws rely on a flawed process of de-identification. This means that your medical records can be shared after your name, social security number, and insurance number are stripped out of the record. Unfortunately, if the records are sufficiently detailed, you can be identified even after your record is supposedly de-identified. Medical privacy laws that depend on de-identification are inherently flawed.

Why would anyone share a de-identified medical record? This is done for research purposes and for professional reasons. For example, suppose a scientist in the U.K. invents a new personalized medical procedure and wants to see if patients in the U.S. would benefit. In this case, some de-identified health data from the U.S. would be given to the U.K. scientist to facilitate the research. For another example, suppose your doctor wants to get a professional opinion from a colleague at a medical school. Medical privacy laws allow them to discuss your 'case' without including your name. Such a discussion may occur over email or at a conference. Yet another example is a government agency that aims to reduce the cost of health insurance. The government may authorize the release of insurance data to researchers or companies that will mine the data for ways to hold down costs. Sometimes this data is posted on the Internet for anyone to download.


Medical privacy laws hold that all of the above examples respect your privacy. This is simply not true. Given sufficient detail in the record, there are statistical approaches that can re-identify the record (i.e., put your name back on your record). For example, suppose you have a LinkedIn profile that records the years and the six cities where you have had jobs. A skilled person who has access to your health insurance transactions can quite likely correlate your LinkedIn profile with the insurance claims for visits to your doctors in various cities. Once that correlation is found, your name is paired with your health insurance data. For more examples, please see Health Data in an Open World and Open Letter to Genetics Researchers. Your data is not safe under today's medical privacy laws.
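The risk described above can be measured before a data set is released. The following is an added example, not code from the original article: it counts how many de-identified records share the same year-and-city history (the k of k-anonymity) and shows how coarsening years and cities shrinks the set of records that stand alone. The record ids, cities, region table and five-year buckets are all constructed assumptions.

```python
from collections import Counter

# Constructed sample: de-identified claims as (record_id, year, city).
# No names are present, yet the year/city history is a quasi-identifier.
CLAIMS = [
    ("r1", 2010, "Austin"), ("r1", 2013, "Denver"), ("r1", 2016, "Boston"),
    ("r2", 2010, "Austin"), ("r2", 2013, "Denver"), ("r2", 2016, "Boston"),
    ("r3", 2010, "Austin"), ("r3", 2013, "Denver"), ("r3", 2016, "Seattle"),
    ("r4", 2011, "Dallas"), ("r4", 2014, "Boulder"), ("r4", 2017, "Portland"),
    ("r5", 2010, "Dallas"), ("r5", 2012, "Boulder"), ("r5", 2016, "Portland"),
]

# Hypothetical generalization table used to coarsen a release.
REGION = {"Austin": "South", "Dallas": "South", "Denver": "Mountain",
          "Boulder": "Mountain", "Boston": "Northeast",
          "Seattle": "Northwest", "Portland": "Northwest"}

def exact(year, city):
    """Release the claim's year and city unchanged."""
    return (year, city)

def coarse(year, city):
    """Release only a five-year bucket and a region."""
    return (year - year % 5, REGION[city])

def anonymity_sets(claims, generalize=exact):
    """Map each record id to k, the number of records sharing its history."""
    histories = {}
    for rid, year, city in claims:
        histories.setdefault(rid, set()).add(generalize(year, city))
    frozen = {rid: frozenset(h) for rid, h in histories.items()}
    counts = Counter(frozen.values())
    return {rid: counts[h] for rid, h in frozen.items()}

def at_risk(claims, k_min=2, generalize=exact):
    """Record ids whose history is shared by fewer than k_min records."""
    ks = anonymity_sets(claims, generalize)
    return sorted(rid for rid, k in ks.items() if k < k_min)

if __name__ == "__main__":
    print("exact release, k per record: ", anonymity_sets(CLAIMS))
    print("exact release, at risk:      ", at_risk(CLAIMS))
    print("coarse release, at risk:     ", at_risk(CLAIMS, generalize=coarse))
```

A record with k = 1 matches exactly one history, so anyone who knows that history from another source can attach a name to it; stripping the name, social security number and insurance number does not change k.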

The examples above are all legal under today's medical privacy laws. Consider, now, the involvement of criminal activity, such as hacking or fraud. The criminals might use nefarious ways to access even more data about you, perhaps by hacking a hospital's web portal and stealing medical data. Or they might social engineer their way into a job where they have direct access to health insurance information that they use to commit health insurance fraud.

Please contact us at Intrepid Net Computing if you want a personalized risk assessment for your data.



Chris Culnane, Benjamin I. P. Rubinstein, and Vanessa Teague. Health Data in an Open World. arXiv:1712.05627. 2017.

Brent Kirkpatrick. Open Letter to Genetics Researchers. 2016.


© 2015-2021 Intrepid Net Computing. All rights reserved.