Search the KHIT Blog

Wednesday, February 10, 2016

Here you go, steal my private medical data, let me help out

So, I saw an article of interest today in my email inbox (from one of my many daily feeds,, one having to do with a writer's experience with prostate cancer. Recall my recounting of my own dx and tx last year.
Prostate Cancer: Driving the Personalized Medicine Highway
Howard Wolinsky decides it may all be in the genes

by Howard Wolinsky
Contributing Writer, MedPage Today

Howard Wolinsky a journalist based in the Chicago area, was diagnosed with early prostate cancer in 2010. In part one of this series he described his diagnosis and his decision to chose active surveillance. In the second part, he shared his experience during 5 years of active surveillance and in this part he tells his continuing quest to make the best -- and most informed -- decision about his care...
Nice, thoughtful piece. I could relate, given what I've recently been through. Going public has its net virtues, a decision I made last year as well.

I posted a comment.
Interesting article. Very nice. I was treated for Gleason 6 prostate cancer (3+3, 6 of 12 cores positive, PSA elevating over 18 months to more than 9) last year. My urologist had an OncoType dx assay run, which indicated a mid-level "indeterminate" level of aggressiveness. I opted to zap that puppy with 2 months of daily Calypso IMRT (I called it "Nuke the Donald") after many tests (post-biopsy, including endo-rectal coil MRI and a bone scan) and much consideration -- which comprised both a 2nd opinion consult at Stanford RadOnco and listening to the many stories in my cancer support group. I'm pleased with my outcome this far.

Been writing about the (clinically anxious and bureaucratically frustrating) experience here:

I too have concerns about hype over "Omics-based" "personalized medicine" and will continue to follow developments.
I then tee'd it up on Twitter. I have my tweets set up to post through to my Facebook page. Below, this is what showed up in my FB feed.

Whoa... OK,
"Patient:  Wolinsky, Howard N," 
"JHT MR# T1604312"
"Birthdate:  09/29/1947"
"Gender:  M"
Seriously? Full name, DoB, Gender, MedRec#?

I immediatel
y channeled my Inner Latanya Sweeney. Dr. Sweeney, you may recall, is the noted privacy investigator and policymaker who once backed her way into former MA Governor William Weld's medical record starting out with merely Name, Gender, and ZIP Code.
The Massachusetts Group Insurance Commission had a bright idea back in the mid-1990s—it decided to release "anonymized" data on state employees that showed every single hospital visit. The goal was to help researchers, and the state spent time removing all obvious identifiers such as name, address, and Social Security number. But a graduate student in computer science saw a chance to make a point about the limits of anonymization.

Latanya Sweeney requested a copy of the data and went to work on her "reidentification" quest. It didn't prove difficult. Law professor Paul Ohm describes Sweeney's work:

At the time GIC released the data, William Weld, then Governor of Massachusetts, assured the public that GIC had protected patient privacy by deleting identifiers. In response, then-graduate student Sweeney started hunting for the Governor’s hospital records in the GIC data. She knew that Governor Weld resided in Cambridge, Massachusetts, a city of 54,000 residents and seven ZIP codes. For twenty dollars, she purchased the complete voter rolls from the city of Cambridge, a database containing, among other things, the name, address, ZIP code, birth date, and sex of every voter. By combining this data with the GIC records, Sweeney found Governor Weld with ease. Only six people in Cambridge shared his birth date, only three of them men, and of them, only he lived in his ZIP code. In a theatrical flourish, Dr. Sweeney sent the Governor’s health records (which included diagnoses and prescriptions) to his office.
Lordy. (Note: I first cited Dr. Sweeney in 2011 in reporting on my HealthInsight HIE rollout.)

Let's assume, for the sake of illustration here, that the foregoing Wolinksi PHI data are for real -- "live/hot data" innocently, if naively, scanned for MedPage article art.

Need I elaborate?

OK, I will. First thing I would do as an adroit "social engineer" would be to Google every public fact I could find regarding writer Wolinsky. This would be preparatory to calling John Hopkins with some slick talking points script I'd use to extract everything I could glean (the big prize obviously being private financial/payment data).

Need I elaborate further? Use your imagination.
Tangential erratum: from 2000 to mid 2005 I worked in risk management in a credit card bank. Part of my work involved fraud detection and mitigation/countermeasures. I had routine cross-departmental interactions with a number of bank units: e.g., Compliance, Operations, Collections, and Marketing. I also had unfettered access to the breadth of the bank's internal IT network.
Once, our Marketing luminaries produced and mailed out one of their iterative slick 4-color pitch brochures for national mail campaigns.

It had a pic with live Visa Card number on the cover art.

Need I elaborate on what happened forthwith?
Yeah, we got hit for a bundle prior to tying off that self-inflicted wound.
We also had an "Apply for a Visa Card" feature on our homepage. Curious, I looked at the under-the-hood HTML code.

OK, I entered my son's info (he was in high school at the time, no job no credit history). The data simply went to an unencrypted .txt file visible to and accessible by anyone knowing what "View Source" means.

A week later we got credit card mail pitches at home in Nick's name, all from our competitors. Jeez...
The Sweeney Data Map

Click to enlarge. Where do your medical data go? Source link here.


The National Self-Appointed Privacy Scold.
Give up Your Data to Cure Disease? Not so Fast!
Deborah Peel, MD

This weekend the NYTimes published an editorial titled Give Up Your Data to Cure Disease. When we will stop seeing mindless memes and tropes that cures and innovation require the destruction of the most important human and civil right in Democracies, the right to privacy? In practical terms privacy means the right of control over personal information, with rare exceptions like saving a life.

Why aren’t government and industry interested in win-win solutions?  Privacy and research for cures are not mutually exclusive.

How is it that government and the healthcare industry have zero comprehension that the right to determine uses of personal information is fundamental to the practice of Medicine, and an absolute requirement for trust between two people?

Why do the data broker and healthcare industries have so little interest in computer science and great technologies that enable research without compromising privacy?

Today healthcare “innovation” means using technology for spying, collecting, and selling intimate data about our minds and bodies.

This global business model exploits and harms the population of every nation.  Today no nation has a map that tracks the millions of hidden data bases where health information is collected and used, inaccessible and unaccountable to us.  How can we weigh risks when we don’t know where our data are held or how data are used?...
Worth reading and considering. Notwithstanding that I'm not a Peel fan. (See also here.) I'm still trying to ferret out aggregate coherence in her latest THCB post.

apropos of the privacy thing...
Insurors want to nudge you to better health. So they're data mining your shopping lists.
Rebecca Robbins, STATnews

Health insurers are scooping up huge quantities of personal information in a bid to figure out when you’re likely to get sick — and to design interventions to keep you healthy.

Insurance companies have always had access to your medical records, and in some cases your genetic data, too. Now, they’re paying data miners to sift through information on everything from what model car you drive to how many hours you sleep, from which magazines you read to where you shop and what you buy.

The goal: To decipher patterns that will allow them to steer you away from health emergencies. And to save themselves a whole lot of money in the process.

“I think I could better predict someone’s risk of a heart attack based upon their Visa bill than their genome,” said Dr. Harry Greenspun, a director at Deloitte who leads a team that mines data for health insurers and other clients...
The Digital Panopticon. See also Morozov's "Your Social Networking Credit Score." Recall my coverage of WinterTech 2016? "Digital exhaust"?
One presenter demo'ed an app purporting to generate a general personal "health score" once seeded with some basic info, after which the score would get "refined" by the addition of various social media metrics (the creepy phrase "digital exhaust" comes into play in this regard). Someone used the "FICO score for health" analogy in response.

More to come...

No comments:

Post a Comment