Ask HN: How bad is this survey's security?
I am a participant in a longitudinal study.
Periodically I am asked to answer questions in an online survey that:
- verifies my info (address, phone, email)
- verifies my contacts (name, address, phone, email)
- asks about recent doctor visits, prescriptions, hospitalizations, etc.
The login credentials are: - login=email
- password=date of birth
But it gets worse: you can login to a partially completed survey and information previously entered has been saved.I know this is terrible from a vanilla compsec standpoint; but isn't this information covered by HIPAA? What can I tell this organization to get them to understand the severity of this?
1 comment
[ 4.2 ms ] story [ 16.3 ms ] threadEven though I don't remember if the Security Rule specifically covers this stupid scenario, I think they would be found in violation if audited. They clearly have not performed a risk analysis, which by itself is a violation.
[1]https://privacyruleandresearch.nih.gov/pr_06.asp