23 comments

[ 2.4 ms ] story [ 87.4 ms ] thread
I'm sure they "take security very seriously".
Unfortunately there's no money in privacy, and a lot of money in either outright selling data or cutting costs to the bare minimum required to avoid legal liability.

Wife and I are expecting our third child, and despite my not doing much googling or research into it (we already know a lot from the first two) the algorithms across the board found out somehow. Even my instagram "Explore" tab that I accidentally select every now and then started getting weirdly filled with pictures of pregnant women.

It is what it is at this point. Also I finally got my last settlement check from Equifax, which paid for Chipotle. Yay!

Interestingly in healthcare there is a correlation between companies that license/sell healthcare data to other ones (usually they try to do this in a revokable way with very stringent legal terms, but sometimes they just sell it if there is enough money involved) and their privacy stance... and it's not what you would think. Often it's these companies that are pushing for more stringent privacy laws and practices. For example, they could claim that they cannot share anonymized data with academic researchers, because of xyz virtuous privacy rules, when they are actually the ones making money off of selling patient data. It's an interesting phenomenon I have observed while working in the industry that seems to refute your claim that "there's no money in privacy". Another way to think about it is that they want to induce a lower overall supply for the commodity they are selling, and they do this by championing privacy rules.
> Unfortunately there's no money in privacy

But there should be and there should be punishments for data breaches, or at least compensations for those affected. Then there would be an incentive for corporations to take their user's privacy more seriously.

Your personal data is basically the currency of the digital world. This is way data about you is collected left, right, and center. It's valuable.

When I trust a bank to safely lock away my grandmother's jewelry, I have to pay for it, but in return, if it just so happened that the bank gets broken into and all my possessions get stolen, at least I'll get (some) compensation.

When I give my valuable data to a company, I have already paid them (with the data themselves), but I have no case whatsoever if they get compromised.

> the algorithms across the board found out somehow.

It's worth keeping in mind that this is basically untrue.

In most of these algorithms, there's no "is_expecting: True" field. There are just some strange vectors of mysterious numbers, which can be more or less similar to other vectors of mysterious numbers.

The algorithms have figured out that certain ad vectors are more likely to be clicked if your user vector exhibits some pattern, and that some actions (keywords, purchases, slowing down your scroll speed when you see a particular image) should make your vector go in that direction.

Restrict data collection? It would kill all startups and firmly entrance a terrible provider monopoly who can comply.

Have the government own data collection? Yeah, I don't even know where to start with all the problems this would cause.

Ignore it and let companies keep abusing customers? Nope.

Stop letting class-action lawsuits slap the company's wrists and then give $0.16 payouts to everyone?

What exactly do we do without killing innovation, building moats around incumbents, giving all the power to politicians who will just do what the lobbyists ask (statistically), or accepting things as is?

The solution is to anonymize all data at the source, i.e. use a unique randomized ID as the key instead of someone's name/SSN. Then the medical provider would store the UID->name mapping in a separate, easily secured (and ideally air-gapped) system, for the few times it was necessary to use.
(comment deleted)
Until we can guarantee privacy and security maybe it’s best we shut down Illinois health care system.
The last time this happened, did the AG prosecute the person who discovered the vulnerable data?
I just heard a chorus of AI agents rejoicing that there's more private data now made public available to train on.
It's not often anybody writes a sentence that combines cynicism/negativity about AI with anthropomorphising AI agents!
Several maps created to assist the agency with decisions — like where to open new offices and allocate certain resources — were made public through incorrect privacy settings between 2021 and 2025 ... the mapping website was unable to identify who viewed the maps ... implemented a secure map policy that prohibits uploading customer data to public mapping websites.

So a state employee/contractor (doesn't say) uploaded unaggregated customer records to a mapping website hosted on the public internet?

Sounds like some patients are in for some lucrative free credit and identity monitoring /s
FYI, there's a .gov-maintained portal where healthcare companies in the U.S. are legally obliged to publish data breaches. It's an interesting dataset!

https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

This is a suboptimal characterization of this site.

I think it would be less wrong to say this is where covered entities that discover reportable breaches of PHI (whether their own or that of a BA) that trigger the immediate reporting obligation report them.

This is a narrower scope of coverage and shallower depth of epistemic obligation than you implied.

One of my favorite HIPAA stories is about a doctor who utilized his patient list when sending out campaign-related information when he was running for local office. Over 2 decades of schooling and still didn't understand how stupid this was.
I've been saying this forever. Computer security is and always will be nothing more than theater for with some minimal effort to cover bases, like hiring an INFOSEC then ignoring them. No on in charge cares about security because the number of people in charge punished for these breaches is still ZERO.
I've built Healthcare SAAS APIs that required custom integrations with EHR partners, as well as consulted on similar apps for others.

On top of common OWASP vulnerabilities, the bigger concern is that EHR and provider service apps do not have the robust security practices needed to defend against attacks. They aren't doing active pen testing, red-teaming, supply chain auditing -- all of the recurring and costly practices necessary to ensure asset security.

There are many regulations, HIPAA being the most notable, but their requirements and the audit process are incredibly primitive . They are still using a 1990s threat model. Despite HIPAA audits being expensive, the discoveries are trivial, and they are not recurring, so vulns can originate between the audit duration and the audit summary delivery.

Although almost every company issues a 'we care about your privacy' statement, but there is often very little 'money where your mouth is' resources to back that up.

This is why I am almost always very reluctant to give out any information that is not absolutely necessary to provide me the service that I need. If they don't know it, they can't leak it.

Every company wants you to fill out their standard form that tries to get you to volunteer way more info than they really need.

And everyone was fired, the top management has stepped down, and the fines were so massive that nobody ever took a chance with sloppy security ever again. Oh, it's actually the opposite of all that.
one more reason to overhaul the system. if a health care provider has a security incident they should be sued for the value of the data - and if that bankrupts them, then other providers will (hopefully) learn from that mistake. sort of like OSHA