AI Company Leaks Over 2.5 Million Medical Records

erek

"The medical records are quite detailed and include names, insurance records, medical diagnosis notes, and payment records. It looks as though the data was sourced from insurance companies and relates to car accident claims and referrals for neck and spine injuries. The majority of the personal information is thought to be for individuals located in New York, with a total of 2,594,261 records exposed. Fowler sent a responsible disclosure notice to Cense AI and public access to the folders was restricted soon after. However, the damage has potentially already been done if others had previously discovered the data was available. Fowler points out that medical data is the most valuable on the black market, fetching as much as $250 per record. If someone willing to act maliciously came across this data you can guarantee it is, or has been sold."

https://it.slashdot.org/story/20/08/18/2115229/ai-company-leaks-over-25-million-medical-records
 
This is why personal data should never be collected and stored by anyone, no matter the purpose, even if you trust their intentions (which I don't).

Stored personal data is always a target.

We need to get back to the point where individual pieces of data stay on some form somewhere in a filing cabinet, or in a server log, and are never collected, bundled and analyzed unless necessary to solve an immediate problem, and then are destroyed immediately after the analysis is complete.

They can't steal data that hasn't been collected.

End big data. Permanently.

There is no conceivable way it can be properly and safely used, and should never exist.
 
You can't not have data collection. It's crucial for some fields. Going back to filing cabinets isn't the answer either

I say everyone that wants to collect data needs to have some sort of certification or clearance to do so where standards are maintained and audits performed
 
I really wonder sometimes how companies manage to fuck things up like this, like what the fuck are you doing that this data as a whole is ever touching the internet.

Your sysadmin instincts should be fucking screaming.
 
You can't not have data collection. It's crucial for some fields. Going back to filing cabinets isn't the answer either

I say everyone that wants to collect data needs to have some sort of certification or clearance to do so where standards are maintained and audits performed


I think there are a few critical fields.

Financial industry, credit bureaus, maybe one or two more, but other than that it should be it.

If there are some industries that can't exist without it, then maybe those industries shouldn't exist. I'm fine with the economy taking a financial hit in exchange for retaking our privacy.

My suggestion would be that private data is always the property of the person it describes. They must be informed when it is collected, and they can revoke the access to it at any time.

At no point should it be used to the advantage of anyone but the person who it describes.

Google, Facebook and others can go out of business for all I care. I'm sure they can make enough to survive by reverting to a contextual-only ad model that does not rely on data harvesting. Sure it won't be as profitable, but I don't give a rat's ass.
 
I really wonder sometimes how companies manage to fuck things up like this, like what the fuck are you doing that this data as a whole is ever touching the internet.

Your sysadmin instincts should be fucking screaming.

Selling it lol
 
I think there are a few critical fields.

Financial industry, credit bureaus, maybe one or two more, but other than that it should be it.

If there are some industries that can't exist without it, then maybe those industries shouldn't exist. I'm fine with the economy taking a financial hit in exchange for retaking our privacy.

My suggestion would be that private data is always the property of the person it describes. They must be informed when it is collected, and they can revoke the access to it at any time.

At no point should it be used to the advantage of anyone but the person who it describes.

Google, Facebook and others can go out of business for all I care. I'm sure they can make enough to survive by reverting to a contextual-only ad model that does not rely on data harvesting. Sure it won't be as profitable, but I don't give a rat's ass.

Then the price of the data will go up, and guess who else would sell it. Financial industry, credit bureaus? The data exists and is harvested in more ways than you know. And of course when there is value at stake someone will cash in.
 
I’m not a huge fan of Gov’t regulation but this shit needs to stop a decade ago. We should fight to declare ownership of our data and fight these guys like we were the RIAA. Oh you had my data downloaded 500 times without my permission well at $12 a pop you owe me and each of the other 2.6M people $6,000..

put an end to this shit real fast that way.
 
Then the price of the data will go up, and guess who else would sell it. Financial industry, credit bureaus? The data exists and is harvested in more ways than you know. And of course when there is value at stake someone will cash in.

It would be easy to structure laws that would prevent that.

Something like:

Financial:
- Personal data may only be used to support the account belonging to the user the data described.
- At no point may financial transaction or any other data be sold or in any other way transacted to any other party.
- Upon closure of the account all data must be deleted.

Credit Bureau:
- Personal data may only be collected for the purpose of generating credit reports used for making decisions on whether or not an individual qualifies for a loan. Any other use is illegal.
- Credit reports may only be provided with the written permission and positive identification of the individual the data describes.
- Data may not be sold or transacted for any other reason.

General Business:
- Personal data may not be maintained for any other purpose than collecting a debt or directly supporting a service the user the data describes uses.
- Data may not be monetized, sold, transacted, used for marketing or for any other purpose.
- Once a debt is collected, or user account is closed, data must be permanently deleted.

Medical:
- Data may be collected only for the purpose of providing medical care to the user it describes, and seeking payment/reimbursement of that treatment.
- Insurers must delete data as soon as all accounts for the individual treatment are settled.
- Once a patient switches provider the data must be permanently deleted.

And on and on. These things can be crafted such that legally there are only very limited reasons data may ever be collected, that data may never under any circumstance be monetized, sold or transferred to a third party, that there are requirements around security when data is held in these limited circumstances, and that there are very stiff fines when violated.

I would make any holder of someone else's personal data financially liable for any and all losses resulting from any breach or loss of said data, without financial or time limits.

The wild west shit going on right now must end.

Personal Data must cease to exist as an industry. I don't care who goes out of business or what it does to the economy.
 
It would be easy to structure laws that would prevent that.

Something like:

Financial:
- Personal data may only be used to support the account belonging to the user the data described.
- At no point may financial transaction or any other data be sold or in any other way transacted to any other party.
- Upon closure of the account all data must be deleted.

Credit Bureau:
- Personal data may only be collected for the purpose of generating credit reports used for making decisions on whether or not an individual qualifies for a loan. Any other use is illegal.
- Credit reports may only be provided with the written permission and positive identification of the individual the data describes.
- Data may not be sold or transacted for any other reason.

General Business:
- Personal data may not be maintained for any other purpose than collecting a debt or directly supporting a service the user the data describes uses.
- Data may not be monetized, sold, transacted, used for marketing or for any other purpose.
- Once a debt is collected, or user account is closed, data must be permanently deleted.

Medical:
- Data may be collected only for the purpose of providing medical care to the user it describes, and seeking payment/reimbursement of that treatment.
- Insurers must delete data as soon as all accounts for the individual treatment are settled.
- Once a patient switches provider the data must be permanently deleted.

And on and on. These things can be crafted such that legally there are only very limited reasons data may ever be collected, that data may never under any circumstance be monetized, sold or transferred to a third party, that there are requirements around security when data is held in these limited circumstances, and that there are very stiff fines when violated.

I would make any holder of someone else's personal data financially liable for any and all losses resulting from any breach or loss of said data, without financial or time limits.

The wild west shit going on right now must end.

Personal Data must cease to exist as an industry. I don't care who goes out of business or what it does to the economy.


"Oh no someone stole all our data! Shucks!" And although you could propose laws forcing companies to practice due diligence, I feel many of those would be hard to enforce.
 
Time for those implants. All my data is on me and can be analyzed with my authorization but cannot be stored. Seriously why is this stuff always online? My vacation photos i feel are harder to get lol.
 
Until there are real consequences to the individuals and/or CEOs, not the amorphous "corporation", that are supposed to be safeguarding any data, this will continue. If you're the guy in charge of data management and a data breach means they cut your hands off, rather than the company gets sued (and only the lawyers win), you'd probably take your job a little more seriously.
 
Boy, some IT guy is screwed. The company does "SaaS-based intelligent process automation management solutions". It looks like the person put all that data somewhere temporarily, before doing a data import (or maybe they were trying to create a demo to sell the insurance company on what they can do for them, and wanted to use live data). Regardless, why any portion of the company's storage should be open and available for public access is going to be a huge issue in their internal meetings. Would be interested to be a fly on the wall there... We have BOX and other similar solutions for transfer and temporary storage of data, so there should be no need to use any public storage solution, especially for something like this. Pretty sure with it being medical records, the company is now in for a world of trouble.
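The post above boils the incident down to a storage folder that was reachable by anyone. The check below is an added example (not code from the thread, from Cense AI, or from the researcher's write-up) of the kind of audit that catches that before a disclosure notice does. It assumes an S3-style ACL shape (a list of grants, each naming a grantee and a permission) and the S3 PublicAccessBlock settings; the bucket names and ACL records are constructed sample data, not the leaked folders.

```python
"""Audit object-storage ACL records for anonymous (public) access grants.

Added example, not code from the original thread or from Cense AI. It assumes
an S3-style ACL shape; the records in SAMPLE_ACLS are constructed sample data.
With live credentials the same dicts come from
    s3.get_bucket_acl(Bucket=name)
    s3.get_public_access_block(Bucket=name)["PublicAccessBlockConfiguration"]
"""
from dataclasses import dataclass

# Grantee URIs that S3 uses for "everyone" and "any signed-in AWS user".
# A grant to either one means the data is reachable without being a member
# of the account that owns it.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# PublicAccessBlock settings that together stop ACLs and bucket policies
# from granting public access, even if someone adds such a grant later.
REQUIRED_BLOCK_SETTINGS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)


@dataclass(frozen=True)
class Finding:
    bucket: str
    grantee: str
    permission: str


def public_grants(bucket_name, acl):
    """Return the grants in `acl` that hand access to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GRANTEES:
            findings.append(Finding(bucket_name, uri, grant["Permission"]))
    return findings


def public_access_blocked(config):
    """True only when every PublicAccessBlock setting is explicitly on."""
    return all(config.get(key) is True for key in REQUIRED_BLOCK_SETTINGS)


def audit(acls, block_configs):
    """Map bucket name -> list of Findings for every bucket that is exposed.

    A bucket is reported if it carries a public grant and its account- or
    bucket-level PublicAccessBlock does not neutralise that grant.
    """
    report = {}
    for name, acl in acls.items():
        hits = public_grants(name, acl)
        if hits and not public_access_blocked(block_configs.get(name, {})):
            report[name] = hits
    return report


# Constructed sample data: a staging bucket someone opened up for a one-off
# import, and a production bucket with only the owner on the ACL.
SAMPLE_ACLS = {
    "claims-import-staging": {
        "Owner": {"ID": "owner-1"},
        "Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": "owner-1"},
             "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group",
                         "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"},
        ],
    },
    "claims-prod": {
        "Owner": {"ID": "owner-1"},
        "Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": "owner-1"},
             "Permission": "FULL_CONTROL"},
        ],
    },
}

# No PublicAccessBlock configured on either bucket (the default for an old
# account), so the staging grant is live.
SAMPLE_BLOCKS = {}

if __name__ == "__main__":
    for bucket, hits in audit(SAMPLE_ACLS, SAMPLE_BLOCKS).items():
        for hit in hits:
            print(f"{bucket}: {hit.permission} granted to {hit.grantee}")
```

The point of the second check is that a public grant on its own is not the whole story: with all four PublicAccessBlock settings on, the same grant is ignored, which is why the audit only reports a bucket when the grant is present and nothing blocks it. Run against a real inventory, the report is empty on a good day, and on a bad day it names the staging bucket before anyone outside does.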
 
Is it safe to assume at this point that pretty much all of our info is out there on the web somewhere unsecured? I'm tired of seeing shit like this and I just think at this point there is no such thing as internet or information security.
 
You can't not have data collection. It's crucial for some fields. Going back to filing cabinets isn't the answer either

I say everyone that wants to collect data needs to have some sort of certification or clearance to do so where standards are maintained and audits performed

They do have security requirements and audits. They are actually pretty major in financial and medical fields. The problem is that even when meeting the basic security requirements, things can still be configured incorrectly, hardware vulnerabilities found, machines compromised by stupid people, which leads to server access. And then the consequences are a slap on the wrist and an apology to anyone affected.

The only way to stop a data breach like this is to not have the data accessible by any computer, server, or network that can ever reach the internet, closed LAN only, and if records need to be sent to another facility they would have to be sent via courier on a storage medium. If it was the law that no data can be on any network that touches the internet via any hardware or software connection, regardless of a software rule saying "no", then it would greatly reduce the number of people who do it, and for those people who do break the law and put data on a place that could be touched by the internet, if it is found during an audit or if there is a data breach then there needs to be major fines and jail time for a breach happening on someone's watch. The fines should be per person involved, should go to the person whose data it was, and should actually be a monetary value relevant in the world, not $14 or less. The IT person in charge of that data should face jail time, as should any of his supervisors or managers above him/her. Making it so the financial burden of a single breach would bankrupt a company is the only way to get companies to take it seriously.
 
Is it safe to assume at this point that pretty much all of our info is out there on the web somewhere unsecured? I'm tired of seeing shit like this and I just think at this point there is no such thing as internet or information security.

Yes. Our information is so far out there it is ridiculous. Your info, my info, everyone's info should be assumed to have been appropriated by one to many bad actors at some point in time up to the present.

As a software engineer at a financial institution, i can tell you that your average consumer would be absolutely horrified at some of the practices i have seen and continue to see on a daily basis. Our priorities and concerns as a development team are constantly overridden, misaligned, or vacated by the Product/business side - and it's only getting worse.

Expect more of this junk in the future. Guaranteed.

Edit:
They do have security requirements and audits. They are actually pretty major in financial and medical fields. The problem is that even when meeting the basic security requirements, things can still be configured incorrectly, hardware vulnerabilities found, machines compromised by stupid people, which leads to server access. And then the consequences are a slap on the wrist and an apology to anyone affected.
[...]

True. Our auditing and risk controls systems are extremely complicated both on the technical solution side as well as the business process side. As any engineer knows - complexity begets flaws and/or loopholes. Kinda like our tax code. Funny how that works.
 
They do have security requirements and audits. They are actually pretty major in financial and medical fields. The problem is that even when meeting the basic security requirements, things can still be configured incorrectly, hardware vulnerabilities found, machines compromised by stupid people, which leads to server access. And then the consequences are a slap on the wrist and an apology to anyone affected.

The only way to stop a data breach like this is to not have the data accessible by any computer, server, or network that can ever reach the internet, closed LAN only, and if records need to be sent to another facility they would have to be sent via courier on a storage medium. If it was the law that no data can be on any network that touches the internet via any hardware or software connection, regardless of a software rule saying "no", then it would greatly reduce the number of people who do it, and for those people who do break the law and put data on a place that could be touched by the internet, if it is found during an audit or if there is a data breach then there needs to be major fines and jail time for a breach happening on someone's watch. The fines should be per person involved, should go to the person whose data it was, and should actually be a monetary value relevant in the world, not $14 or less. The IT person in charge of that data should face jail time, as should any of his supervisors or managers above him/her. Making it so the financial burden of a single breach would bankrupt a company is the only way to get companies to take it seriously.

Yes to all that

None of it is made public. The process, results and so on are kept internal, and thus the public doesn't know who's doing a good job with data protection and who isn't, which is what we're really after here.

So I say create a strict spec that companies need to adhere to that is visible to the end user in the form of a green checkbox next to the address bar or whatever it takes to make it clear that xyz.com hasn't been vetted as a trusted data collector. It doesn't need to be government related either. We've done this with certificate authorities, let's now create data protection authorities. Bake it into the protocols even. A technical solution to a technical problem. Should help with keeping Facebook, Microsoft, Google and so on a little more responsible and also weed out the shitheads that let leaks happen.

Who am I kidding though cause Facebook Microsoft Google etc own the internet and would never do anything responsible
 
I think there are a few critical fields.

Financial industry, credit bureaus, maybe one or two more, but other than that it should be it.

If there are some industries that can't exist without it, then maybe those industries shouldn't exist. I'm fine with the economy taking a financial hit in exchange for retaking our privacy.

My suggestion would be that private data is always the property of the person it describes. They must be informed when it is collected, and they can revoke the access to it at any time.

At no point should it be used to the advantage of anyone but the person who it describes.

Google, Facebook and others can go out of business for all I care. I'm sure they can make enough to survive by reverting to a contextual-only ad model that does not rely on data harvesting. Sure it won't be as profitable, but I don't give a rat's ass.

Google would be a lot less troublesome if they weren't so rich.
 
and all those paper copies from archives were just sitting by the road waiting to be picked up by recycling lorry.

Shredding services aren't terribly expensive and they'll come right to your business and take your documents away in locked bins. (The place my office used to use charged something like $40 to take away a wheeled bin the size you see in suburban neighborhoods, 60 gallons or so.)
 
Reminds me of the time the Clintons connected social security info to the internet, realized by some chance someone was ready with all the right hacks to hoover in all the data and then they pulled the plug. Would have been cheaper if they just made hard drive backups and handed those off to 'the hackers'.
 
What people paid? Could be enough for a massive RICO action because you could prove the intent to defraud.
 
It would be easy to structure laws that would prevent that.



Medical:
- Data may be collected only for the purpose of providing medical care to the user it describes, and seeking payment/reimbursement of that treatment.
- Insurers must delete data as soon as all accounts for the individual treatment are settled.
- Once a patient switches provider the data must be permanently deleted.

And on and on. These things can be crafted such that legally there are only very limited reasons data may ever be collected, that data may never under any circumstance be monetized, sold or transferred to a third party, that there are requirements around security when data is held in these limited circumstances, and that there are very stiff fines when violated.

I would make any holder of someone else's personal data financially liable for any and all losses resulting from any breach or loss of said data, without financial or time limits.

The wild west shit going on right now must end.

Personal Data must cease to exist as an industry. I don't care who goes out of business or what it does to the economy.

This is something I know a bit about, I'm the guy collecting this data. and using it, and sharing it.

Hospitals have to have access to this information. It has to be available to treat patients.

I have had our Imaging dept. burn a copy of an MRI for a sick kid and delivered it to the helicopter crew as they transported the patient to a waiting neurosurgeon.

I have had to call multiple health systems all over the country and request records on patients to include things like if they have a certain type of pacemaker that may or may not be safe to use in an MRI machine, or if they are allergic to medications we are about to give them.

If you don't maintain and share medical records, people are going to die. you just can't request this stuff from a patient again when you need it.

We need to actually improve sharing abilities between facilities, and improve the security. I still have to get MRI images on a fucking DVD transported by a courier to some hospitals. not all of them have secure sharing of images. Using a FAX machine is an everyday thing still. who the hell still uses fax machines in 2020? your hospital does. slow ass crappy 1960's tech and it's the best we can do for a lot of stuff. On the bright side, you can't hack a Fax I suppose.

We need to develop a nationwide system of anonymized electronic record sharing that doesn't link critical health data to patient identifiers at the time of transmission.
 
This is something I know a bit about, I'm the guy collecting this data. and using it, and sharing it.

Hospitals have to have access to this information. It has to be available to treat patients.

I have had our Imaging dept. burn a copy of an MRI for a sick kid and delivered it to the helicopter crew as they transported the patient to a waiting neurosurgeon.

I have had to call multiple health systems all over the country and request records on patients to include things like if they have a certain type of pacemaker that may or may not be safe to use in an MRI machine, or if they are allergic to medications we are about to give them.

If you don't maintain and share medical records, people are going to die. you just can't request this stuff from a patient again when you need it.

We need to actually improve sharing abilities between facilities, and improve the security. I still have to get MRI images on a fucking DVD transported by a courier to some hospitals. not all of them have secure sharing of images. Using a FAX machine is an everyday thing still. who the hell still uses fax machines in 2020? your hospital does. slow ass crappy 1960's tech and it's the best we can do for a lot of stuff. On the bright side, you can't hack a Fax I suppose.

We need to develop a nationwide system of anonymized electronic record sharing that doesn't link critical health data to patient identifiers at the time of transmission.

Certainly there needs to be a central owner of your medical data (Primary Care Physician maybe?) who can make sure it is available to a hospital that needs it for treatment or something like that.

I am talking about after discharge. There is no reason patients' sensitive data should continue to be held on to for sometimes years after it is no longer needed to treat the patient.

We need to go through every use of private data making sure that it is used Only where absolutely necessary in order to support the needs of the person it describes, and for absolutely nothing else, and that it is purged as soon as it is no longer needed, as sitting data is always a target.


Since we know it is impossible to design a secure system, and every system can be exploited in one way or another, our best tool to combat data theft is to minimize the data we keep. Have as absolutely little of it as humanly possible in as few places as humanly possible, and constantly stay on top of expunging non-working copies of data.

That is the only way. They can't steal what you don't have.
 
Dear God, why would you say that? Now someone's going to try to do it!

Sounds like it would be fairly trivial.

The data stream isn't encrypted, right? Should just be able to splice the analog phone wire somewhere, record the audio signal, and then feed it to a fax and have it print it out.

The difficult part will be to gain sufficient access to tap the line.
 
Certainly there needs to be a central owner of your medical data (Primary Care Physician maybe?) who can make sure it is available to a hospital that needs it for treatment or something like that.

I am talking about after discharge. There is no reason patients' sensitive data should continue to be held on to for sometimes years after it is no longer needed to treat the patient.

We need to go through every use of private data making sure that it is used Only where absolutely necessary in order to support the needs of the person it describes, and for absolutely nothing else, and that it is purged as soon as it is no longer needed, as sitting data is always a target.


Since we know it is impossible to design a secure system, and every system can be exploited in one way or another, our best tool to combat data theft is to minimize the data we keep. Have as absolutely little of it as humanly possible in as few places as humanly possible, and constantly stay on top of expunging non-working copies of data.

That is the only way. They can't steal what you don't have.

It doesn't work that way. You can't magically recreate this data once it's gone; you have to weigh the risks to patient privacy against the need to be able to treat the patient effectively. Your health care isn't a one-time event, it needs to be an ongoing process that starts at birth and ends at death.

Sometimes you have to know a patient's history of treatment. Patients are, at the best of times, unreliable historians, and things like CTs and MRIs have to be stored digitally. MRIs are rather large files that clinicians have to compare with a current image to diagnose new problems. Being able to compare a patient's history to their current condition is important.

Other fields have similar issues, I don't have a solution, but you just can't expect us to not keep records, it's not feasible.
 
Sounds like it would be fairly trivial.

The data stream isn't encrypted, right? Should just be able to splice the analog phone wire somewhere, record the audio signal, and then feed it to a fax and have it print it out.

The difficult part will be to gain sufficient access to tap the line.

The T.38 IP fax protocol goes analog to digital and back. Not sure how common it is, but fax over IP is a thing.

As you say, the hard part is access. If you can get access to the phone/data lines, the actual documents being sent are just as at risk.
 
You want to lock down data and stop this?

Make the companies that lose data liable with a minimum value of 300 dollars per individual private record lost. You lose a history of 100 records for a user? Guess what... you're out 30k. Lose 100 records for 30k users... maaaybe it's best you close up shop and stop doing what you do because you are criminally irresponsible.

Then bring in the insurance companies to cover the liability.

Then THEY in an interest of not paying out enforce some solid methods to protect the data.

Today we have companies that are willing to spend to protect data based on the value of the data in question not being lost. What is the damage? That's how they value the protection of the data, hence the data is so easily stolen, because the liability to the company is minimal.

Jack up that liability and all of a sudden the cost to protect the data is more easily justified and more robust methods and checks are put in place to stop it.

NO company today is doing EVERYTHING they can to protect our data. It has to be opened up and shared on so many levels and even those that are doing POC audits are having to share data just for the audits!! Even if they ARE secure already!! (a rarity to be sure.)

So I will reiterate. To encourage companies to spend on data protection they need a per-data-item-lost value assigned. And the company that collected the data is the one ultimately responsible for its stewardship. (Meaning if a Target collected your data but allowed a billing company access to it to process credit card transactions, and that company was hacked and your data was stolen from Target through the third party, legally Target is the steward and the one at fault.) NOW these companies have a real number to look at to base the risk on. They will do things like "Do we need Tom's browser history for the last 6 years?" "Do we need his GPS location data for the last 3?" and so on. Once they have pared down the data they NEED, that will be the first part of protecting your data. As has been said in this thread, data that isn't present can not be stolen. Next they will say we have xxxx number of data points per user stored on Y systems. They will pare that down, put in PCI-compliance-type steps and take it further to pare down the exposure of your data on a more real NEED-to-know basis.

Once that is done they will have some real numbers to correlate to risk. Once the risk value is known then you can count on these companies spending 20% of that value (for large companies) in initiatives to make sure your data remains secure all of the time.

The joke of our data being worth 10 dollars needs to be put WAY into the past.
 