Hacking the US Prescription System
An anonymous reader writes: It appears that most pharmacies in the US are interconnected, and a breach in one leads to access to the other ones. A security advisory released [Friday] shows how a vulnerability in an online pharmacy granted access to prescription history for any US person with just their name and date of birth.
From the description linked above: During the signup process, PillPack.com prompts users for their identifying information. In the end of the signup process, the user is shown a list of their existing prescriptions in all other pharmacies in order to make the process of transferring them to PillPack.com easier. ... To replicate this issue, an attacker would be directed to the PillPack.com website and choose the signup option. As long as the full name and the date of birth entered during signup match the target, the attacker will gain access to the target's full prescription history.
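The flaw in the advisory excerpt above is that name and date of birth, which are identifiers rather than secrets, are accepted as proof of identity. The following is an added example, not code from the advisory or from PillPack: it contrasts that lookup with one that releases history only after a one-time code reaches a contact already on file. The record store, the contact table and the `send` callback are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not from the advisory): records other pharmacies
# hold, and a contact channel assumed to be on file with the existing pharmacy.
RECORDS = {("jane doe", "1980-02-14"): ["drug-A 10mg", "drug-B 5mg"]}
CONTACT_ON_FILE = {("jane doe", "1980-02-14"): "jane@example.org"}
NEUTRAL = "If matching records exist, a code was sent to the contact on file."


def history_vulnerable(name, dob):
    """Flow as described: a name + date-of-birth match alone releases history."""
    return RECORDS.get((name.lower(), dob), [])


class VerifiedLookup:
    """Name + DOB only select a record; release needs a one-time code that
    is delivered to the contact on file, never to the person signing up."""

    MAX_ATTEMPTS = 3

    def __init__(self, send):
        self._send = send      # hypothetical delivery callback: send(address, code)
        self._pending = {}     # identity -> [sha256(code), attempts left]

    def start(self, name, dob):
        key = (name.lower(), dob)
        if key in RECORDS:
            code = f"{secrets.randbelow(10**6):06d}"
            digest = hashlib.sha256(code.encode()).digest()
            self._pending[key] = [digest, self.MAX_ATTEMPTS]
            self._send(CONTACT_ON_FILE[key], code)
        return NEUTRAL         # same reply either way: no record-existence oracle

    def finish(self, name, dob, code):
        key = (name.lower(), dob)
        entry = self._pending.get(key)
        if entry is None:
            return []
        entry[1] -= 1
        ok = hmac.compare_digest(entry[0], hashlib.sha256(code.encode()).digest())
        if ok or entry[1] == 0:
            del self._pending[key]   # single use, and locked out after 3 misses
        return RECORDS[key] if ok else []
```
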
> I think it is far more likely that the pharmacy sells this information to insurance, pharmaceutical, and marketing companies.
This. Pretty much every prescription the doctor writes effectively goes straight to the drug reps. If you stop prescribing, they'll know, and come in and bribe^H^H^H^Hinquire as to why you stopped prescribing their drug.
Your hair look like poop, Bob! - Wanker.
They know about my meds because I pretty much have to tell someone to get the prescription filled.
They know my email address since the same people I go to to get the prescription filled have my email address so they can send me reminders that my refills are due.
So, the pharmacy has my prescription history going way back (what, you think I change pharmacies every time I get a new prescription) and my email address. And I still have never gotten any spam advertising drugs.
Note that drug advertising to me wouldn't actually do any good, since I'm not an MD, and am incapable of prescribing drugs to myself (or anyone else). That sort of thing is best aimed at doctors and hypochondriacs (the kind who will nag their doctors about the new drugs they see on TV that sound like they'd be PERFECT for their problems)....
"I do not agree with what you say, but I will defend to the death your right to say it"
I'll allow that I may be wrong. I don't know; it's never happened before so I don't know what it feels like :P
I note in the excellent link you provided under the section of data mining it says
Data miners buy prescription information from pharmacies and PBMs.
Apparently, data identifying a specific person is removed "sufficient to remove the data from the protection of the CMIA and HIPAA", and the records are assigned a number.
Further,
Prescription data miners have the ability to re-identify individual data based on the number assigned to it, and they operate separately from the entities - health care providers, health plans, health care clearinghouses, and their contractors or business associates - that do have legal obligations.
I don't think it too far-fetched to think this is happening, particularly since I started seeing a lot of targeted ads for asthma medications not long after coming down with respiratory difficulties last year. Somebody's doing something shady, I'll bet.
Your pharmacist has sold your prescription data to some shady third party for advertising purposes. Somehow they managed to loophole that out of HIPAA - it's a 'service' for your own good - or something along those hallucinatory lines.
Supposedly you can opt out but you first have to know if you got opted in.
I'm actually surprised that this hasn't generated much flak, but there are so many things to get angsted at I think that most people are just overwhelmed. Personally, I ran out of extra angst a long time ago.
Faster! Faster! Faster would be better!