Slashdot Mirror


A Huge Trove of Patient Data Leaks, Thanks To Telemarketers' Bad Security (zdnet.com)

"A trove of records containing personal and health information on close to a million people was exposed after a former developer working at a telemarketing company uploaded a backup of its database to the internet," writes ZDNet. An anonymous reader quotes their report: The data contained personal and health-related information, such as names, addresses, dates of birth, phone numbers, email addresses, Social Security numbers, health insurance information, and other data relating to the types of health problems the individuals have regarding the products they need, though many of the records were truncated or incomplete. An examination showed that the database was used to market products to thousands of customers by telemarketers at HealthNow -- no longer a registered business as of 2015. Several records we've seen included customized notes written by staff who were tasked with calling customers, such as when they are home and any other relevant information on the subject.
The database apparently lingered online for years in an AWS instance until it was discovered two weeks ago in search results from Shodan by a Twitter user calling himself Flash Gordon. Databreaches.net, which investigated the breach with ZDNet, believes this is a teachable moment. "Before you give your personal or health insurance information to telemarketers or firms that call to offer you supplies for diabetes or back pain or other conditions, think twice."

4 of 44 comments

  1. some things are harder to avoid :( by Anonymous Coward · Score: 5, Insightful

    I can pretty well avoid IoT devices and all the stupidity that surrounds them... at least for the moment, until they take over the marketplace entirely. And in the example from TFS, you can avoid it by not dealing with the telemarketers.

    But health care in general, wow, that's a different kind of thing. There have been leaks from primary health care databases, sometimes impacting up to 70 million people at once such as with the Anthem leak. That's just one example of many.

    There are kinds of health care you cannot avoid, so you are given no choice but to have your personal and health info entered into systems that are insecure. They have been proven time and time again to be insecure, so it isn't a theoretical risk. It has happened and will happen again. So now you're exposed to identity theft, insurance fraud, and more.

    In the past there was not a single centralized database to attack. You might steal some paper records from a clinic and get 100 people's data. Now you attack a database on the internet and get 100 million people's data. Centralization increases risk and vulnerability, just like lack of biological diversity does for diseases among populations.

    Something is seeming awfully broken about what we're doing, and I can't vote with my dollars against it, because then I don't get health care.

  2. Sigh. by ledow · Score: 3, Insightful

    No.

    Before you live in a country where you can telemarket medical products to people at all, and don't have proper data protection legislation, think twice.

  3. Data Brokers are the problem by knorthern knight · Score: 3, Insightful

    This is part of a bigger problem. See http://money.cnn.com/2013/12/1... It's possible to *BUY* lists of rape victims, HIV sufferers, police officers, etc, etc. This data shouldn't be available in the first place.

    The problem is that this data is sometimes used to determine whether you get a loan or a job, etc, etc. It's bad enough that you can be denied a loan or a job for something irrelevant. What's horrifying is that these lists often have major errors http://money.cnn.com/2013/09/0... which may play a part in denying you loans or jobs.

    --

    I'm not repeating myself
    I'm an X window user; I'm an ex-Windows user

  4. Wrong. by sootman · Score: 3, Insightful

    "Databreaches.net, which investigated the breach with ZDNet, believes this is a teachable moment. 'Before you give your personal or health insurance information to telemarketers or firms that call to offer you supplies for diabetes or back pain or other conditions, think twice.'"

    I have a simpler takeaway: nobody should ever buy anything from any telemarketer, ever. I can't wait until we, as a society, treat "buying from a telemarketer" as a universally-recognized obviously bad decision, right up there with "chewing some gum you found stuck under a table." Seriously -- fuck them and all their ilk. They are parasites, but nobody ever is going to have the balls to just ban them, so the next best thing is if it just becomes simply impossible to make any money in that business.

    AT BEST, they are selling some shit you probably don't need, AT WORST -- and, in fact, IN GENERAL -- they are selling products that are of dubious value, if not outright scams. God knows there's enough advertising in the world, so it's basically impossible for there to be a product you haven't heard of. In the off chance that they're selling something you need, you can get it elsewhere. I don't know of a single product that telemarketers have a monopoly on.

    I have a simple phone rule: I don't answer unrecognized numbers. If an unrecognized number is a legit call, they can leave a message. If they don't, I don't need them. Period. All that's left to do is delete the occasional "THIS IS AN IMPORTANT MESSAGE FROM INTERNAL REVENUE SERVICE" scam robocall.

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.