US health insurance giant Blue Shield of California handed sensitive health information belonging to as many as 4.7 million members to Google's advertising empire, likely without these individuals' knowledge or consent.
The data shared may have included medical claim dates and providers used, which raises the specter of Google targeting ads based on the fact that you booked an appointment with a certain type of doctor - say, a cancer specialist, fertility clinic, or psychiatrist.
Other info potentially shared with Google ranged from patient names, insurance plan details, city of residence and zip code, gender, family size, and Blue Shield-assigned account identifiers, to financial responsibility info, and search queries and results for the "Find a Doctor" tool — including location, plan type, and provider details.
Other than that, Mrs. Lincoln - how did you like the play?
Blue Shield declined to answer The Register's questions, including how it discovered this years-long data leak, and what other third-party trackers (if any) are on its websites.
...
"This isn't just a technical misstep. It's a HIPAA compliance failure," Ensar Seker, CISO at threat intel firm SOCRadar, told The Register, referring to America's Health Insurance Portability and Accountability Act that safeguards medical data.
Bingo is his name-o. Just to emphasize that: this wasn't just a "data breach", it was a criminal violation of US law.
5 comments:
G**gle is evil, pure evil.
And just like that I started getting Pharmaceutical ads and emails for my various ailments.
It's illegal, but it will be called a glitch, and nobody will be prosecuted. Of course there will be a half-hearted, expensive investigation and the in-laws of those investigating will have a few years of an exorbitant salary.
Every single time I have been the victim of data compromise, it has been the result of some corporate server taking a dump. This includes health insurance and multiple credit card issues. It has never been anything I did but we still have to do password security theater.
There's nothing about this that couldn't be cured by a civil fine in the 10- to 11-digit range, and criminal arrests of a few top officers of the company, including prosecution for deliberately conspiring to violate HIPAA laws.
4.7 million members, times 5-10 years each, apportioned to their executive board members and senior staff, should suffice nicely.
100 top Google executives getting sentenced to 470,000 years in federal prison each would be a salutary exercise in justice.
HHS Sec. RFK Jr. should refer the matter to the U.S. Attorneys in DC and Google's HQ location post haste.
Apparently, Pam Bondi is struggling to find anyone to prosecute, and could use the help.