Hacker News new | ask | show | jobs
by devereaux 2578 days ago
Name + ICD diagnosis, what a wonderful leak for blackmailers wordwide! (/s)

Seriously, these two pieces of data that are innocent alone, when taken separately (HIV, chlamydia, cancer...) should NEVER have been linked together, ESPECIALLY when given to a third party, EVEN MORE stored together.

I pray it will result in many lawsuits with hefty punitive damages, and that as a consequence private data will be considered a liability to be deleted as early as possible (just like corporate email in many companies)
3 comments
tedmiston 2578 days ago
Good catch. Reading between the lines I took this to mean that lab information was not leaked:

> The system contained sensitive data, including credit card numbers, bank account information, medical information and Social Security numbers, Quest said. Lab results were not provided to AMCA and were not exposed in the breach. AMCA thinks 11.9 million Quest patients were affected as of May 31, 2019, Quest said.

But it only says lab results were not leaked with the extremely generic label of medical information as being leaked. I wonder if "medical information" includes lab codes or what exactly it consists of?

link
devereaux 2578 days ago
Medical information is likely to be ICD codes for the active diagnosis, and antecedents (history) for this patient.

This is worse than full text medical information because everything is already coded, so you can make some simple algorithms to find crunchy details with a very high specificity.

link
tejtm 2578 days ago
Billing amounts will correlate with tests administered, so even without lab results a ton could be inferred from a sequence of billing amounts even _without_ ICD codes. Including the codes removes ambiguity.
link
erentz 2578 days ago
Insurance won't cover tests without the "allowed" ICD codes for it. It's silly and just another part of the bureaucracy making things inefficient.
link
devereaux 2578 days ago
(see my comment suggesting disposable keys, like for crypto wallets: https://news.ycombinator.com/item?id=20088758 )

If the "allowed" ICD code is linked to the public key, or in the worst case if the patient provides the disposable private key to the insurance for verification (along with PCI like rules forbidding this key to be stored, like credit card expiration date if I remember correctly) this couldn't happen.

It is gross negligence to keep these things together for longer than they need to be. Private data should be seen as a liability.

link