cross-posted from: https://links.hackliberty.org/post/1028406
The state of medical privacy has become quite appalling lately. I started using a young doctor in a new office and they are gung ho on modern tech. That’s fine to some extent but they want to send me invoices and all correspondence via e-mail. No PGP of course. I did an MX lookup on their vanity email address & it resolves to an MS Outlook server.
I asked them for my test results. They offered to email them.
My response: I do not want sensitive medical info coming by e-mail via Microsoft’s servers. I did not give you a copy of my email address for that reason. It needs to be snail-mailed to me.
Perhaps of greater concern is that the receptionist acted like I am making a unusual request, and that they do not mail things. Apparently I am the only patient who has a problem with sensitive medical info going to Microsoft. So the receptionist is investigating whether she can get approval to mail me my results by post.
I wonder if someone in that clinic will have to run out and buy stamps because I have a problem with Microsoft.
I work in healthcare. If you think that is appalling, you should see the other things people don’t care about.
But I do agree a lot of people don’t recognize the security vulnerabilities I go on.
Do what you Gotta do to keep your information private
Do what you Gotta do to keep your information private
Indeed but to be clear, there are two motivations for my insistance that the doc buy a stamp and use the post:
-
keeping my data out of MS hands to mitigate them exploiting me directly, by e.g. selling the medical data to insurance companies.
-
Forcing the doc’s office to go through some burden and expense for poorly choosing their email service provider (a controversial one).
-
The medical industry has very bad security practices in general from what I hear. You can basically expect that your medical history is accessible to lots of companies that should have nothing to do with it, not just Microsoft. Pretty much all of your health data is probably in the hands of at the very least Google and Amazon and the sad reality is that people don’t care about security and privacy until it’s too late. The number one server provider for anything healthcare related is AWS and the legal requirements they have to follow for data protection, HIPAA, are the sort of requirements that only a politician would think are actually beneficial to keeping data secure.
EDIT: to be clear, I hate it, and I think you made the right choice, but sadly expecting privacy of our medical information is gonna keep being a battle, until the medical industry starts taking it more seriously
Indeed. We need more activism. More patients refusing to disclose their email addresses and insisting on paper correspondence. This pressures clinics and hospitals looking to save money to ask why email is rejected, and from there have some incentive to fix it. That incentive won’t exist if everyone is a pushover. IMO we ideally need ~15% or so people to practice this way of activism. But note as well just one activist can make a dent… an office having to do things differently from their normal workflow for just one person does not go unnoticed.
BTW, refusal to disclose an email address to gmail and outlook users is my general mode of operation – not just with medicine. Public services and utility companies are also forced to reach me via snail mail (because either their website blocks Tor, or their email is MS/Google).
definitely agree with you.
also PGP is so easy to use that honestly I really cannot grasp why it’s not more used for critical communication like this. if the emails were encrypted this would be much less of a problem