Insurance providers, hospitals, and other healthcare facilities are in possession of more information about you than your spouse likely knows.
Your ID, your address, your medical records, all of them accessible at the tap of a keyboard. In theory, and indeed, by law, these entities are required to keep all of this under lock and key. Your privacy is more than necessary, it’s the standard of living in this crime-ridden digital age.
But this process fails when those standards do.
Healthcare titan Blue Shield of California (BSC) has released a statement that brings a horrible fact to light. The way they lost your sensitive data wasn’t some accidental breach. They did not forget your information in the printer tray, and it wasn’t even a whoopsie email to the wrong person.
They actively shared the health data of nearly 5 million patients with a Google advertisement program. And they did it for years.
HOW??
BSC has confessed to being linked up with Google Analytics in an attempt to observe how users surfed its website: what pages they went to, maybe a little tracking of browser history, what devices you use when scheduling that doctor’s visit, etc.
To be fair, this is something almost every website is guilty of. All businesses do make some effort to know more about their customer base. That part isn’t the issue.
Where it went wrong was that BSC was attempting to use Google’s custom ad function. Make the website ads hit people where they live. Show you what they already know you want to see.
They know this based upon various factors, but typically those factors are public, or at least not legally restricted. But when BSC went to set up this process, they *accidentally* were sharing PHI, Protected Health Information, with Google.
This PHI would be things that you have written on an insurance form: your full name, ZIP code, age, gender, online account numbers, what insurance you have, your group number, family information, doctor’s name, maybe some medical claim information. Basically, pretty much a gold mine for anybody looking to find private information they could use for identity theft. Sign “you” up for 15 credit cards, a bank loan, a car loan, a payday loan. Or just the good old-fashioned approach: using your health insurance policy for their medical needs and leaving you holding the bag.
“Google may have used this data to conduct focused ad campaigns back to those individual members. We want to reassure our members that no bad actor was involved, and, to our knowledge, Google has not used the information for any purpose other than these ads or shared the protected information with anyone,” the company commented on its website.
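As an added illustration (not part of the original article, and not BSC’s or Google’s code), here is one way a site operator could audit the requests its pages send to third parties for the kinds of fields listed above, including fields hidden inside a forwarded page URL. The host names, parameter names, and sample URLs are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

FIRST_PARTY = {"portal.insurer.example"}  # the site's own host (constructed)
# Hypothetical parameter names for the fields the article lists.
PHI_KEYS = {"name", "zip", "age", "gender", "account", "member_id",
            "group_number", "plan", "doctor", "claim"}
ZIP_RE = re.compile(r"\d{5}(-\d{4})?")


def phi_params(query, depth=0):
    """Yield (parameter, reason) for PHI-like items in a query string."""
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key.lower() in PHI_KEYS:
            yield key, "PHI-like parameter name"
        elif ZIP_RE.fullmatch(value):
            yield key, "value shaped like a ZIP code"
        # A tracker may forward the full page URL as one parameter; that
        # URL's own query string can carry form fields, so look inside it.
        nested = urlsplit(value)
        if depth < 2 and nested.scheme in ("http", "https") and nested.query:
            for inner, reason in phi_params(nested.query, depth + 1):
                yield f"{key} -> {inner}", reason


def audit(urls):
    """Return (host, parameter, reason) for requests leaving the site."""
    findings = []
    for url in urls:
        parts = urlsplit(url)
        if parts.hostname in FIRST_PARTY:
            continue
        for param, reason in phi_params(parts.query):
            findings.append((parts.hostname, param, reason))
    return findings


# Constructed request URLs, as a browser's network panel might export them.
SAMPLE = [
    "https://portal.insurer.example/claims?member_id=A1234567",
    "https://collect.analytics.example/e?ev=page_view&zip=94105&gender=f",
    "https://collect.analytics.example/e?ev=click&page="
    "https%3A%2F%2Fportal.insurer.example%2Ffind%3Fdoctor%3DSmith%26plan%3Dppo",
    "https://cdn.fonts.example/css?family=Inter",
]

if __name__ == "__main__":
    for host, param, reason in audit(SAMPLE):
        print(f"{host}: {param} ({reason})")
```

The first-party request is ignored even though it carries a member ID; only data leaving for another host is reported.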
Not The First Time
The surprising thing, or you could say, the shockingly obvious thing, is that this is not anything new. In only the last couple of years, the Department of Health and Human Services (DHHS) has opened investigations into nearly 1,000 companies for having data leaks.
These investigations, conducted by the Office for Civil Rights, operate under the HITECH Act, or the Health Information Technology for Economic and Clinical Health Act, which requires breaches to be looked into for impropriety. It also states that private citizens who were affected, or reasonably may have been affected, must be notified. Notifications, however, typically arrive a lot more slowly than the data spreads.
This type of breach is becoming all too common in the current technological market. Other companies, like GoodRx, BetterHelp, and Kaiser Permanente, have all been hit with backlash for doing this exact same thing. Sharing PHI with advertisers doesn’t seem to carry a harsh enough punishment. The regulatory and legal ramifications aren’t stopping any of these companies.
While some breaches have been met with lawsuits, the settlements have typically been a few million at most. That’s despite the potential billions in losses and the potential tens of millions the healthcare industry stands to gain. It’s clear to see who loses in this scenario, and it isn’t Blue Cross or Google.
Best Way To Prevent Disaster
Firstly, the main problem is one of identification. Where are you most vulnerable? Who can you trust? Why do we even bother getting out of bed in the morning? Scratch that last one, that’s probably just a me thing.
- Keep the Extras to a Minimum.
When looking around online, or filling out paper forms, try not to go overboard on the details. Only give what’s necessary for them to move forward.
- Keep Privacy as Your First Priority
Double-check that your web browser has a privacy mode, and if it does, that you are using it when giving out info. You want to check the settings to ensure that blocking of third-party tracking is active.
- Deactivate Personal Ads
Visit your own Google settings page, and turn off Ad Personalization. This will stop ads from using your personal data to customize themselves. It won’t stop all tracking, advertising, or even the sites you visit trying to read whatever metadata they can from you. But it’s one door you can close, and that’s a start.
- Turn off Cookies and Website Tracking
Also, when you visit websites, and they ask about allowing cookies, always always ALWAYS hit deny all. The website doesn’t need your permission to work. It will run no matter what you say, but what it wants is your say-so to track you. To read your internet actions, and to throw a beacon on your browser. That beacon tells other websites where you’ve been, and how to present their ads to you. You don’t have to fall for it.
- Certainly Watch Your Accounts
Any strange charges on your bank account? Any weird insurance forms at all? However minor they may seem, they should be your warning that your information is being used by someone other than yourself. Better to know sooner than later.
- Demand Info
Lastly, the best thing you can do is to speak up. Significantly more information is out there than we can even imagine. Call your insurance company and ask the question. What tracking tools, advertisement programs, or third-party companies do they use? Does your doctor’s office bill you themselves, or use a third-party biller? How about the hospital? We’ve all seen commercials on TV for them. Do they use a marketing team that gathers information about patients during the process to put together ads?
Above all, nothing will change without those making mistakes being put on notice. Push for the truth, and maybe we’ll find it. The companies making money off of your data are surely going to be coming back to the light. As soon as pigs fly.