Wednesday, May 3, 2023

Privacy and the Sneaky Ways Companies Try to Compromise You


I recently had an appointment with a local medical specialty group as a patient.  Part of the patient intake process was, of course, gathering my demographic information.  This is why medical records are so valuable.  We have so much personal info in our medical records, that identity theft is easy for criminals that have access to that data.  Things like name, address, SSN, date of birth... all of that info is in there.

Now, just to set things straight here... I have NO problem with providing that info as long as I can be assured that all reasonable precautions are being made to safeguard that data.

The "sneaky" part in the title of this post has little to do with the office I visited... it's what happened when I got home.  Shortly after my appointment, I received an email (the office had collected this as part of my intake process).  The email subject said "XXXXX office invites. you to join FollowMyHealth".  The first line of the email said 

"Congratulations on joining the new generation of patients who are taking a proactive role in managing their health care with FollowMyHealth."

This was followed by instructions on how to setup an account and login.  There were several steps to do this and one of those steps was:

Accept the agreement to share your email/username. This is solely for the purpose of authenticating your online health record account. Your email will never be shared or sold."

Enter your Invitation Code. This is the last four digits of your social security number or year of birth, if the office does not have your SSN. Click “Agree” to the release of information. 

At this point all of my alarm bells began to go off.  How many times have we been told that our data will NOT be sold, only to find out later, our data was sold.  This was especially alarming since this was my medical records.  The most alarming part (

The company email lists a ton of benefits and emphasizes the convenience I'll gain by  signing up and agreeing to their TOS... but I wasn't buying into it.  Instead I did a little research and one of the first things I found was a link to an article on that basically confirmed my fears of what was doing with my data.

I highly recommend you read the linked article.  Basically this company sent me an email soliciting me to participate.  However, they disguised that in a way that made me think it was an email from my doctors' office and my doctors were encouraging me to join.  It was worded in a way that made it seem like it was almost a requirement.  That's not only sneaky, that's unethical... and it could potentially be illegal as well.  

Needless to say, I won't be signing up or agreeing to their Terms of Service.  This is a typical high tech bait and switch operation where they want you, the unsuspecting patient and/or consumer, to agree to everything because it appears to come fr. Mom your doctor's office.  They also try to hide their true purpose behind the disguise of convenience.  They even go so far as to say:

"you will then be ready to access and manage your personal health record in a secure online environment 24 hours a day / 7 days a week, from any computer, smartphone or tablet!"

What they fail to mention is the fact that they will take that data and use it to market to you.  I don't like that.  My grandfather once told me, "if you are acting like you've got something to hide, chances are that you've got something to hide."  My grandfather was a pretty smart guy...

Once they've got your data, they've got your data.  Good luck on getting it back or getting it removed.

1 comment:

  1. A few months ago I found one of these companies. They got full access to all current and historical x-rays at one particular client. It was done under the guise of "we use AI to help our doctors diagnose dental caries".

    Of course it was like any other IT project with this client: "Hey, you're going to get a call from XYZ Company. Let them in to all our servers so they can install their software." Queue up someone from a foreign country who barely speaks English and doesn't have the smallest grasp on IT connecting in to all the servers, installing the software, and restarting things in the middle of a production day.

    Fast forward 4 months and a new group is running the show. I casually ask "Do we have any payment records or contracts with "XYZ Company"? "No".

    Let me get this straight. We aren't paying a cent to XYZ Company, we have no contract with XYZ Company, and there's no HIPAA BAA signed with XYZ Company...and according to my records, they've transferred approximately 4.8 *terrabytes* of patient images along with entire copies of our patient database to servers that are outside of the United States? Oh, and every doctor on staff says they hate the software, and don't need AI to diagnose their patients.

    Needless to say, the new administration wasn't happy, I got to uninstall the garbage software, and now all sorts of lawsuits are flying around.

    But like you said, you can't put the genie back in the bottle. That patient data is out there.

    Hopefully those 3rd-world servers have better protections than the client. All our security was useless against the power of a CEO saying "I don't care, this is going to make us a lot of money".