[Dataloss] Is it just about credit? (question 1 / health care)

Adam Shostack adam at homeport.org
Mon Apr 30 15:15:00 UTC 2007


On Sun, Apr 29, 2007 at 06:51:24PM -0400, Rodney Wise wrote:
| I guess the basic question is:
|  
| As people who are aware of data breaches how can we alert others that it is NOT
| just about credit.

We used to use words like 'privacy' or 'data protection.'  To
Jericho's point, I'd argue that the problem is central medical
databases, and upgrading the trusted third parties to control what
goes in them is just poor thinking.

Adam


|  
| On 4/29/07, security curmudgeon <jericho at attrition.org> wrote:
| 
| 
|     : Question 1
|     : Is it just about your credit?
|     :
|     : If someone gets your SSN or SIN (Canada) they can do a lot more than get
|     : cash. If they get medical treatment for ... I don't know ... a heart
|     : problem or even... HIV do you think you will ever get insurance again?
| 
|     Hopefully someone in the health care industry can speak up on this but a
|     few points.
| 
|     Many (most? all?) hospitals require photo ID for everything now. While we
|     know that a bad guy can do a full identity theft, including getting a new
|     license or birth certificate, it does require a dedicated person. They ask
|     for the photo ID with insurance card, which you'd also have to get issued.
|     Some hospitals actually train their staff (a full class) on handling photo
|     ID, recognizing aspects that would be suspicious (birth date, etc) and how
|     to respond. This has led to some cases where the person using a stolen
|     identity received medical treatment, walked out of the hospital all better,
|     only to be arrested immediately as the hospital staff watched (they knew
|     what was going on but wouldn't deny treatment of course).
| 
|     Some hospitals use computer systems that have routines specifically
|     designed to flag possible identity theft. Various incidents (most related
|     to billing I assume) will flag a record with a potential identity theft
|     marker which is visible to any hospital employee who loads the record.
|     Employees are trained to act normal and provide treatment but call a
|     special security number (internal to the hospital) and trained security
|     staff respond.
| 
|     This leads one to wonder if the DMV when re-issuing a license might notice
|     discrepancies. Eye color goes from blue to brown, hair color, height,
|     weight .. how many changes before someone says "wait"?
| 
|     _______________________________________________
|     Dataloss Mailing List (dataloss at attrition.org)
|     http://attrition.org/dataloss
|     Tracking more than 207 million compromised records in 634 incidents over 7
|     years.
| 
| 
| 
| 
| --
| Rodney Wise
| http://pplriwse.blogspot.com
