
Ask HN: How bad is this survey's security? - stevedt
I am a participant in a longitudinal study.

Periodically I am asked to answer questions in an online survey that:

  - verifies my info (address, phone, email)
  - verifies my contacts (name, address, phone, email)
  - asks about recent doctor visits, prescriptions, hospitalizations, etc.

The login credentials are:

  - login=email
  - password=date of birth

But it gets worse: you can log in to a partially completed survey and information previously entered has been saved.

I know this is terrible from a vanilla compsec standpoint; but isn't this information covered by HIPAA? What can I tell this organization to get them to understand the severity of this?
======
PerfectElement
If they are a Covered Entity or a Business Associate then they should
definitely comply with HIPAA[1].

Even though I don't remember if the Security Rule specifically covers this
stupid scenario, I think they would be found in violation if audited. They
clearly have not performed a risk analysis, which by itself is a violation.

[1] https://privacyruleandresearch.nih.gov/pr_06.asp

