2.7M medical calls breached in Sweden (mobile.twitter.com)
185 points by skekaeeeww 29 days ago | 109 comments

On my machine Google translate seems to "boot-loop" that site because of the cookie settings so I'll just do this:

Files were stored on a server using HTTPS but requiring no credentials. Part of the calls were saved as .mp3s with the customer's phone number as file name. CEO when confronted wouldn't believe it and hung up when the reporter asked if he could play one of the tapes.

The article states that the server was a NAS (nas.applion.se).

All files have been available since 2013.

When calling 1177, there's no need to identify yourself with your personal identity number. You can if you want to if your medical history is of significance to your call.

Source: Am swede and this article... https://computersweden.idg.se/2.2683/1.714787/inspelade-samt...

And I want you guys to hear it from me before you hear it on the streets... I once called 1177 wanting to order a new pair of knees because one of mine hurt. The nurse who answered had a good laugh.

The breach is still ongoing, according to statements on the dark web, 30 minutes ago (21:10 CET).

"Tror ni inkompetensen är över? Nej. Man har inte dragit ut sladden. Kör wireshark och skicka skräppacket så ser ni att det enda som filtreras är syn-ack från servern.Slumpade seq-nr i respons bara någon timme och upprättade till slut en anslutning. Vad tror ni jag ser? Färska samtal från bara några sekunder sen i mappen /2019/."

Translates to: Do you think incompetence is over? No. They have not pulled out the cable. Run wireshark and send junk packets and you will see that the only thing that is filtered is syn-ack from the server. Sent random seq-no in response for an hour and finally made a connection. What do you think I see? Fresh calls from just a few seconds ago in the folder /2019/.

How can you make a connection by guessing seq nr? What is the firewall rule that allows such an attack?

My guess is that there were still some hosts allowed through the block (e.g. whatever is writing to that NAS), and that they were accessing the NAS with frequent new connections. The firewall only tracked transport layer state so the bad guy was able to hijack an existing session by sneaking in a correctly-numbered TCP segment inside an IP packet with his own IP address as the source.

Regardless if it is true, I unfortunately think Computer Sweden have been a bit naive here. They shouldn't publish this specific information ~3 hours after the server was "locked down" (as they state in the article). This isn't a company like e.g. Google where correcting a mistake leaves them at "good security".

The "funny" thing is, it wasn't using HTTPS, it was on the 443 port. But the data was sent unencrypted.

Still, sending the data unencrypted wasn't so much the issue here as the server was open to anyone.

Yes, although the transmission being in plaintext makes it even more vulnerable, because if you get to listen to the network where the call center nurses operate, no one needs to crack anything to find out the location of data, its structure and anything else you need to exploit it.

So your reasoning goes that if I leave the front door to my home open, it would still be more secure if it had steel bars on the windows?

No, it's more like that if I leave the front door open, it would still be more secure if the driveway was lighted up so that any inappropriate visitors would be visible.

[Analogies may be terrible, but lack of encryption is an additional factor making attacks even easier, particularly for the purpose of discovering the attack vectors.]

I'll give you the benefit of the doubt that you are arguing the general case, but I'm talking about this case specifically. If all you need to do to access the data is to just browse to a specific address, it matters not whether you need to put http or https in front of that address. No need to set up any eavesdropping devices en route. Just point your browser to the address and download the data. Transport security will not protect your data if you have no access control.

I think his point is that if you are in a Starbucks and you figure out what's on the server, all the other people with hoodies in the Starbucks now know as well.

These calls were answered by Swedish-speaking people in Thailand.

Their business idea was to handle calls that were placed in inconvenient hours, relative to Swedish business hours.

My best guess is that the Thai ISP this office used filtered all outgoing connections except port 80 and 443.

And then someone decided that the way to implement this securely while still allowing this office to access the data was to put a plain HTTP server on port 443. "Who is ever going to crack that?"

I would guess the server is run by the voip provider in Stockholm, which literally seems to be 1-3 contractors. Reading between the lines of the few articles published about the call center it seems like their business idea is to hire old nurses and not pay them very much.


Not HTTPS. Plain unencrypted HTTP on port 443.

No authentication for clients either.
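The two failures described in the comments above (plain HTTP answering on port 443, and no client authentication) can be checked on an endpoint you operate. The following is an added example, not part of the thread or of any vendor's tooling; the function names, finding labels and the loopback demo servers are constructed for illustration.

```python
import http.client
import socket
import ssl
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def _probe_context():
    # The probe asks "is TLS spoken at all?"; certificate validity is a separate check.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def speaks_tls(host, port, timeout=3.0):
    """Return True only if a real TLS handshake completes on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with _probe_context().wrap_socket(raw, server_hostname=host):
                return True
    except OSError:  # covers ssl.SSLError, timeouts and refused connections
        return False


def unauthenticated_status(host, port, path, use_tls, timeout=3.0):
    """GET path with no credentials and return the HTTP status code."""
    if use_tls:
        conn = http.client.HTTPSConnection(host, port, timeout=timeout,
                                           context=_probe_context())
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        return conn.getresponse().status
    finally:
        conn.close()


def audit_endpoint(host, port, path="/", timeout=3.0):
    """Return a list of findings for an endpoint you operate."""
    findings = []
    tls = speaks_tls(host, port, timeout)
    if not tls:
        findings.append("no-tls")  # the port number alone proves nothing
    try:
        status = unauthenticated_status(host, port, path, tls, timeout)
    except (OSError, http.client.HTTPException):
        return findings + ["unreachable"]
    if 200 <= status < 300:
        findings.append("unauthenticated-read")  # content served without credentials
    return findings


class _DemoHandler(BaseHTTPRequestHandler):
    """Constructed loopback server standing in for a file server under audit."""
    require_auth = False

    def do_GET(self):
        if self.require_auth and "Authorization" not in self.headers:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="demo"')
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        body = b"constructed sample body\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_demo_server(require_auth):
    """Start a plain-HTTP demo server on an ephemeral loopback port."""
    handler = type("Handler", (_DemoHandler,), {"require_auth": require_auth})
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    for need_auth in (False, True):
        srv = start_demo_server(need_auth)
        port = srv.server_address[1]
        print("require_auth=%s ->" % need_auth,
              audit_endpoint("127.0.0.1", port, timeout=1.0))
        srv.shutdown()
```

A clean result is an empty list; a listener that only adds TLS still reports `unauthenticated-read`, which matches the point made in the thread that transport security does not substitute for access control.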

Why would you need a pair if only one hurts?

I suppose it works like the tyres on a car. When you change out the front left you also change the front right.

It's planned obsolescence. Soon the other one will fail too.

There are quite a few hosts responding on port 80 in the subnet, including versions of httpd and php over a decade old. I wouldn't be surprised if there are more things unsecured. Yikes.

Not a good idea to show the ip addr in the screenshot.

Let's talk legal ramifications.

The cause of technical breaches falls onto a sliding scale in my mind. That scale goes from pure technical negligence to overbearing technical complexity.

This breach seems like pure negligence. In a surgery this wouldn't be "complications", it would be malpractice. Does GDPR protect those breached here? What recourse do these people have?

We really need to change the narrative around data. It should be a liability. Unlike other disruptions software drives, this will need to be driven by governments.


Breach against patientdatalagen and GDPR

Shall be encrypted so that the patient's identity is protected.

"Uppgifter om en patients identitet som har dokumenterats inom hälso- och sjukvården och som landstingen ska sambearbeta med sådana uppgifter som avses i första stycket, ska vara krypterade så att patientens identitet skyddas vid behandlingen. Lag (2013:1024)." "Information about a patient's identity that has been documented in the health and medical care and which the county councils are to co-operate with the information referred to in the first paragraph, shall be encrypted so that the patient's identity is protected during the treatment. Swedish law (2013: 1024)"

Transfer of personal data outside EU Tredjelandsöverföring. "Transfers of personal data to third countries or international organisations" Thailand is not on the list of authorized countries. https://gdpr-info.eu/chapter-5/

The GDPR section about sensitive data records * medical records.

The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.

Further persons working at tillsynsmyndigheter may have done "Tjänstefel", that is, a fault committed by a public sector official servant that is not minor. 20 kap. Om tjänstefel m. m. "Section 1 Anyone who intentionally or negligently neglects the exercise of authority by action or omission shall be sentenced for misconduct for fines or imprisonment for a maximum of two years. If the act, having regard to the perpetrator's powers or the task's relation to the exercise of authority in other respects or to other circumstances, is to be regarded as poor, shall not be held liable."

Failure to run a network security scanner, failure to encrypt sensitive data records, failure to use passwords, failure to limit access to sensitive records

Either me, my girlfriend or both of us are in those phone calls.

I feel absolutely betrayed by the state. I always knew that Sweden's obsession with medical data collection would back-fire but audio recordings? That's just too much.

I hope everyone involved gets sued into oblivion!

Stockholms landsting. The landsting are absolutely disgusting when it comes to handing out important tasks to private companies.

I have _REALLY_ serious info in there, and so do members of my family, that can not get out. But it's effing public, and the CEO of the company responsible is handling it like an asshole and Stockholms Landsting will just add it to the pile of fuckups.

It would literally take less than a minute for a red team with IP addresses to find this out, if they ever so much as cared to consider IT-security. Why doesn't the local government force subject the companies they hand contracts to to that?

This is a far more general problem of states in general. They always see themselves above the rules they apply to others and this is particularly problematic in the medical realm, but also affects criminal justice for example.

Governments just don't follow their own rules. This means that medical files just aren't trustworthy anymore, in the sense that the patient has no control over who sees these and how far they are sent.

I could say "this is a problem in the Netherlands, Belgium, UK and US" where I know the situation is that essentially any doctor or medical staff anywhere can see everything in your file, related or not (e.g. in Belgium a pharmacist getting a woman's birth control prescription can see if they were ever treated in psychiatric care. Hell, the way the system looks, it'd literally be hard for the pharmacist not to notice). These files can even be used against you in a court of law, for example by child services.

Not that all these countries aren't very busy introducing new ways to have the state do whatever they want to do without judicial intervention (Belgium "GAS boetes" and "snelrecht", Netherlands "ZSM"), and just not care how much damage is caused to save a few bucks.

So what are you to do as a patient? You cannot have this file destroyed, because these people have exceptions to every known privacy law. You can usually in theory have it corrected, but the system these governments put in place is fragmented into hundreds of pieces and nobody knows how it works, so good luck. Additionally actually getting them to cooperate even using an order from a judge is near impossible, and the systems may literally not support corrections in some cases.

At this point the only advice you can give is to please ask every doctor you ask to not make any notes or files on you at all, and just deal with that. "I travel a lot and this just causes trouble" is a useful phrase in that regard.

> At this point the only advice you can give is to please ask every doctor you ask to not make any notes or files on you at all, and just deal with that.

Not an option if you have an illness. Also, that excuse wouldn't work in Scandinavia. But journals are kept in-house and I trust that way more than the affected service. If the journaling system breaks so does our banking and national ID-services.

Also, this is a phone in service for what you are supposed to do, the step below going to the ER. Not much you can do because you call them because you need their help. It's not an option not to. It unloads some calls and redirects the others to 911/the ER.

I don’t see this as a problem of ”not following rules” and for “government” as a concept to eat the blame.

This stuff, along with many other things have been outsourced in Sweden to private contractors.

In the end, government is made up of people, and these guys outsourcing and selling off everything are just the ones that would blame the government.

It’s fascinating, and a self-fulfilling prophecy!

“Look the government can’t do s*it, they should not be doing things at all. Let’s outsource some more.”

The next contractor hits the wall.

“Look, government can’t handle it. Let’s outsource”.

That is at least how I’ve seen it play out here in Stockholm.

I’m hoping we can take the schools back at least... because outsourcing teaching has been a disaster imo.

Outsourced is another word for "hiring external people to do this stuff in my service"

The government is still the employer, the person doing the changes and responsible.

And yes, the solution is mostly NOT DOING THIS AT ALL. Or at least, doing significantly less.

> At this point the only advice you can give is to please ask every doctor you ask to not make any notes or files on you at all, and just deal with that. "I travel a lot and this just causes trouble" is a useful phrase in that regard.

Does this work? From what I hear, beyond the obvious benefits of enabling continued care, notes have an extra important purpose: it helps doctors to protect themselves against bullshit lawsuits.

A medical student in my family told me a story once, about a doctor who told a patient to get some tests. The patient ignored the advice, and found themselves dead a couple of years later, from illness that would be detected early on those tests. The patient's husband came to doctor's office, seeking to sue her for negligence, and what saved her was that she had notes from those years ago, that clearly stated she did in fact order the patient to get the relevant tests done.

Plug: this is what we're trying to solve (amongst other things) at Patients Know Best. Giving the control back to the patient (you should always have full access to all data about yourself, and be able to control sharing of these records). We're mostly present in the UK at the moment.

The question is who stores the data. If you manage to let the patients keep it locally or in physical media it's insane. If you are keeping it for them it's the same worries as any other service.

This was not journals though, but calls to nurses.

We store data for you in a way that's considerably more secure and paranoid than how other providers work -- quite similarly to CryptDB. We can access your data when serving it to you, but your medical data is never stored on disk with a key that we store (it's derived from your password, and we throw it away after serving you through HTTP).

More would be solved with simply the ability to, on a simple request and without justification, delete all data associated with yourself. Including all shared copies.

You don't outsource, or 'privatize', because you want responsibility. In the pitch for the company in question they are stating how Stockholm has the lowest cost of all counties for this service [0]. Apparently that means outsourcing to a call center in Thailand [1]. Which in turn use some random provider [2].

It isn't really something hidden. In fact I would say that the whole idea is well supported by a significant part of voters who do not want government to do things, nor have restrictions on companies. If we limit the scope to just politics, Stockholm County had probably the most prominent scandal in the last couple of decades with Nya Karolinska, yet essentially lost no voters in the last election.

It is easy to blame politicians, the government or even companies. But at the end of the day there aren't enough people requesting quality or responsibility.

[0] https://www.medhelp.se/outsourcad-1177-tjänst-är-effektivast
[1] http://www.medicall.nu/hem-1.aspx
[2] https://www.voiceintegrate.com/se https://www.applion.se/

But blaming politicians, the government and companies is the way to request responsibility, isn't it? Without the political pressure you can request whatever you like, but to little effect. And as outsourcing work like this is totally illegal under GDPR, it's definitely up to the government to enforce its laws on its own contractors, and it's up to companies to suffer the consequences of not treating people's privacy seriously. The blame here is 100% real.

I touched upon this in my other comment. I don't think it is wrong to criticize, but there can't be meaningful change unless you actually allow yourself to address the problem. It is a bit hard to explain if you haven't experienced Swedish politics lately. I'll just give you some examples:

1. The same county awarded contracts for building a hospital where the cost ended up quadrupling to $6 billion more than initially expected. (They got reelected). https://www.thelocal.se/20180207/finance-minister-calls-for-...

2. There was a well publicized scandal a little more than a year ago where aggressive outsourcing ended up potentially exposing classified data. (Some politicians did have to quit, but only for handling situation poorly after the fact). https://www.thelocal.se/20170721/it-workers-in-other-countri...

3. "Sweden has had a quicker liberalisation than any other advanced economy in the world, in terms of privatisation and deregulation" https://www.thelocal.se/20120324/39864

4. Yet, "They were shocked to find that there is very little evaluation of the effects of the privatisation on Swedish society" https://www.thelocal.se/20110907/36006

5. And maybe the most glaring example of dysfunction, the housing market. https://www.telegraph.co.uk/personal-banking/mortgages/swede... https://www.thelocal.se/20170518/housing-crisis-forces-recor... https://www.thelocal.se/20170828/the-story-of-swedens-housin...

There just isn't much of an expectation of control, or that issues will be dealt with, these days in Sweden. It is unlikely that there would be any meaningful change in this situation either. Any effective change will be off the table and they will continue to outsource without much oversight because that is the agenda. Which is largely what has happened in other areas.

Hey, don’t forget some goodies:

1.1. The hospital is built and operated according to guidelines and specifications set by a consulting firm that had no previous experience building hospitals.

It’s been a cluster fcuk with things missing or completely out of place.

1.2: Appointed Head of operation was a previous employee of the aforementioned consulting firm. More than 80% of the billing from said firm lacked specification but was of course approved by... drumroll ...head of operation!

There are other interesting bits as well, but these stood out to me at the time.

It’s all frankly a brilliant piece of right wing “entrepreneurship”.

I just wanted to add, if I came across as criticizing, that I do agree with you. I do think the county is at fault. I do think people should expect more. I am just not seeing people doing that.

Sweden was never perfect, but some of its reputation as a functional country is not unfounded. Today we have many systems we know aren't working, yet little is being done. I have even heard Swedish political analysts being dumbfounded that some political issues where there are obvious flaws, and should be something that matters to people, don't show in the polls. I guess it might have to do with the political landscape, where there are a large number of people that very likely are dissatisfied. It just doesn't, because of the polarized situation, result in change. Instead it results in whatever is less objectionable, which is mostly whatever made the situation bad in the first place.

Anyway. I hope this incident gets some more attention in Swedish media.

Apparently Computer Sweden, the newspaper reporting on this is getting sued by Medhelp now.

Maybe the phone company responsible needs to have its licence revoked without compensation.

Phone company?

It's the company employing nurses receiving the calls.

I guess "phone company" is used here loosely, to describe the provider of VoIP call center and recording service provider employed by the service (which is owned by the municipal/county co-operation organisation SKL, Sveriges Kommuner och Landsting).

Ah that's the reason you exert the maximum pain at a high enough level - then the phone companies will take security properly and enforce it on third parties.

There is nothing a phone company could have done here. They are not liable at all.

If I record a phone call between you and me, then put said recording on pastebin or what not, can you honestly blame your phone company or mine?

Yep. My calls with personal identification number are absolutely in there, with list of 10+ medications, and medical history including genetic disorders and other things.

Imagine becoming a public person in the future with random Russian mobs blackmailing me based on me and my family's medical history.

> My calls with personal identification number are absolutely in there

Is this an assumption, or were you able to find a list of leaked calls somewhere?

If so, please provide details on how can verify if my details are in there as well.

Slightly pissed off Swede who called 1177 just last week here. Still I'm glad this happened after GDPR, this means everyone whose personal details were compromised should have plenty of legal options right now.

Check what time of day your call happened. Daytime? Then it's probably not stored.

GDPR doesn't give you any legal option aside from asking your data protection authority.

Check out Art. 82, right to compensation. I would also be disappointed if this did not turn into a class action.


Maybe you were raped but don't want everyone to know, but you spoke to your doctor about psych referral for rape victims? Or you had a mental health crisis? Or you had/have sexually transmitted diseases/infections? Maybe you've been suicidal, and work will fire you if they find out? Perhaps you have cancer, a degenerative disease, but you don't want your family/employer/SO to know?

Seems like lots of possible blackmail opportunities.

But even something like having an ulcer could be used against you. I recall one national ruler using another's fear of dogs to humiliate them as part of a negotiation. Give someone food to inflame their ulcer prior to a business negotiation, use their discomfort to wrong-foot them ...

I keep seeing your account closely correlated with low quality and/or un-informed comments, could you please try to do a little better? Thanks!


Latest news: The company with the security breach reports the reporter and news organization to the police for unauthorized entry into their computer system:


Seeing posts like this reminds me of a nice quotation I saw somewhere, which is like "all data will eventually be either public or gone forever". Unfortunately my search skills are insufficient to find the exact wording or author.

I'm okay with that: when I'm dead, do with my data what you will (of course, so long as anyone implicated like chat partners in chat data, are also dead). But I guess the quote refers to shorter timespans than that.

Except with medical history, your data can impact your children and grandchildren (both positively and negatively, but also hopefully privately regardless).

Their router admin page and ssh are also open to the internet.

So, who thought it was a good idea to record these in the first place and then to store them on an internet facing server? It doesn't surprise me one bit though.

Recording the calls could even be a requirement. You call in to get medical advice, then later decide the advice was wrong and sue them for malpractice. Recordings of the calls could be crucial to deciding the case later on.

That's Sweden, not the USA.

Such requirements do exist in Sweden, too.

hacking things together in an agile environment :') just deploy to production. no worries! be happy!

With the level of IT competence displayed here, I doubt they've even heard of Agile.

Why would you even record these calls indefinitely, without a deletion schedule?

Were they recording all calls, not just a subset to be audited for customer service?

Why not have an auditor listen to the call live and destroy the recording if everything is done by the book and evidence need not be retained?

Medical advice over the phone?

What happens when someone dies, or gets worse? One of the first things you'll want to know is what advice was offered. I would imagine they had to record all, and keep for some preset period.

Oh yeah, I don't think it's weird that it's recorded, but having it delete after X days is so simple I'm shocked it wasn't implemented in a Nordic country w/ strong privacy laws.

On the upside, at least it's probably harder to sift through that data to find embarrassing and/or sensitive information than if it was textual.

(This is one reason that if I'm having a personal issue, I prefer to do a voice call with a friend rather than use IMs like many in my generation are so fond of)

The site hosting this seems to be dead, probably from the load but hopefully from action taken by the company now that it's public knowledge. Does anyone have a list of the affected phone numbers? I would like to check if mine is in there

The government can't fine itself I guess, so it would have to be the EU that fines Sweden? Or some kind of class action from Swedes?

Government is not the justice system. It is one of the bases of democracy: separation of powers. You can absolutely take your government to court (at least in a democratic country).

Class action doesn't exist in all countries though. Each person that wants to sue the government might have to do it in his own name.

Why not fine the company, Medicall, responsible for taking the calls? Or Voice Integrate Nordic, who supplied the callcenter-system, depending on who is at fault.

A class action is not likely. Most Swedes will probably see this as a minor setback and just move on.

My whole family (not affected, btw) is livid. I didn't even bring it to their attention.

I am going to say the exact opposite: this will be one of the most widely publicised health care scandals since forever.

I agree, it will definitely be the largest health care scandal in Sweden's history, but it will most likely not end up with a class action lawsuit.

I'm not clear on why medical records are so sensitive. I can understand some people might want to hide HIV status - but is there anything else? In the US people have wanted to hide prior conditions from insurance companies, but I wouldn't expect this a problem in Sweden.

You must live in a community of very private people, if you haven't knowingly encountered anyone struggling with fear of stigma wrt addictions, common STDs, mental illness, neurodevelopmental disorders, infertility, harmful paraphilias, terminal illness, domestic violence etc.

It's a deep-seated tendency in mammals to hide sickness, and therefore the confidentiality in healthcare settings is essential to get people to seek care in time.

STDs in general are sensitive since people may want to hide them or hide the implications. Abortions are sensitive as well depending on the social group.

If you're underage you may especially want to hide those two from your parents depending on the social group. If you're a woman you may also want those two hidden from your family depending on the social group. Sweden has a large refugee population from very conservative cultures and things like acid attacks against women are decently common. So not keeping those things hidden can get you killed or horribly injured if you're in certain social groups.

> and things like acid attacks against women are decently common.

Wait, what? Where's your source on this.

Via google I can find references to one case from 1997 and one from 2002, and that's it. The idea that this would in any way be "decently common" here is preposterous.

Acid attacks are not common, but a lot of young immigrant women live under quite repressive family conditions, and can not see a doctor for their sexual health with their family knowing about it.

There are other, more recent cases of acid or threat of it, eg [1], though I'd say acid attacks are not particularly common in Sweden. Many more cases in UK, for instance. There are more actual cases of defenestration ("falling from the balcony") in Sweden.

In any case the leak of health information is nothing to laugh at e.g. for those who live under threat of "honor violence".

[1] https://www.na.se/artikel/hallefors/man-i-hallefors-anhallen...


London Metropolitan Police showed a sharp rise in attacks, with 465 recorded in 2017

Particularly common in London, and amongst some immigrant communities. Other countries are not so far behind, and I gather it is quite common in some of the developing world, like India and Pakistan.

In the UK it seems it has mostly been a weapon among criminals more than an honor thing that is more common in the developing world.

This probably is due to incentives - carrying a knife may bring a long prison sentence, carrying a bottle of acid or lye as weapon did not. UK changed sentencing guidelines last year.


Now, sure, especially in London. It's grown as a weapon of choice phenomenally quickly over the last 5 years, from almost nothing.

Seems like it may have been noticed being used for honour attacks in communities in London, Bradford, Leicester etc, and escalated from there. A particularly horrible form of attack.

Personally, my medical status is something that multiple people in the mainstream media have said they support harming me over, and people do get assaulted for. If my medical status were not protected, I would be treating myself (semi-illegally) without the care of a doctor, which is supposedly something we don't want.

There are many examples of why medical records are very sensitive data.

You can be blackmailed because you have or had a "shameful" disease, a potential employer can deny you a job because you were too often sick for his own taste, insurance might deny you because you have a too risky profile, ...

None of those scenarios are viable in Sweden.

Because Swedes are uniquely morally upstanding and non-judgemental?

No, we're highly judgemental, but an employer is not allowed to inquire or make hiring/firing decisions with regard to your health status. Likewise life insurance might have a higher premium if you regularly engage in extreme sports, but they can't deny you. Health care is ubiquitous regardless of your condition.

And how would you know that an employer refused you a position because of your health record?

These kinds of laws exist in most countries, but if you cannot prove it, they are useless. So if an employer has public access to your health record, what prevents him from doing the above and telling you a random reason?

There was a case in France where an Ikea director had access to private police records and was making hiring decisions based on that. It's completely illegal but they did it for years before getting caught.

And blackmail is also not allowed, so that's covered too.

Sorry, but this sounds a little naive, in the Annie Lööf style: "In Sweden, it's forbidden to be a criminal".

Health care insurance, privat sjukvårdsförsäkring, can deny you. Talk from experience.

Makes a lot of sense as well, anything else would be weird. If this was not the case you could just get it when you have already been deemed sick, to get the faster private care instead of public health care.

You seem to be missing the point. The boss does not have to enquire if the information is already public!

I understood the point. If an employee/applicant felt they had been discriminated against and reported it there would be an inquiry and serious financial/social consequences. Hiring is a lengthy process and firing is very difficult.

Lots of information is available in Sweden that would make Americans squeamish to have public. The difference is that most people aren't interested in the sordid details of their neighbors.

So do you then think it's legal in the U.S to possess stolen health data?

Quite something that we are now at the part of the privacy debate where the argument is "well, why do you care about private medical records? shouldn't this be public?"

I'm also interested if OP will post their medical history, since they don't mind it being public. But I doubt anyone making that argument would actually do that.

Kind of a rough argument, but maybe it's just because they have never been beaten or harassed over something about their medical history. Which is good for them, but not the world most of us live in.

Thanks for the replies on this. I was really thinking of my friends and family, I think I know most of what people have had, including abortions, mental illness, cancer etc. I can now see how others can have serious problems with abuse, harassment or unwanted publicity of private issues.

Well for one thing, there are many medical conditions that can be embarrassing when shared with non-medical professionals. Do you really want your neighbor finding out about that rash or fungus you called about?

One reason health data is so valuable is that the older you are, the more problems you have. For example, neurodegenerative diseases can be serious, and when they begin to develop the patient may still be working! Imagine if your boss found out that you had ~2 good years left.

Even worse, people with dementia are prone to being scammed. We need to do everything possible to stop adversaries and scammers from having a list of people with neurodegenerative disease. Unfortunately, most people have little fear of their health data being hacked and hospitals have little incentive to protect it. Although I hear things are "getting better," the protection of your health data remains in a terrible state.

There are many more embarrassing medical conditions other than HIV status.

Blackmailing famous people by obtaining their medical records is a lucrative business. They might want to hide much more mundane things than HIV. (pregnancy, some accident which happened, drug related incidents etc. etc.)

Politicians as well, that's a much more direct lever on society.

I remember there was a case in the US where a girl was travelling to America, and the TSA took her phone and went through her email and found out about her previous drug addiction and refused her visa because of this.

