Data Encryption Software: TX Dept Of Health Sells Data, Recipient Uses It For Non-Research Purposes.

I’ve mentioned in the past that data encryption ought to be considered for seemingly trivial–yet personal–data, in certain cases.  For example, if a massive database of e-mail addresses is breached…so what, right?

On the other hand, that’s what happened to a few years back, and that seemingly trivial information was used to infect people’s computers with a Trojan: an e-mail from was spoofed, encouraging members to download a new “toolbar” that would enhance their experience.

It’s just one example of the things that can be done with seemingly trivial information.  I’ve also mentioned a number of other scams that exploit data that most don’t consider sensitive.

Today, I’d like to add another one to my list, although I’m not sure the perpetrators will admit to it being a scam (it sounds like one, though).  And, man is it a doozy.

Texas Department of State Health Services Sells Data

The Texas Department of State Health Services (DSHS) is mandated with enforcing the protection of patients’ health records.  However, it is also allowed to sell patient information for research purposes.  It’s also allowed to sell data for non-research purposes, as long as the information is de-identified, i.e., personal details are substituted with other unique identifiers.  For example, a person’s name might be substituted with an internally created identifier such as “A99S2ISNN.”

The idea is to give people a chance to use massive databases to identify trends: for example, residents of a particular zip code have higher incidences of a particular type of cancer (why?), or people of in a particular age range have lower incidences of heart disease compared to people from 10 years ago in the same age range (again, why?).  The data can become a powerful tool for figuring out better health practices and policies, among other things.

It can also be used for other stuff.  Here’s how America’s Health Insurance Plans got embroiled in a scam after obtaining the same data (they got the “research” version, which does not de-identify data):

The group gained notoriety in 2009 when a New England newspaper discovered AHIP’s political-marketing consultant was in fact the author of numerous letters to the editor railing against health care reform. The letters were signed with the names of local citizens who, the newspaper learned, had not written the letters and objected to the use of their names without permission. []

Of course, you’ll notice that technically this was not AHIP’s doing: a consultant did it.  And, there’s the issue on whether this constitutes a scam, or merely just deceit.  (Sounds like a scam to me…and, why use real names?  Why not make them up?  Sheesh, some people…)

Anyhow, the above is just another way that seemingly trivial information can be used for less-than-innocent purposes.  It’s also a situation where the use of encryption wouldn’t have an impact at all.

Encryption software like AlertBoot would have been less than useful in this case because the information was legally obtained (but illegally used…I’m pretty sure it must have run afoul of any contractual agreements between AHIP and Texas DSHS).  I mean, you could deliver the information in encrypted form–always a good policy–but the appropriate passwords would also be provided, rendering the point moot.

On the other hand, it just confirms the fact that there are situations where encryption cannot be counted on for data security: when people who’ve been authorized to access data turn out to be the same people who you’re trying to keep out.  This, among other reasons, is why any good data security policy combines different layers of security (such as keeping tabs on who accesses data by keeping logs and running periodic audits).

Related Articles and Sites:

Comments (0)

Let us know what you think