Who decides what health data is sensitive?
The massive UC Berkeley data breach reported last week exposed the sensitive health information of more than 160,000 Berkeley students, alumni and others who used the school's health system. Berkeley officials said that the breach did not expose the victims' treatment information, an assertion that is leaving some security experts wondering exactly what constitutes sensitive data.
Berkeley's advisory on the data breach said that the attackers had access to the victims' immunization records, Social Security numbers and the names of doctors the victims visited. As Eric Rescorla points out on his Educated Guesswork blog, that data may not explicitly spell out what a specific patient was being treated for, but there's enough information for an observer to make informed guesses.
First, since when are immunization records and the names of the physicians you've seen not treatment information? Even if you don't know my diagnosis, which doctors I saw still leaks potentially sensitive information about my medical history. If my records show that I saw an oncologist, it's a reasonable guess that I have cancer. If my records show that I got vaccinated for Hep B or plague, you might reasonably deduce something about my risk factors. And of course the sheer number of visits (based on the rest of the page, the dates of visits seem also to have been leaked) isn't exactly uninformative; if I'm seeing a doctor every week, something is probably wrong. I'm not saying Berkeley necessarily did anything wrong by having this information on this computer—it's got to go somewhere—but this stuff sure seems sensitive to me.
It's a great point. An observer doesn't need every piece of the puzzle to see the picture: a physician's specialty, an immunization history and the frequency of visits can be combined into a confident guess about a diagnosis, which is precisely the information Berkeley says was not exposed. That raises the question of what actually counts as sensitive data. Data breach notification laws carry their own definitions, which tend to enumerate specific identifiers rather than describe what can be inferred from a record, and as Rescorla shows, a dataset can fall outside a statutory definition of treatment information and still reveal a patient's medical history. Cases like the Berkeley breach call for a more thoughtful analysis of what the exposed data discloses, not just which fields it contains.