Who decides what health data is sensitive?

The massive UC Berkeley data breach reported last week exposed the sensitive health information of more than 160,000 Berkeley students, alumni and others who used the school’s health system. Berkeley officials said that the breach did not expose the victims’ treatment information, an assertion that is leaving some security experts wondering exactly what constitutes sensitive data.

Berkeley’s advisory on the data breach said that the attackers had access to the victims’ immunization records, Social Security numbers and the names of doctors the victims visited. As Eric Rescorla points out on his Educated Guesswork blog, that data may not explicitly spell out what a specific patient was being treated for, but there’s enough information for an observer to make informed guesses.

First, since when are immunization records and the names of the physicians you’ve seen not treatment information? Even if you don’t know my diagnosis, which doctors I saw still leaks potentially sensitive information about my medical history. If my records show that I saw an oncologist, it’s a reasonable guess that I have cancer. If my records show that I got vaccinated for Hep B or plague, you might reasonably deduce something about my risk factors. And of course the sheer number of visits (based on the rest of the page, the dates of visits seem also to have been leaked) isn’t exactly uninformative; if I’m seeing a doctor every week, something is probably wrong. I’m not saying Berkeley necessarily did anything wrong by having this information on this computer—it’s got to go somewhere—but this stuff sure seems sensitive to me.

It’s a great point. You don’t need every piece of the puzzle to see what the finished picture will be. That raises the question of what actually constitutes sensitive data. The data breach notification laws have their own definitions, but, as Rescorla shows, those definitions don’t necessarily capture what an observer can infer from the fields that were exposed. More thoughtful analysis is needed here, especially for cases like the Berkeley breach.
