Berkeley medical records breach

Oh, this is just great:
BERKELEY -- The University of California, Berkeley, today (Friday, May 8) began notifying students, alumni and others that their personal information may have been stolen after hackers attacked restricted computer databases in the campus's health services center.

The databases contained individuals' Social Security numbers, health insurance information and non-treatment medical information, such as immunization records and names of some of the physicians they may have seen for diagnoses or treatment.

UC Berkeley administrators pointed out that the hackers fortunately did not access University Health Services's (UHS) medical records, which include patients' diagnoses, treatments and therapies. Those records are stored in a separate system and were not affected by this crime.

First, since when are immunization records and the names of the physicians you've seen not treatment information? Even if you don't know my diagnosis, which doctors I saw still leaks potentially sensitive information about my medical history. If my records show that I saw an oncologist, it's a reasonable guess that I have cancer. If my records show that I got vaccinated for Hep B or plague, you might reasonably deduce something about my risk factors. And of course the sheer number of visits (based on the rest of the page, the dates of visits seem also to have been leaked) isn't exactly uninformative; if I'm seeing a doctor every week, something is probably wrong. I'm not saying Berkeley necessarily did anything wrong by having this information on this computer—it's got to go somewhere—but this stuff sure seems sensitive to me.

One might also ask why my medical billing records need to contain my SSN. Apparently they're using it as some sort of patient locator, but that's not what I would ordinarily call good practice (distressingly common, though, and apparently that's their excuse).
I'm guessing that someone has solved the problem of having to use SSNs as cross-organizational unique identifiers. That is, if I have UC Berkeley Patient ID x, and I need to map it onto Kaiser Patient ID y but I don't want to keep SSNs in the same records as either patient IDs in each system, can I still use that to make the linkage (nightly encrypted something or others).

Or is it time to declare defeat and work towards being able to not consider SSNs as sensitive?

Joe, yup, I think there's a lot of research along these lines. One entry into the literature is the term "private matching."
