This week, one of the largest health care providers in the State of California emailed to me the entire 101-page medical records of one of their patients. I have no relationship with this health care provider and do not live in California.
- In 2018, how is it possible that a major health care provider would send protected health information (PHI) over unsecured email? This boggles the mind.
- In 2018, how is it possible that a major health care provider is sending PHI to an unverified email address? Mind blown.
By sending someone’s medical records to a random stranger on the Internet (me), this health care provider lost all control of their patient’s medical records.
I informed the provider and I also filed a HIPAA violation complaint with the U.S. Department of Health and Human Services, Office for Civil Rights, which enforces the HIPAA privacy requirements. (If you know of health care PHI privacy violations, you can file a complaint with the information provided here.)
Because this medical record landed in my Gmail Inbox, we know that Google’s artificial intelligence software scanned, analyzed, interpreted and took notes about what was contained in the record.
This health care record has nothing to do with me, but whatever is in that record has now likely been incorporated into Google’s dossier on me. The result is that the Google database of what they think they know about each of us becomes more and more inaccurate over time. Since I receive a large quantity of misdirected email, the Google dossier is likely messed up.
Google claims their dossier is not for sale and is used only by the Google Ad network for ad placements. Presumably the ads shown will be shaped by the incorrect information they have collected.
This has interesting implications for privacy.