When you change your privacy settings and opt out of data sharing and tracking, do you trust that these agencies and companies will fulfill their end of the bargain?
I know, there are tons of user agreements to dig through, but most of the time, when we tick off that “opt-out” box, we are confident that our private data is safe and sound.
However, as proven time and time again, all it takes is a single software glitch to compromise your data. Whether it’s your financial information or your private health data, it seems like nothing’s completely safe anymore.
Two recent breaches have exposed data in the U.K. and the U.S. The British breach affected 150,000 patients and the U.S. breach in Michigan may have exposed almost 900 patients after a laptop was stolen.
University of Michigan exposure
Michigan Medicine at the University of Michigan has said around 870 patients were affected by a health-care data breach that involved the theft of an unencrypted laptop from an employee’s car.
The theft occurred on June 3, and Michigan Medicine was notified on June 4. The employee’s car was broken into and his bag, which contained the laptop, was stolen. The laptop was password protected but not encrypted.
The laptop contained protected health information that was collected for research, such as patient names, birthdates, medical record numbers, gender, race, diagnosis and other treatment information.
The university says the laptop didn’t contain patient addresses, phone numbers, Social Security numbers, payment card numbers, or bank account numbers.
Michigan Medicine said it believes the risk of fraud is low.
The U.K.’s National Health Service (NHS) is blaming a software coding error for its latest data breach, which led to the exposure of the personal records of around 150,000 patients.
The affected patients have reportedly requested a processing type called “Type 2 objections” (also known as Type 2 opt-outs). With this selected, their health data should have been used privately, only to provide them with care.
Unfortunately, a glitch caused this request to be omitted by NHS’s systems and the supposedly private data was inadvertently used in clinical audits and research.
NHS Digital stated the system provided by clinical software developer TPP contained a “defect” in the processing of the patients’ objections to the sharing of their confidential health data.
The software issue caused all 150,000 Type 2 objections sent between March 2015 and June 2018 to be ignored, and they were, in fact, not sent to NHS Digital.
This means the opt-outs were not upheld by the NHS when the data was distributed between April 2016 and June 2016, and the patients’ personal records were used without the necessary authorization.
The issue has been rectified
In a written statement, the Parliamentary Under-Secretary of State for Health Jackie Doyle-Price stated, “since being informed of the error by TPP, NHS Digital acted swiftly and it has now been rectified.”
NHS Digital also informed the Department of Health and Social Care of the system glitch on June 28.
The department has started sending notices to the affected patients concerning the issue and it is reassuring them that the opt-outs are now in effect.
Doyle-Price also stated that no patient was put at risk because of the software glitch. Additionally, the U.K.’s new National Data Opt-Out system should prevent this kind of error from happening again.
“As part of our commitment to the secure and safe handling of health data, on 25 May 2018 the Government introduced the new national data opt-out. The national data opt-out replaces Type 2 objections,” Doyle-Price wrote in an official statement.
Doyle-Price added that with this new system, patients have more direct control over their data privacy settings and “therefore will prevent a repeat of this kind of GP systems failure in the future.”
Interestingly, this new opt-out system was launched on the same day as the new European GDPR data protection rules took effect.
For its part, TPP apologizes for the error and says it will continue to work with the NHS to ensure that these kinds of errors do not happen again.
However, this incident is yet another reminder that the privacy of our data is susceptible to system errors that are beyond our control.