[BreachExchange] Confidential Medical Information Can Be Exposed

Audrey McNeil audrey at riskbasedsecurity.com
Mon Dec 18 18:59:59 EST 2017


https://www.lifehacker.com.au/2017/12/confidential-medical-information-can-be-exposed/

A team from the University of Melbourne has been able to take de-identified
data of 2.9 million Australians and put it back together to identify who
the data pertains to. This has potentially placed the personal data of more
than one in ten Aussies in public, with sport stars and other public
figures likely to be targeted.

The data comes from publicly accessible and de-identified Medicare and
Pharmaceutical Benefit Scheme (PBS) data. By using easily accessed data
such as dates of birth and when people had particular procedures, the
researchers have been able to reconstruct quite personal information. The
Office of the Australian Information Commissioner (OAIC) has said they are
investigating the matter.

The report, published by Dr Chris Culnane, Dr Benjamin Rubinstein and Dr
Vanessa Teague from the University of Melbourne's School of Computing and
Information Systems, said, "We found that patients can be re-identified,
without decryption, through a process of linking the unencrypted parts of
the record with known information about the individual such as medical
procedures and year of birth".

With so much data being collected today, one of the promises that many
agencies have made is that any data that is put into the public domain will
be de-identified so individual privacy can't be compromised.

Based on the research of the University of Melbourne team, this is plainly
a flawed claim. Although it might be possible to de-identify one data set,
the tools and methods now exist to take multiple data sets and assemble
them to glean more information than was previously realised. While the
OAIC's investigation is not new - it was launched over a year ago - the
consequences of this data sharing and how it might be misused should be of
significant concern to everyone, particularly as we move into a new era
where electronic health records are being created for every Australian
unless they specifically opt out.
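
Added example (not from the article or the University of Melbourne report): a pre-release check a data custodian could run to measure how many records are unique on the clear-text fields the article names, year of birth and dated procedures. The records, field names and procedure labels are constructed for illustration.

```python
from collections import Counter

# Constructed sample (not real data): the ID is opaque, but year of birth and
# dated procedures are released in the clear, as in the article's description.
RECORDS = [
    {"pid": "a91f", "yob": 1975, "events": [("knee_arthroscopy", "2014-03-11")]},
    {"pid": "b27c", "yob": 1976, "events": [("knee_arthroscopy", "2014-09-30")]},
    {"pid": "c3e8", "yob": 1982, "events": [("appendectomy", "2015-01-20")]},
    {"pid": "d415", "yob": 1983, "events": [("appendectomy", "2015-06-05")]},
    {"pid": "e5a2", "yob": 1984, "events": [("appendectomy", "2015-11-17")]},
    {"pid": "f6d0", "yob": 1990, "events": [("childbirth", "2012-02-14"),
                                            ("childbirth", "2014-08-03")]},
]

def coarsen(date, level):
    """Generalise an ISO date to day (unchanged), month (YYYY-MM) or year (YYYY)."""
    return {"day": date, "month": date[:7], "year": date[:4]}[level]

def quasi_id(rec, level, bin_years=1):
    """The clear-text fields an outsider could match against what they know."""
    yob = rec["yob"] - rec["yob"] % bin_years
    return yob, frozenset((proc, coarsen(d, level)) for proc, d in rec["events"])

def class_sizes(records, level, bin_years=1):
    """Number of records sharing each quasi-identifier (equivalence classes)."""
    return Counter(quasi_id(r, level, bin_years) for r in records)

def below_k(records, level, bin_years=1, k=2):
    """IDs of records whose class is smaller than k: suppress or generalise further."""
    sizes = class_sizes(records, level, bin_years)
    return [r["pid"] for r in records if sizes[quasi_id(r, level, bin_years)] < k]

def unique_fraction(records, level, bin_years=1):
    """Share of records that are the only one with their quasi-identifier."""
    return len(below_k(records, level, bin_years, k=2)) / len(records)

if __name__ == "__main__":
    for level, bins in [("day", 1), ("month", 1), ("year", 5)]:
        print(level, bins, round(unique_fraction(RECORDS, level, bins), 2),
              below_k(RECORDS, level, bins))
```

Even with dates cut to the year and birth years binned in fives, the record with a rare combination of events stays unique, so the check has to run on the combined fields rather than field by field.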