Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Facebook Privacy Social Networks Technology

Facebook Was in Talks With Top Hospitals Until Last Month To Share Data of Most Vulnerable Patients (cnbc.com) 108

Facebook was in talks with top hospitals and other medical groups as recently as last month about a proposal to share data about the social networks of their most vulnerable patients, CNBC reported on Thursday. From the story: Facebook was intending to match it up with user data it had collected, and help the hospitals figure out which patients might need special care or treatment. The proposal never went past the planning phases and has been put on pause after the Cambridge Analytica data leak scandal raised public concerns over how Facebook and others collect and use detailed information about Facebook users. "This work has not progressed past the planning phase, and we have not received, shared, or analyzed anyone's data," a Facebook spokesperson told CNBC. But as recently as last month, the company was talking to several health organizations, including Stanford Medical School and American College of Cardiology, about signing the data-sharing agreement.
This discussion has been archived. No new comments can be posted.

Facebook Was in Talks With Top Hospitals Until Last Month To Share Data of Most Vulnerable Patients

Comments Filter:
  • by b0s0z0ku ( 752509 ) on Thursday April 05, 2018 @01:44PM (#56388385)

    If it can be matched up with real-world profiles, it's no longer anonymous. If the hashing DOESN'T work correctly, the wrong people could be labeled with health conditions, and God forbid this data is re-sold to insurance corepirations.

    This seems like a HIPAA nightmare, and if this goes forward, this needs to be slapped with a restraining order by HHS. This is a borderline criminal idea and should be treated as such.

    • by Anonymous Coward

      HIPAA like most laws is around to be wield like whip towards the peons. Monied interests like Feciesbook have little to worry about.

      • by b0s0z0ku ( 752509 ) on Thursday April 05, 2018 @02:02PM (#56388463)
        Depends who's in charge. I dislike Trump's authoritarianism, but think his hatred for the tech industry is useful. If he can destroy or slow down the growth of the ad-supported, privacy-sucking tech firms like Facebook, Google, Microsoft, Apple, Amazon, etc, then that will be one of the few good things his administration has done.
        • by PopeRatzo ( 965947 ) on Thursday April 05, 2018 @02:20PM (#56388579) Journal

          I dislike Trump's authoritarianism, but think his hatred for the tech industry is useful. If he can destroy or slow down the growth of the ad-supported, privacy-sucking tech firms like Facebook, Google, Microsoft, Apple, Amazon, etc, then that will be one of the few good things his administration has done.

          Does he want to "destroy or slow down the growth" of these companies, or bend them to his will?

          He didn't seem to have any "hatred for the tech industry" when it comes to what Robert & Rebekah Mercer are doing with Cambridge Analytica.

      • An A.C. said

        HIPAA like most laws is around to be wield like whip towards the peons. Monied interests like Feciesbook have little to worry about.

        You are so right, it's scary.

        In my city, the cops have a one way data flow from the hospital's computers. The idea that it is of some benefit, some 'special care or treatment' for the patient is absurd. And it's more than just data mining to match patients with crimes. It involves identity processing and crime prevention via predictive analytics, doing things like estimating emergent crime trends and matching them with pools of potential suspects. Hospital records aren't the only thing they v

        • Under HIPAA, this generally requires a warrant or specific exigent circumstances. "Open line to data" is illegal.

          If you're aware of this situation, I strongly encourage you to leak it to the press and also file a report with HHS. Anonymously if needed. Whistleblowers are heroes.

          • Yes, either Humbubba is total BS or that hospital and PD are in big trouble. There is a pass through for law enforcement, but only to prevent a crime from occurring or to help with patient care in specific instances. No way can you have a 'one way data flow'.

            • Also, such a situation may (likely) be a Federal crime. Failing to report it to the Federal D.A.'s office or HHS may in itself be a Federal offense, especially if one is employed by any of those organizations. If I were in that situation, I might be speaking to a lawyer...
          • b0s0z0ku says

            Under HIPAA, this generally requires a warrant or specific exigent circumstances. "Open line to data" is illegal.

            I am outraged at this as much as I am awestruck by these practices. If I'm reading this wrong, and this line to hospital records is illegal, someone please let me know. I am pro-privacy, in spite of the times we live in. None the less, this is how I read the law:

            Under HIPAA, medical information can be disclosed without an individual's permission to "any government official at any level of government authorized to either investigate or prosecute a violation of the law." This applies to doctor

            • See also:
              "HIPAA permits the police to use an administrative subpoena or other written request with no court involvement, as long as police include a written statement that the information they want is relevant, material, and limited in scope, and that de-identified information is insufficient."

              Giving police a "direct line" to hospital systems sounds like it's NOT limited in scope, and does NOT require a written statement of relevancy. Correct me if I'm wrong. If the police and/or their software are li
              • I'm looking at documents right now that specifically say state law requires disclosure of confidential medical information or records to certain people upon demand. Law enforcement is included in the term 'certain people'.

                There is a lot more. Considering this and my limited abilities, perhaps an attorney is the way to go.

                • "Upon demand" means a properly formatted, WRITTEN demand stating valid reasons why the information is needed, and the specific, narrow range of information required.

                  i.e. "We require any blood alcohol test results you may have on John Q. Doe, male, DOB 3/4/1956, due to him being involved in a fatal motor vehicle accident with suspected DWI."

                  Also, HIPAA applies nationally -- state law can't be LESS restrictive than its requirements. In any case, responding to specific requests is legal. Giving cops authoriz

                  • 'Upon demand' is going to be generally require that properly-formatted, WRITTEN demand be in the form of a warrant--if this isn't technically required by the local laws, the people who are legally responsible for keeping those records private will insist on one for their own protection. As long as they can say they were legally compelled to release the records, they're in the clear.

          • Bullshit. I've read the HIPPA disclosures from a major couple major hospital systems. They explicitly state that they WILL share your "private" data with the pigglies, Uncle Sam, insurance companies, and pretty much any other evil institution that asks.

            The only group who are prevented by HIPPA from accessing your medical data are... medical researchers. You know, the one group that most people *want* their data shared with.

            HIPPA is a crock of shit. It does very very very little of benefit to patients. But i

    • Indeed, HIPAA will do nothing to protect your privacy in these situations. If a hospital decides it wants to share everything about you with North Korea, it's all cool as long as they sign the right contract and can self justify it. If an insurance company wants to get all of your data from the local casino, even easier. In theory, I guess this should make people think before they throw your personal data around, but all it really does is create a paper trail.
      • by mysidia ( 191772 ) on Thursday April 05, 2018 @02:17PM (#56388559)

        Indeed, HIPAA will do nothing to protect your privacy in these situations.

        HIPAA prevents your Medical Provider, Insurance company, or other covered entity from RELEASING or DISTRIBUTING your medical records/Protected Health Information. It does NOTHING to restrain them from GATHERING or IMPORTING records/data about you from other sources such as Facebook.

        Facebook is not a covered entity under HIPAA, because they aren't any kind of medical provider ---- so they aren't regulated in any way by HIPAA; therefore if you post something related to your own health there on your own Facebook page: they can share it however they want according to the Terms of Use that users agree to when using Facebook's website. There's nothing that would prevent Facebook from distributing your information to a
          Hospital.

        • by b0s0z0ku ( 752509 ) on Thursday April 05, 2018 @02:22PM (#56388599)
          Except the article summary implies that the anonymized medical records would be released to Facebook, which would then attempt to match them with profile information. If they can be matched, they're not anonymized enough -- thus, HIPAA violation.
        • by Anonymous Coward

          It does NOTHING to restrain them from GATHERING or IMPORTING records/data about you from other sources such as Facebook.

          So, here's the problem with that ... information theory tells us that as soon as a medical provider downloads that information, it will leak information about you.

          That you are a patient of that facility is now known to Facebook. If that clinic is a specialist they can infer the nature of your condition. Which means Facebook can now start selling you ads for pharmacies, or possibly for d

        • Except that Facebook would quickly become a covered entity if they did this. They would be awfully close to a 'Health Care Clearinghouse'

          [quote]Clearinghouses include organizations that process nonstandard health information to conform to standards for data content or format, or vice versa, on behalf of other organizations.[/quote].

          Even if they got a pass on that, they would certainly be a 'business associate' which are generally bound by HIPAA rules.

          • by mysidia ( 191772 )

            Except that Facebook would quickly become a covered entity if they did this. They would be awfully close to a 'Health Care Clearinghouse'

            They would not be a clearinghouse. Clearinghouses perform processing of information on behalf of other organizations. This means that they receive health data from a covered entity such as a healthcare provider, process the information On behalf of the other entities, and return it.

            Even if they got a pass on that, they would certainly be a 'business associate' whi

        • ...therefore if you post something related to your own health there on your own Facebook page

          The most pressing concern is that Facebook is getting info on people that DON'T post things on Facebook on their own. With Facebook talking to hospitals directly, isn't there a bit of a concern as to HOW they collect data on people without their knowledge, let alone consent?

          • by mysidia ( 191772 )

            With Facebook talking to hospitals directly, isn't there a bit of a concern as to HOW they collect data on people without their knowledge, let alone consent?

            If the project had gotten off the ground; it's possible the project could have collected data from both Facebook and the Hospitals, but
            Facebook itself wouldn't have been able to collect health data on people from the hospitals or the combined dossier to use for their own purposes, because of compliance issues.

            Of course the project never actually go

    • by Anonymous Coward

      I have a magazine subscription that is dedicated to getting around HIPAA :(

      Scary just how much you CAN do and still stay legal....

      FB probably found out the Hospital networks already outdid them on data collection and there was nothing legal left to find !

    • by DogDude ( 805747 )
      needs to be slapped with a restraining order by HHS

      Yeah, that's not going to happen. [wikipedia.org]
      • Trump and GOP'ers are generally politicized against "new tech" like Facebook, so it may very well happen.
    • Yes, this would violate HIPAA law. Even if in some alternate universe it didn't, it'd still be a terrible, intrusive, cringeworthy idea. Who comes up with ideas this awful? Social media people need to get out more.
    • by shubus ( 1382007 )
      I couldn't agree more. It is a totally outrageous invasion of privacy. And you just know that the hashing would be cracked.
  • by 93 Escort Wagon ( 326346 ) on Thursday April 05, 2018 @01:50PM (#56388407)

    Jenny Johnson is currently in Virginia Mason hospital, room 1231! If you know Jenny, click "Like" to send her your best wishes.

  • On the Bright Side (Score:4, Interesting)

    by techsoldaten ( 309296 ) on Thursday April 05, 2018 @01:52PM (#56388421) Journal

    On the bright side, such an agreement could work towards furthering our understanding of the root causes of a variety of medical and psychological problems.

    Facebook is nothing but an ad-funded spy network. It gathers information about billions of people. If there is any good to come from that colossal invasion of privacy, it would be preventative care.

    • Any such study can be undertaken with customer permission.

      Medical studies on unwilling subjects conducted by various authoritarian governments also helped us understand things like radiation poisoning, starvation, and hypothermia. The ends don't justify the means.

    • by lkcl ( 517947 )

      On the bright side, such an agreement could work towards furthering our understanding of the root causes of a variety of medical and psychological problems.

      slashdot story, 2019: ".... the study concluded that the root cause of the psychological and medical problems so endemic in society was: Facebook. in the opinion of the professionals consulted (those professionals willing to work ethically with the handful of *voluntarily* submitted and properly anonymised sources of data for the purposes of the study) they noted in particular that it was severely cognitively dissonant for people to know that their privacy was being regularly and routinely violated, yet t

      • Like I said, understanding the root cause of psychological problems is something we can achieve through data sharing.

    • Facebook is nothing but an ad-funded spy network. It gathers information about billions of people. If there is any good to come from that colossal invasion of privacy, it would be preventative care.

      Um... doesn't the first sentence preclude the possibility of the last?

    • Garbage in, garbage out.

      All of life's ills will be reduced to issues surrounding cat videos.

    • by AHuxley ( 892839 )
      Governments do that all the time for free as part of their health care system.
      An ad company just saw a way to dell data back to anyone who would pay.
      Medical care was not the result.
      Profit is the only factor.
  • I stay with my same old doctor because he refuses to put patient records down on anything but paper. Doesn't take insurance. Voting and health care need to go back-to-the-future and use paper! They should damn sure not be networked. That's how the Iranians hid their nuclear reactor for two years before Israel blew it up. They used paper. When they stopped and a scientist traveled through Europe with a laptop, they snagged it and found out. Networked computers are one of the least secure places to put any in

    • Then again, electronic medical records systems IF PROPERLY IMPLEMENTED can reduce error and make sure records are legible. BTW, the computers don't have to be networked to the outside world. Perfectly feasible to run everything on an airgapped Ethernet network with encrypted daily backup to a set of rotating SSD cartridges. Hardware is cheap in 2018, cloud or client/server isn't the only viable solution.
      • Then again, electronic medical records systems IF PROPERLY IMPLEMENTED can reduce error and make sure records are legible. BTW, the computers don't have to be networked to the outside world. Perfectly feasible to run everything on an airgapped Ethernet network with encrypted daily backup to a set of rotating SSD cartridges. Hardware is cheap in 2018, cloud or client/server isn't the only viable solution.

        We already know there are many ways to breach air gaps. Merely getting the required update for whatever database/billing/etc. software you run will involve you breaching the air gap. And of course, modern Intel CPUs come with built in, ON CPU WiFi / cell connections (yes, the antennas are good enough, no, you don't have control over it).

        And no, hardware is NOT cheap in 2018. And it won't be cheap in 2118. Cheap is relative. Remember - you're comparing to paper.

        • Let me repeat... hardware is cheap in 2018. A decent Intel NUC system with SSD can be had for under $500 and will last 5-7 years at least. Use them as part of a modular system with some acting as workstations, others as servers and backup devices. You can even buy them Ethernet-only, no built-in WiFi.

          Sure, an airgap can be breached with some work. It's also a hell of a lot less likely than an Internet-connected or cloud-connected system being breached. Technically, paper records can also be breached or

          • Let me repeat... hardware is cheap in 2018.

            No, it isn't.

            A decent Intel NUC system with SSD can be had for under $500 and will last 5-7 years at least.

            An NUC is a laptop in a box. They don't last 5-7 years. They're good for about 3 years.

            Use them as part of a modular system with some acting as workstations, others as servers and backup devices.

            You're a nut. Who's going to design such a system and maintain all the machines? How many NUCs do you need? Don't forget the monitor, keyboard, mouse, operating system, etc. for each one.

            You can even buy them Ethernet-only, no built-in WiFi.

            Not when the WiFi is built into the CPU. https://arstechnica.com/inform... [arstechnica.com]
            That shit has been standard in most Intel CPUs over the last few years. It's exposed/hidden based on SKU, like the ME shit.

            Sure, an airgap can be breached with some work. It's also a hell of a lot less likely than an Internet-connected or cloud-connected system being breached. Technically, paper records can also be breached or destroyed -- burglaries of medical offices happen.

            Airgaps don't exist when

            • (1) NUC has one moving part: the fan. If they're securely mounted to a wall or desk, there's little change of drop damage. They can easily last 5-7 years.
              (2) Who will design it and maintain it? Same people as design as maintain local (non-cloud) EMR systems now.
              (3) Doubt it about the wifi -- some NUCs still use a separate WiFi card. Besides, they'd need an open WiFi net to connect to.
              (4) You print on non-network USB printers or network printers that don't need Clown Print to work, same as people did

        • Paper is actually kind of expensive.

          Storage, secure disposal, filing.

          Don't forget filing. In a given year how many man hours are spent looking through a filing cabinet for so and so's file? God forbid if gets misplaced.

    • by kbonin ( 58917 ) on Thursday April 05, 2018 @02:10PM (#56388509)
      Enjoy having a doctor that tries to protect your privacy while you can.
      from New Hampshire: A doctor who won't use a computer loses her license to practice medicine [cnn.com]
  • Q told us "MZ" (Zuck the Cuck) would be stepping down from his position (willingly or not).

    When Q is proven to be correct yet again, what will you blue pillers do?

  • So the hospital could see from his FB-posts, that he not just has a broken leg but suffers from WhiteSupremitis and AntiSemitis and needs a few antiracism drips.

  • If this data could be construde as medical data and is being shared without patient content this could be a big problem
  • by Anonymous Coward

    From what I've read so far the whole Cambridge Anayltica thing wasn't a "data leak". It was business as usual except someone decided they didn't like how the data got used. That is becoming more apparently true as more stories like this one come out.

  • Facebooks business model is selling your data and access to the data via an search API. That is what you use to identify target groups and special people, like influencer, to coerce them into using certain services and buy products. While this is disgusting, it is not new. They did that before Cambridge Analytics and they do it now. And they are not the only ones doing so. All these platforms must be regulated heavily.

  • Allez, au revoir!
  • If we had an administration which was working for The People rather tha Big Corp and Oligarchs, these companies would be fined big money for each and every individual HIPAA violation, and the fines would be measured at minimum in tens of billions USD.

  • It's as simple as this:

    - Do NOT click any links in any emails.
    - Do NOT send money to any Nigerian prince needing help.
    - And definitely do NOT put ANYTHING up on the web that you are NOT willing to have shared with any other party.

    In case you haven't figured it out by now, trust very few people, and absolutely trust NO corporation or politician.

Never test for an error condition you don't know how to handle. -- Steinbach

Working...