At a glance.

  • Research consent.
  • StoreHub database exposed.
  • Data breach at 90 Degree Benefits.
  • Hospital appointment app shares data with Facebook.

Revamping research consent forms in the digital world.

Wired takes a look at that tedious gatekeeper to medical research: the consent form. As the landscape of research has evolved, shifting from large, institutional studies to digital, patient-driven health movements, the traditional consent form has become outmoded. Legislation around consent forms has failed to keep up with the growing risks connected to medical research, and the limitless ways research data can be used in an age of ever-changing technology. Wired contends there needs to be a shift in the way consent forms are viewed, focusing more on the relationship between patient and researcher. Participants could be empowered by making them a part of the process as well as the conclusion, allowing them to engage with the research community through more interactive consent forms that give them the opportunity to make their own predictions about outcomes. Forms should also be used to increase awareness that in a world that grows more digital every day, participant data has a shelf-life that extends far beyond the end of the study.

StoreHub database found unsecured on the web.

The researchers at SafetyDetectives have discovered an unprotected Elasticsearch server owned by StoreHub, a Malaysian point-of-sale software vendor. The 1.7 billion unencrypted records were left wide open with no password protection. The exposed data includes full names, phone numbers, physical addresses, email addresses, device types, and order details related to the companies that use StoreHub’s products, as well StoreHub employee info. Safety Detectives say they detected the exposed server and reported it to StoreHub on January 12th, and after several follow-up communications, the server was finally secured by February 2nd. StoreHub’s account is a bit different, as a spokesperson told the Register, “Upon being informed of the occurrence on an Amazon Web Services (AWS) Elasticsearch instance, StoreHub took immediate action to patch and rectify the vulnerability within 24 hours.” It’s unclear whether the data was accessed by another party. 

Data breach at 90 Degree Benefits.

The Wisconsin division of a health benefits company 90 Degree Benefits has disclosed a February data breach that led to the exposure of customer data. JDSupra explains that employees noticed a system disruption on February 7, and upon investigation determined that an unauthorized party had gained access to files containing consumer data including names, dates of birth, Social Security numbers, phone numbers, addresses, and health information. The company began notifying impacted individuals last week.

Hospital appointment tracker shares data with Facebook.

An investigation from The Markup reveals that the websites of over thirty of the top one hundred hospitals in the US use a tracker called the Meta Pixel that is sending patient data to Facebook. Whenever a site visitor attempts to schedule a doctor’s appointment, data like doctor’s name and the patient’s condition is sent to the social media platform. For seven of the hospitals, Meta Pixel was installed inside password-protected patient portals and was collecting additional data like patient medications, descriptions of allergic reactions, and details about future doctor’s appointments. 

Some security and privacy experts say the hospitals in question could be found in violation of the federal Health Insurance Portability and Accountability Act, which prohibits hospitals from sharing personally identifiable health information with third parties without patient consent. David Holtzman, a health privacy consultant and former senior privacy adviser at the US Department of Health and Human Services’ Office for Civil Rights, stated, “I am deeply troubled by what [the hospitals] are doing with the capture of their data and the sharing of it. I cannot say [sharing this data] is for certain a HIPAA violation. It is quite likely a HIPAA violation.” A spokesperson for one of the institutions, University Hospitals Cleveland Medical Center, said their website “comport[s] with all applicable federal and state laws and regulatory requirements.” However, Froedtert Hospital has removed the Meta Pixel from its website “out of an abundance of caution.