How much data do you need to identify a person? According to a new MIT study, bare metadata can paint a surprisingly personal portrait of each of us. When researchers analyzed the anonymous credit card transactions of 1.1 million people, they found that it was possible to identify the unique purchasing patterns of more than 90 percent of subjects with only four pieces of data, such as timing or location. This is information that many individuals willingly expose through social media.
After identifying a purchasing pattern, analysts were able to find the name of individual consumers by studying data from Linkedin, Facebook and Twitter profiles, as well as apps such as Foursquare that people use to publicly “check in” to a location at an also publicly-disclosed time. With nothing but a simple data set, analysts were also able to isolate other personal identifiers such as gender and income bracket.The increasing use of mobile health apps, specifically those that can transmit data to a provider’s web portal, puts patients’ protected health information at risk of being accessed by cyber criminals. HIPAA protects some types of data, but the MIT study shows that information such as when patients log in to a patient portal and from where, along with identifying information that’s transmitted from a health app, may be enough for cyber criminals to commit identity fraud.
According to Reuters, medical information is worth 10 times more than credit card numbers on the black market, and cyber criminals are progressively turning their attention to the $3 trillion U.S. healthcare industry. While credit cards can be canceled as soon as banks detect fraud, medical identity theft takes much longer to detect and deal with.
Healthcare organizations should be aware of this as they implement new technologies. In addition to performing regular HIPAA compliance audits, hospitals and medical practices should ensure that data security features that protect even the most minute details of patient data are built into all digital health tools.