Google Will Now Hide Personal Medical Records From Search Results (betanews.com)
Mark Wilson, writing for BetaNews: Google has updated its search policies without any sort of fanfare. The search engine now "may remove" -- in addition to existing categories of information -- "confidential, personal medical records of private people" from search results. That such information was not already obscured from search results may well come as something of a surprise to many people. The change has been confirmed by Google, although the company has not issued any form of announcement about it.
Plugging leaks. (Score:1)
That's nice. Now send notices to all the leaks.
Am I The Only One... (Score:2)
Hiding results is all fine, but... (Score:4, Interesting)
But do they still index and keep copies of it in house? (I bet real money they do.)
About damn time. (Score:1)
Better Question (Score:5, Insightful)
Better question: Why are such records stored on servers sufficiently accessible that Google can index them in the first place?
Re: (Score:2)
Better question: Why are such records stored on servers sufficiently accessible that Google can index them in the first place?
Because there are no penalties for shitty security.
Re:Better Question (Score:4, Interesting)
Better question: Why are such records stored on servers sufficiently accessible that Google can index them in the first place?
Because there are no penalties for shitty security.
Maybe, maybe not. In the USA, the HIPAA act governs how medical providers and affiliates are required to deal with PHI (protected health information). There are indeed significant penalties associated with disclosure of PHI, and there is no exemption for malware or other bad actors. Even more alarming for the healthcare industry, HIPAA includes *personal* liability, not just corporate liability (http://managedhealthcareexecutive.modernmedicine.com/managed-healthcare-executive/content/tags/hipaa/hipaa-rule-makes-you-personally-liable), so PHI security is taken very seriously.
But HIPAA doesn't govern what I can do with my own medical records - if I want to post them on a publicly accessible website that is just fine. And since records are required as input to all sorts of medical research and software development projects, anonymized and pseudonymized data is everywhere. I have personally seen CT studies claiming to be for Frodo Baggins, Meriadoc Brandybuck, and Daffy Duck. Those are not PHI and are not an issue under HIPAA, but I don't know whether or not Google would be smart enough to recognize these as not actual medical records.
Re: (Score:2)
In practice HIPAA is rarely used against "bad actors". In just about every single hospital encounter my family has been involved with, HIPAA was violated multiple times by doctors and nurses (multiple different patients, different doctors, different hospitals). Some of the breaches family members cared about, others were "harmless" but violations nonetheless.
When I referenced "bad actors", I meant that the health system is not absolved of responsibility if they get hacked - it is still a breach, and they are still liable. The bad actors who committed the breach would be liable under other laws like CFAA, but didn't have the duty to safeguard PHI in the first place.
Sorry to hear about your experiences with HIPAA violations. I work with the IT groups of hospital systems, and those people are terrified of HIPAA violations. There are pretty broad exceptions to H
Re: (Score:2)
But more likely, they would violate the reporters instead.
All of which gives me a great product idea. (Score:2)
A better public service... (Score:2)
Better idea: (Score:2)