Privacy / Security
January 12, 2010
Information Technology meets Medical: Why We Should All Be a Little Worried
Today I had what I would say was an anecdotal experience regarding data privacy.. calling my OBGYN to make my annual appointment. I ended up using their new website and giving various personal data, only to figure out that they have no privacy policy for data, that the data was going to a third party, and that in trying to make an online appointment, all I really got after sharing data was an email form to request an appointment.
So, here's the scoop.
In calling into the doctor's office, I got their voice system which has always required lots of number punching to finally get through to someone to make an appointment. It's better than 10 years ago where you could literally never talk to anyone in their offices and would just punch numbers endlessly until leaving them a message. That would be followed by a return call that you would invariably miss, having to start the process over, to get another call back.. all to just make an appointment.
Anyway, calling in today only requires two selections, before being told my call was in line to be picked up after approximately 6 minutes of estimated wait, OR I could use their online system. Whoopee! I could make an appointment using what I imagined was a calendar with available timeslots to book appointments? So here is Golden Gate Obstetrics' (GGObgyn) big chance to show how they are using information technology to help people organize this process of getting an appointment better and faster!
Super cool!
Er... NOT. So. Fast.
Following the voice system at GGObgyn, I go to http://goldengateobgyn.medem.com/ which redirects me to http://www.ggobgyn.mymedfusion.com/:
The branding all over the site is "Golden Gate Obstetrics" so I'm thinking: okay, this is their site, even though it's got some other root domain name (mymedfusion.com).. in other words, Golden Gate Obstetrics is responsible for my health info, and I just need to get in to see their calendar and choose a time or something. So I go to "create an account" (Note below I've made screen shots of the *second* account I made, called 'testacct' to see what was going on a second time.. since the first time when I made an account for myself, it went by quickly and I wasn't suspicious until the very end of the process):
I put in my name, SS # and DOB and email. After submitting, I was brought to this form (screenshots are in two parts as it was a longer page):
As you can see, there's enough data requested there for someone to do some damage if they wanted to. At this point I was getting a little concerned about where this data was going, but keeping in mind GGObgyn's history where getting staff on the phone to make appointments is so difficult, I went ahead and submitted my data.
The screen instantly took me to a logged in state, saying "we are now your Health Record provider" which I found totally freaky. I don't want them to be my Health Record provider. I just want to schedule an appointment. All this, without requesting any sort of email verification or other checking... just gave me an account. At that point, I could go make an appointment:
To say the least, I was shocked. So I just put in all this personal information, dinked around with forms etc, to be given a glorified email form to request an appointment? With structured data about which day of the week I want the appointment? How about a calendar with available time slots? So I could just pick based upon my availability? No... it appears they are going to email me back or call me with times so we could go back and forth over schedules again, in email? Really? This is the promise of information technology for scheduling? I mean aside from the privacy issues, I really felt like I'd been had in terms of my time sink for their silly email form.
I notice there is no help or privacy statement on any of the pages in their system (and I clicked on all of them), and the "ask a question" page is all about medical stuff, not using the website. But I figure GGObgyn is responsible for this site. So I call them, and after a lengthy wait, get the appointment receptionist. And I ask, where did my data go? And she says she doesn't know, but they own the site, so therefore my data is safe.
This seemed reasonable given the interface on the GGObgyn website was so incomplete with so many important things missing (like a privacy statement as I entered in my SS # and DOB and address, etc. or even a privacy policy in the footer somewhere, or a help page, or real contact info), it had to have been done by people who don't normally develop websites.
I asked if the receptionist could give me the privacy policy, or tell me where my data had gone, and she said she would pass me to the "online manager" named Olivia. Olivia started off by telling me she sits on the system "all day long... as account requests from users to join their online system appear on my screen.. I look the patient up and put through the approval if the new user is in fact a patient."
ME: "Really? because my account approval seemed instantaneously to happen on my screen."
Olivia: "Oh yes.. I did that."
ME: "Wow.. you're fast."
Then Olivia reiterated to me that she's there literally every minute at work approving patient account requests.. because she manually approves all new accounts and also is there to pass along requests of appointments.. etc. And she was sure there was a privacy policy somewhere on the system. Her description of the account approval process sort of contradicts the fact that I could make an account called "testacct" and get right into their system without any approval but I didn't bother mentioning that. I just wanted to know where my data had gone from my first real account made with them.
After that, she could only talk about how to use the system from her perspective, not mine. In other words, Olivia had no idea what regular users face (i.e., there is no privacy information as I typed in my personal data, and no real indication, other than from reading the URL in the address bar, that maybe a third party was collecting my data, etc. Reading address bar URLs is something most users don't do.)
I told Olivia she literally wasn't getting the problem, because she just kept repeating to me how she uses the system (as an administrator over user accounts and for appointments where, I'm guessing, she has to be seeing an administrator version of the Medfusion system or some kind of much more powerful interface than the one regular users see when they log into the system). So she said she wanted to pass me to their office manager, Laura, who said, as she picked up the call:
"Mary, I've been listening to your call with Olivia" ... er.. okay.. no one disclosed to me that my call with Olivia was going to be monitored by others listening in. Unsettling. And possibly illegal. But whatever, that's really the least of my concerns here.
I told Laura there was no disclosure to me in advance of having a third party get my personal data.. and after Medfusion had it, I had no way of finding out what they are going to do with it.
I asked Laura about GGObgyn's ownership of Medfusion, but she replied that Golden Gate Obstetrics *did not* own Medfusion as the receptionist had told me. Instead, GGObgyn used them because they could not email "using Gmail or AOL" about appointments because that "wasn't safe." I was thinking, really? Because having a website where my data just goes to third parties with no written privacy policy seems pretty unsafe.
So she explained that every page on their site (see all the screenshots and look hard for it!) has some sort of key symbol in yellow (it's not on any of the screen shots I took of the site, and I took shots of every page on their site), which if I click on the key, "will take me to their privacy policy." Okay.. so ignoring the obvious question of why they have a yellow key to signal a privacy policy (totally not intuitive from a user perspective), I look all over all the webpages that I can get to from the left side navigation, read them to Laura, and confirm that I cannot find the key.
Laura replied, "Well I can't help you anymore, because this is a waste of our time.. if you didn't want to put your information into MedFusion then you shouldn't have."
ME: "But your voice system told me to. And your name is on the website, and you aren't really disclosing that you are giving my data to a third party, MedFusion or telling me what they or you are going to do with it."
Laura: "Well, I can print the privacy policy and fax it to you."
ME: "But I don't have a fax machine. Can't you email it?"
Laura: "No.. maybe I could scan it and send it in email, but I'm not sure... and there isn't anything else I can do anyway." (It was clear she was trying to end the call.)
ME: "Er... Okay." (And then I hung up.)
A few hours later while writing this post, looking at the GGObgyn site, I noted that they added a privacy policy to the left side navigation, though that policy doesn't govern anything about what I entered into the GGObgyn site because it wasn't there when I gave my data. Medfusion and GGObgyn are under no obligation to keep my data safe or private, based on that policy.
No help or contact pages appeared afterward.
The privacy policy, which I read through, has a few issues. First, it starts off just saying "we" .. and my question is, We Who? I mean.. is it Medfusion? or GGObgyn? Me and GGObgyn together? Or someone else?
At the end of the privacy policy, it says under a section called OUR NOTICE OF PRIVACY PRACTICES:
By law, we must abide by the terms of this Notice of Privacy Practices. We reserve the right to change this notice at any time as allowed by law. If we change this Notice, the new privacy practices will apply to your health information that we already have as well as to such information that we may generate in the future. If we change our Notice of Privacy Practices, we will post the new notice in our Center, have copies available in our office and post it on our website.
So basically, they have to follow the policy, but can change their privacy policy at any time and it's retroactively applied to my old data and old terms? Well, I can see why GGObgyn wouldn't even bother having a privacy policy before because essentially, I have no rights over my data anyway.. because they can just change my rights whenever they want to suit themselves? I feel really good about my personal and medical information held by Golden Gate Obstetrics now.
And then, under COMPLAINTS:
If you think that we have not properly respected the privacy of your health information, you are free to complain to us or to the U.S. Department of Health and Human Services, Office for Civil Rights. We will not retaliate against you if you make a complaint. If you want to complain to us, send a written complaint to the contact person at the address shown at the beginning of this Notice. If you prefer, you can discuss your complaint in person or by phone.
So.. GGObgyn seriously expects me to complain to the USDoHHS? Why do we have to escalate this to a federal agency? Why can't they discuss it directly with their patients? I would rather just start by telling GGObgyn (which as you can see from the above dialog was incredibly successful, but they really ought to be open to hearing from their users about issues). In looking at the complaints section of the GGObgyn privacy policy, I note that I can contact the person listed "at the top of the privacy policy." Except, surprise! There is no one listed at the top of it. In fact, I don't even really know who "we" is in the policy language. So.. I guess I won't be contacting the "we" in this policy.
If I did want to complain about a privacy policy and questionable data usage problem, frankly I would use the Federal Trade Commission form because the FTC governs these things (see their most recent list of cases here where they go after companies that fail to protect user data and medical information, including the recent CVS case where they violated financial and medical data privacy rules). I have zero confidence that the Office of Civil Rights at the USDoHHS would even have a clue about privacy and my data on a website.
One thing.. after the GGObgyn privacy policy appeared, no one from GGObgyn emailed me, or called me, to say that it was now up on their website. Of course, they have all this contact info and my name in their patient files and in their online system that Olivia, who runs their website, presumably could pull up very quickly to easily send me an email telling me to look at the policy.
I would also recommend that businesses like Golden Gate Obstetrics use the FTC page on protecting their users' data and privacy, which is very helpful when trying to figure out how to present privacy info on a website.
Frankly, I have no way to alert anyone at GGObgyn to this blog post, or to my thoughts on the subject, other than to call back, sit on hold, and talk with the three people I already discussed this with, who ranged from unhelpful to hostile. Since GGObgyn doesn't seem open to discussing their website's problems, and the cat is kind of out of the bag now with my data going God knows where into various companies' hands, I'm posting this example of how companies, particularly *medical* entities, with no experience or understanding of information technology systems and websites need to use extreme care, and not assume that office staff trained to run a medical office have any idea what users need or will face with a website collecting personal or medical data.
I hope people at medical or other data collection companies will realize the importance of protecting user data and being straight with us about what's happening to personal and medical information. My experience is just one, but if this becomes representative of people's experience with their medical providers, we ought to be very worried.
Note: I took a look, when writing this post, at ratings for Dr. Wiggins, whom I really like and have enjoyed having as my doctor. You can see from the ratings at Health Grades that Dr. Wiggins is well liked by patients but the appointment system and her office staff.. not so much. I hope GGObgyn does an overhaul on all their office administration and website that interacts with patients before they venture further with information technology as a tool for communications.
March 19, 2009
The Life of a Tweet
Twitter (and the iSchool -- or one of my poor brethren -- I have a masters from UC Berkeley's iSchool) seem to be in the tweetsphere over one ill-found tweet tossed off by a student and found by her summer internship employer likely via search.twitter.com. For background, you can see this: FattyCisco.com. The poor girl is likely humiliated and horrified over what she thought was an innocent and also, likely, a fleeting thought that didn't really reflect how she felt overall.
We've all had those momentary thoughts where, when we are ambivalent, we toss something out of our mouths and once it's out there, we think, wow, that doesn't even ring true or, it did for a nanosecond, and now it's changed, or gee, that's about 5% of the way I actually feel about this. But something said out loud, truly ephemeral (unless recorded in some form), is different from something written down and searchable in the grand database of the Googlezon and search at twitter. Or maybe it's just a joke.
This is one of the problems with online communities and specifically twitter:
You don't know who's listening, and because of search tools, you are findable beyond your follower list or your "community" of known tweeters (ppl you @ with or read) unless your account is private.
I don't think we have at all sussed out what it means to tweet in the long term, or what the power of the tweet is, or where the tweet goes and what sort of life it has beyond the first few minutes or hours of its life in the Twitter / client context.
This is another example of something that happened recently:
A PR exec going to Memphis to meet with a client, Fed Ex, insulted the client on the way to the meeting. The clients wrote a letter to the PR company and him, his bosses, and cc'd everyone at Fed Ex as well. Oops.
The problem is, tweets go to those paying attention at the moment, those who may save tweets in clients (I leave my twitter client open and check it now and then as I have time -- right now I have 15k tweets from the past couple of days), those pivoting on a single user, those searching for key words, those looking at related conversations.
But when you tweet, in your head, you're often just thinking about those you expect to read it, like only the few of your followers paying attention at the time. What happens with some tweets (some reading by some followers) is not what can happen with all tweets.
The interface and interaction at Twitter's website doesn't lead you to believe that what happens most often there will happen in incendiary examples. And different twitter clients (an Android or iPhone app, for example) don't lead you to understand the permanent nature of tweets, through use, the way that, say, search.twitter.com might, as you see something you deleted appear there anyway.
It takes experience with all these different modalities to inform you because there is no advance disclosure or warning of the elasticity of a single tweet.
What is most interesting is this pushes me to think harder about what the interface of "aged information" online looks like (and I don't mean google search results that move from page 1 to page 3 over time).
And I have to ask myself what it would mean to have what Judith Donath discussed on the panel, Is Privacy Dead or Just Very Confused, moderated Saturday at SXSW by danah boyd. Judith discussed having some kind of a "mirror" for you of your digital self that would reflect all your online presentation and communications and expression... just so you might get a sense of what you show people and what you project at a moment in time. Right now it's really hard to gather that sense of yourself. Right now, you don't really see it in any sort of complete way. But others see pieces of you digitally represented at different times. It would be like re-disclosing for yourself what you've done, discovering how others view you, in slices or on the whole, in order to see the effect you have. It would probably be helpful to know what had reach and where, and what was for now at least, forgotten.
But frankly, the privacy implications of that are huge as well. So, I'm thinking. No answers on that one yet.
January 28, 2009
Happy Data Privacy Day!
Apparently, last night the US House of Representatives passed HR 31 declaring January 28, 2009 National Data Privacy Day. 402 votes in favor, none opposed. Jolynn Dellinger of Intel Corporation, working with Congressman David Price and Congressman Stearns, spearheaded the effort.
More info for today's events at The Privacy Association.
