A few years ago I was involved in developing an image database for the medical industry. It was mostly used by skin doctors. I remember having to test and analyze errors in the software by debugging and clicking through real databases sent in by our customers. I was exposed to both images, and highly sensitive medical information as well as identifying information such as names and addresses of patients. Some of these images included naked full body images (used for tracking new moles over time) of both adults and children as well as close-ups including genitalia, usually with medical ailments such as sexually transmitted diseases. Once again, not just of adults. I remember discussing whether there was some way to improve the software so that we could protect people’s privacy (I did not know much about the privacy laws at the time, but was certain that doctors should have insisted on NOT sending us such databases) but this was not prioritized at the time. Some of these databases came from the town I lived in, and the summary list contained surnames I recognized so I decided not to analyze this database. The experience made me concerned about my own privacy in connection with the medical industry. Thankfully I don’t have any interesting items in my medical history, but it is disturbing to know that if I did, the industry would not take my rights or the law as seriously as they should. This was one of, but not the major, reason why I decided to leave this company.
The last time I went to my current doctor for a regular checkup I sat in and waited for him.The screen on his desktop was only slightly angled towards his side, so I was once again confronted with sensitive information that I knew was legally protected.
Today I came back from getting a vaccination. I was asked to sit in the lab for about 5 minutes and wait. Once again was the same screen I saw at my previous visit. The top panel contained the name, address and medical insurance information of a patient, and the bottom panel contained the current relevant medical details about the patient including existing conditions, medications, reasons for visits, and personal observations. Once again, I felt bad for the patient, but also bad that someone else might get to see my (fortunately boring) medical history.
The EUs Data Protection Directive allows businesses to collect this information, but obliges them to prevent such data from being exposed to unauthorized third parties without consent.
I mentioned this to both employees, and got disturbingly dismissive answers such as “yeah unfortunately we just do not have the room”, to my comment “you know this is illegal right”. I mentioned to the other employee that it would probably be ok to lock the screen or switch it off every time you leave the room, but she didn’t know if that was possible and blamed it on patients that make an appointment but never turn up.
I am not a lawyer but as far as I know medical data is especially protected. I don’t know if this means jail time for the doctors, nurses and receptionists involved, or just a financial slap on the hand, but I would be interested in knowing.
This is not a name and shame post, as the problem is certainly widespread, but I think the medical industry should definitely consider this a shame post. From what I know in the financial services industry, they take such matters much more seriously. This is probably because banks etc have a very long relationship with the IT industry, who seem to be taking the lead in helping customers implement privacy control, but the medical industry seems to have always felt less comfortable with IT in general and possibly hasn’t been exposed to such ideas as much.
Part of me however thinks I probably should report this. I don’t know. If this is a jailable offence it is probably just as bad to ignore it as any murder or rape. If it is merely a fineable offence, then I would rather stay out of any direct involvement.
The lesson for me is probably just be very careful about how willing I should be to let my doctor be involved any sensitive medical issues, without specific provable assurances that my privacy will be protected. If that makes it sound like I don’t trust them, then that is because I unfortunately cannot. I don’t think you should either, not at the moment at least.