Terms of Service (TOS) Under Scrutiny - Part VII - Pharmacies in the Age of "Online" and "App" and "Gimme Dat!"
In the last part (Terms of Service (TOS) Under Scrutiny - Part VI - TVs That Transmit Personal Data Everywhere, Sometimes by 'Accident') we dealt with "modern" TVs that come with "apps" (for remote controls on so-called 'smart' 'phones'), transmit loads of data to surveillance companies, don't last very long (designed not to last), and generally suck in almost every imaginable way. When I was a kid we still had TV sets from the 60s. Now? We have so-called 'smart' TVs that won't even work some years down the line, even if not due to any mechanical fault but the crooked Linux Foundation deciding to revoke an "old" root certificate. Welcome to a universe of wasteful, greed-driven planned obsolescence (stop being poor). Did you agree to that? Yes, you probably consented to some TOS after you unpacked the darn thing and powered up the appliance the first time around. You read all that text, right? No, you didn't! You rushed through to using what you had already paid for (before bothering to read that TOS).
Today we talk about pharmacies. Or rather, we defer to one who recently did. She explained what pharmacies in the "modern" era are like and how they deal with personal (very sensitive) data. I went to a pharmacy just about 15 hours ago (physically) and they seem adamant about managing data (e.g. requests) over unencrypted E-mail. Worse yet, some pharmacies would not accept or trust anything that isn't Microsoft (Hotmail), Google (Gmail) or Apple. Crazy, isn't it? This is in the UK! Those companies are not even British! A travesty.
Anyway, regarding pharmacies, this is what the presentation covered:
CVS, Kroger and Rite Aid Hand over Health info to local law enforcement - no due process
Rite Aid, CVS and Kroger pharmacies turned over patient data without a warrant.
According to the article, a Congressional investigation uncovered pharmacy staff sharing medical data with law enforcement to the tune of 60,000 combined stores.
A letter showing findings and requesting strengthening the HIPAA regulations. According to the letter, pharmacies reported receiving tens of thousands of demands annually for pharmacy records. All pharmacies surveyed, which included Amazon, Cigna, Optum Rx, Walmart and Walgreens, stated they do not require a warrant to share records unless the law requires.
"Those pharmacies will turn medical records over in response to a mere subpoena, which often do not have to be reviewed or signed by a judge prior to being issued. To justify this low standard of protection, several pharmacies cited language in HHS regulations that allow healthcare providers to disclose such records if it is required by law, pursuant to legal process, or pursuant to an administrative request. HIPAA gives discretion to HHS via regulation to determine the standard of legal process that will govern disclosure of medical records, which means HHS can revisit and strengthen the minimum bar set in the current regulations to require a warrant."
"We urge HHS to consider further strengthening its HIPAA regulations to more closely align them with Americans’ reasonable expectations of privacy and Constitutional principles."
- Senate HHS pharmacy surveillance letter
So, perhaps inadvertently, what we have here is pharmacies as informants. How did we get here?
We'll cover more in the next part, and later on in the series we'll give some examples. █
