This Week in Data Breaches: Google's Secret Medical Data Harvesting Project
Welcome to our round-up of the latest data breaches, leaks, and privacy intrusions from around the world. This week: revelations of a secret data harvesting operation at Google, a data breach at Veritas, and an update on the Equifax breach settlement.
Google’s Secret Project Nightingale Harvesting Massive Amounts of Medical Data
Earlier this week, the Wall Street Journal reported that Google has been amassing a secret cache of personal medical data on up to 50 million Americans. The secret data harvesting operation, code-named Project Nightingale, has been gathering information from America’s second largest healthcare provider Ascension. “The Medical data of millions of Americans is at risk,” warned the anonymous whistleblower in a statement published in the Guardian on Thursday.
The data is “transferred with full personal details including name and medical history and can be accessed by Google staff” and “is to be by far the largest data transfer of its kind so far in the healthcare field,” reported the Guardian. In an interview with the whistleblower who published hundreds of confidential documents on Project Nightingale, they said that many employees within Google and Ascension expressed concern about the transfer of data, which eventually led the whistleblower to come forward.
Combined with other personal information collected by Google, including prescriptions, search history, and fitness data, the latter made possible by Google’s acquisition of FitBit earlier this month, the company holds a massive cache of data with deep insight into the medical history of its users, many of whom are unaware of its existence. Unlike most health information used for research, the data has not been anonymized and is tied directly to patients’ real identities. The Project Nightingale data includes names, addresses, dates of birth, medical conditions, lab records, and hospitalization history.
Google’s secret medical data harvesting raises serious concerns about how the company will use the data, such as the use of AI and machine learning to predict health outcomes, and what it means for patients’ privacy. The Atlantic points out that Project Nightingale is “totally creepy” yet “totally legal”. Google and Ascension both released statements maintaining that the project is in full compliance with HIPAA and other privacy regulations. The fact that so much sensitive data could be transferred without the knowledge or the consent of patients is deeply alarming and will only exacerbate fears that tech giants have amassed far too much data on users.
Genetic Testing Company Veritas Discloses Data Breach
If you’re concerned about the collection and sharing of your medical data, you can add security of that data to your list of concerns as well. Last week, Veritas Genetics, a consumer genome sequencing company, disclosed a data breach that resulted in unauthorized access to customer information. Although the company said that the breached portal did not contain test results and health records, it declined to provide details on exactly what information was exposed or how many customers were affected.
“The security and privacy of customer information is a top priority, and we have security processes and procedures in place as part of this commitment, including segregating and secure genomic data on separate systems,” Veritas said in a statement. Veritas competes with other consumer genetic testing companies such as 23andMe and Ancestry.com, billing itself as the only company that offers whole genome sequencing.
While the company declined to disclose how many customers were affected, in July it announced that it had sequenced 5,000 genomes and was on track to sequence 150,000 per year by 2021. Given just how sensitive genetic data is, and the philosophical questions that revolve around it, concerns about the privacy and security of DNA testing have grown in recent years. A breach at one of these companies, even if genetic data was not exposed, is sure to only heighten those worries.
Equifax Data Breach Settlement Update
Equifax, one of the big three US credit bureaus, settled with the Federal Trade Commission (FTC) in July for at $650 million over the company’s 2017 data breach in which the personal and financial information of 147 million people was stolen.
In July, we put together a guide on everything you need to know about the settlement and how to claim your benefits. Initially, consumers were told that they could choose between ten years of free identity monitoring or a $125 cash payment.
Since then, both Equifax and the FTC have done a bit of backsliding, tempering expectations about what compensation consumers can expect and attempting to steer affected individuals towards identity monitoring instead of the cash payment.
As the EFF noted at the time, “The $125 payments would come from a $31 million fund, meaning that if all 147 million victims chose the payment, each person’s payment would be reduced on a pro rata basis to as little as 21 cents each.” The FTC later echoed this sentiment.
To throw another wrench in the gears, the settlement administrator then sent out an email to claimants who opted for the cash payment requiring them to affirm that they already had identity monitoring or otherwise lose out on the payment if they failed to do so.
With that being said, we strongly recommend anyone who has filed a claim for cash payment to check for and respond to the Equifax settlement administrator’s email. While it is possible that you may not receive the full $125, less compensation is better than no compensation at all.
Companies that collect and store personal information should be fully held to account if they fail to protect it. It is unfortunate that Equifax and the FTC have thrown up additional barriers for victims of Equifax’s negligence to receive compensation. The Equifax breach settlement and its handling have been far from adequate in protecting consumers and properly compensating them for the harm that resulted from the Equifax breach.
The good news is that with so many settlement claimants, consumers have sent a clear message to policymakers and corporations that they expect their data to be protected and expect companies to pay up when they fail to do so. If you haven’t yet filed a claim, you still have until 22 January 2020 to do so. Click here to check if you're eligible and file a claim today.
Tip of the Week
We hear from readers all the time who want to know how they can protect themselves online amid all of these data breaches. Knowing where to start can be difficult, so each week we will be sharing a new tip to help you safeguard your data and protect your privacy online. Last week’s tip: sign up for free data breach monitoring with Bloom Radar.
This week, review and monitor your credit.
By monitoring your credit reports for suspicious changes or new accounts, you can quickly identify fraudulent activity when it occurs and take steps to mitigate the damage.
There are a variety of ways that you can monitor your credit for free, from obtaining free credit reports directly from the credit bureaus a few times throughout the year to using a free credit monitoring service.
Here are a few ways that you can easily monitor your credit for suspicious activity for free:
- Current Lenders: Many credit card companies provide free credit monitoring services to their cardmembers, often available from their mobile apps, so check with your credit card company to see what credit monitoring services they offer.
- Directly from the Bureaus: You can request one free credit report per bureau, per year from AnnualCreditReport.com. To make the most out of these free reports, try spreading out your requests to every four months so that you can check your credit throughout the year.
- Free Credit Monitoring Services: You can also use a free credit monitoring service that helps you track your credit over time and alerts you to any new changes on your credit reports. In general, you should avoid services that charge a monthly fee, which can add up over time. Also, make sure when choosing a service that the company is transparent about their privacy and security practices.
If you notice activity on your credit report that may be fraudulent, the faster you act the greater the chance you can minimize the damage. If you know or suspect you have been a victim of identity theft:
- File an identity theft report with the FTC at IdentityTheft.gov or call the FTC Identity Theft Hotline at 1-877-438-4338
- Request that a fraud alert be placed on your credit file with one of the three major credit bureaus
- Contact the fraud department at your bank, credit card company, and any other financial institution that you have an account with to report unauthorized charges or close fraudulent accounts
Bloom: Take Back Control of Your Data
At Bloom, we are giving you the tools to take back control of your data. No more centralized data storage. No more selling off your data to the highest bidder. No more risking identity theft. Bloom enables you to own, control, and protect your data using the latest advancements in blockchain technology.
It’s time to take back control of your data and unlock the power of a secure, reusable identity today. Download the Bloom mobile app to build a cryptographically secure identity and get free data breach alerts with Radar!