Cybersecurity and PII/PHI
They call it PII/PHI for a reason
by Charles Parker
When a company collects your data, there are a few ground rules to follow. The general
guidance is to collect only what you need: if there is no legitimate business need for the data,
don't collect it. The data collected should be used for a limited purpose and scope. When a
business steps out of line and uses the data for an inappropriate or unapproved purpose, there are
issues.
For instance, if you collect data for billing and therapy but use it for marketing instead,
there are probably going to be issues. Cerebral, a mental telehealth company, elected to use or
disclose personal data for its advertising. Because of this, the FTC ordered Cerebral to stop the
activity and fined the company $7M. In essence, Cerebral provided users' sensitive personal health
data and information to third parties for use in their advertising. The company also did not follow
its own easy-cancellation policies.
When Cerebral clients signed up for the services, they agreed to certain things, such as
their information being collected for therapeutic services, not for marketing. The company
claimed its services were safe, secure, and discreet, which enticed clients to provide their
personal data. The issue arose at this point: the FTC alleged the company did not inform
consumers that their data would be shared with third parties for advertising. It appears the company
claimed it would ask for consent before sharing users' data.
The oversight affected nearly 3.2M consumers, whose data was provided to LinkedIn,
SnapChat, and TikTok. The data provided included users' names, medical and prescription
histories, home addresses, email addresses, phone numbers, birthdates, demographic
information, IP addresses, pharmacy information, health insurance information, and other health
information. Altogether, this information provides a rather thorough file on each of the nearly 3.2M
consumers.
There were other issues, such as the company being accused of not enforcing adequate
security measures for the data (e.g., former employees were still allowed to access the records).
This is a genuine point to learn from: don't collect data you don't need; when you are
entrusted with data, don't allow third parties access without clear consent; and actually
safeguard the data rather than just checking the box.
About the author
Charles Parker II has been working in the info sec field for over a decade, in the banking,
medical, automotive, and staffing industries. Charles has matriculated and attained the MBA,
MSA, JD, LLM, and is in the final stage of the PhD in Information Assurance and Security
(ABD) from Capella University. Mr. Parker’s areas of interest include cryptography, AV, and
SCADA.