'Uber for nurses' exposes 86K+ medical records, PII via open S3 bucket

Isn't this exactly what you'd expect from an Uber for (somethign)?

Garbage company, garbage culture, garbage business model.

Several of my family members were or have been nurses for decades and your wife’s experience mirrors the experiences I’ve seen from that distance.

And I’ve heard “it used to be so much worse”.

The American healthcare system is fairly well broken from virtually every angle.

I think I heard the same Podcast - not only do the Apps try and discover the minimum rate a Nurse might take, they’ll actively attempt to manipulate the circumstances of Nurses who were in a strong position so they too end up more dependent and exploitable.

Thanks. This is definitely the source I was referring to.

However, as it applies to my parent comment, the companies mentioned were: Shiftkey, Shiftmed and Carerev. I do not see ENSHYFT mentioned, so I stand corrected.

This was my thought exactly. There is a giant nursing shortage. I know some nurses who are traveling nurses and they may bank, and they don't need any BS app. (Just want to emphasize, nursing is an incredibly difficult job at the moment, but there are also currently weird dynamics where traveling nurses can actually make a lot more than "stationary" nurses).

Thus, I'm led to believe that nurses using this app have to have some sort of difficulty finding jobs for other reasons, or they're just not informed about their options.

You can get paid more as a contractor than an employee.

Some may just want to pick up casual shifts without any obligation on top of their full-time work. This is kinda double dipping because your full time work is paying your benefits, so why work overtime at time and a half for them when you can get 2x+ somewhere else with + pay in lieu of benefits?

Big orgs don’t want to deal with 1000 different individual contractors (especially if it means taking potential misclassification of employee as a contractor) risk.

I think the bigger issue is the myth of nurse fungibility. A rando nurse unfamiliar with your setup/org is unlikely to be very productive.

What's interesting is that broadly speaking, people acknowledge that negotiating with asymmetric information is immortal or wrong. Take the stock market for example, insider trading is illegal and you don't often hear calls to reverse these laws.

But when it comes to private markets and semi-private negotiations that same sentiment doesn't easily transfer. Does society benefit in some unique way for allowing asymmetries in labor negotiations, private markets like Uber, or B2C relations like Robinhood (1,2)?

1. https://www.sec.gov/newsroom/press-releases/2020-321 2. Note, Robinhood was fined not for front-runniny customers, just for falsely claiming customers received quality orders. I suspect theyve only stopped the latter behavior.

It's definitely shady, but it's par for the course. Uber charges you more if you have more gift cards loaded, or just spend more on average in general. You charge what the market will bear.

It's amazing that, on a cursory look, only 11 states make this practice illegal. The "AI scriptown" is growing.

Game theory transcends basic humanity.

You might be surprised to learn that they're not the only company to do so.

At scale, the corner cases don't really matter. In aggregate, if it's decently well correlated and readily available, it's probably going to be used.

I can't find it now, but I believe LexisNexis or another large similar reporting/data agency had a product catalog of dozens of products that spit out values for ability to pay, disposable income monthly, annual income, etc.

It makes you feel awful thinking about the direction things are headed. Corporations approaching omniscient regarding all facts of our lives that are reasonably of value to them.

Agreed. And it's not just those -- if you need to pay off debt, you're extra-incentivized to take the highest-paying job, as opposed to one that pays less but is e.g. closer to home, or has a more predictable schedule, or whatever.

The idea that you'd offer less seems... counterproductive to say the least.

> Also just as a side note, HIPAA is not a ideal standard to begin with for security. Many large companies exchange bulk PHI via gmail since it is HIPAA compliant.

You seem to imply using GMail is a bad thing? I think GMail, when appropriately configured to handle PHI, is probably a million times more secure than some crappy bespoke "enterprise" app.

> At a high level, "covered entities" are health care providers that accept insurance or insurers. That's right, there's a massive caveat on "accepts insurance". You can be a healthcare provider and do not have to comply with HIPAA if you don't accept insurance.

Again, HIPAA continues to be the most colloquially misunderstood law out there.

The rule that makes providers "covered entities" isn't really about insurance, it's about whether they transmit specific HIPAA "transactions" electronically. Now, yes, most of these transactions having to do with providers are thing like claim submissions or pre-authorizations to insurance. But there are other reasons a provider may need/want to send a HIPAA transaction electronically.

My point is that there isn't some sort of "loophole" where providers that don't accept insurance are somehow being sneaky. The whole point of the HIPAA security rule is to protect PHI when it is transferred around to different entities in the healthcare system. If the information is going just between you and your doctor, HIPAA isn't relevant, and that is by design.

If you partner with a healthcare provider to provide any sort of technical services, you will be required to sign a BAA (Business Associates Agreement), which makes you similarly liable to the HIPAA & HITECH acts.

The PII of the nurses being accidentally shared by a staffing agency isn't a HIPAA violation. Yes the nurses are providers but their relationship with the Uber for nurses service isn't a medical provider relationship. It's definitely a legal and ethical failing but I don't think it's a HIPAA one.

I'm confused because the article lays it out by the 4th paragraph, and you have the right understanding, up until "we're a startup"

Maybe you think the startup maintains patient records?

The article lays out the nurses uploaded them, the provider. This is a temp booking system. The health records were uploaded by the nurses to communicate reasons for absences to their employee and weren't required or requested

They have as much responsibility as Dropbox does. Nurses shouldn't have uploaded them.

HIPAA has strict rules with severe penalties, but enforcement is at best spotty. So honest hospitals and doctors offices bend over backwards to comply with the rules at great expense, but bad actors are rarely punished. It's the worst of both worlds. I'm pretty sure that is why the punishments are so harsh, because they need to put the fear of god into practitioners to make them take it seriously since there are so few inspectors.

Perhaps true, but the strongest privacy protections in the US are still pretty weak. The biggest penalty I know of is Anthem 2018, where they leaked HIPAA-qualifying records on 80 million customers. Their financial penalty was a whopping... $16 million. Two dimes per affected customer!

HIPAA was designed for portability -- the 'p' standards for portability not privacy -- of health info, so there are immense carve outs in service of that objective. Fines for violating HIPAA are almost non-existent.

HIPAA is wildly misunderstood by the public as a strong safeguard, meanwhile medical offices just get any patient (a captive audience) to sign a release waiver as part of patient intake ...

How many healthcare providers do you know personally who have faced severe penalties for leaking information?

The reality is that for a small doctor/dental/whatever office, there is essentially 0 risk. HIPAA violations that carry significant penalties go to huge hospitals and healthcare companies.

Your neighborhood doctor has to screw up in a major way for an extended period of time to have a minute risk of any consequence.

Eh.

Last year the total HIPAA violations fines were less than $9.2 million.

A figure I could find for hospital revenue in the same year which is a good enough proxy for fines vs revenue is about $1.2 trillion.

Which rounding because who cares comes to 0.001% of medical revenue ends up being paid for HIPAA violation fines.

Or the equivalent ratio of about a cup of coffee for a typical enough person per year.

HIPAA needs teeth, what it says you're supposed to do is quite strong, the enforcement of it is pathetic.

PCI-DSS is the strongest, HIPAA is just a rubber stamp

Only the young and inexperienced believe the law is enforced when it matters.

And yet the data still seems to leak pretty frequently...

I've never had that happen (sample size ~5). They accept non-citizen patients, so they probably don't make SSN a required field.

(for SSN, never tried to prevent scanning of my ID)

Find a new provider. I have gone 2 decades without providing my SSN to doctors.

In my experience, no one has ever asked it when booking, just when you fill out forms on your first visit. I always leave it blank (and most other things that don't pertain to my healthcare issue) blank and have never been hassled.

I also always ask for a paper copy of the disclosures to sign, saying that "I don't sign blank checks" when asked to sign the electric pad. I've never had an issue with them printing it out, letting me sign, and them scanning it in.

Healthcare "security"/"authentication" is just "protected" by your name and date of birth which is easily discovered for anyone online.

You can just use my SSN: 123-45-6789.

[dead]

Please invest in my startup, ENSHITIFY

> S3 buckets should be private and encrypted by default and devs should need to actively choose to switch those things off

Yeah, that's the case right now. There's multiple screens you have to go to, that almost scream at you that you're making EVERYTHING PUBLIC. Also, in the overview, it distinctly says "!! PUBLIC".

This is like having a small store and instead of locking up at the end of the day, blaming the door for not automatically locking. Yes new automatic locks exist now, but you still need to check.

Cloud technology allows us to build fantastic software very fast. But if you’re too lazy to implement a basic api to get S3 data on a needs to know basis, that’s on you.

AWS makes this very easy. You can’t blame anyone else.

Do not disagree here. As long as it is on the CEO and head on eng. No some poor intern.

HR likely deals with health info related to disability or fmla claims, or work-related injuries that is shared with health care providers and/or insurance companies; this makes them a covered entity subject to the requirements under hipaa.

Protected health information (PHI) under U.S. law is any information about health status, provision of health care, or payment for health care that is created or collected by a Covered Entity (or a Business Associate of a Covered Entity), and can be linked to a specific individual. This is interpreted rather broadly and includes any part of a patient's medical record or payment history.

source: i run Wyndly (YC W21 https://www.wyndly.com), which is most easily understood as a telehealth allergist online.

It considers non-health-specific identifying info about patients that might be stored with the health-specific info to also be PHI.