Privacy Severely Exposed by Clueless Physician

Instead of my habitual ego-surfing session, I was Googling the name of someone I haven’t seen in probably twenty years. One of the few sites I got in return was a link to a binary, untyped file on a typical users.provider/nickname folder. As I didn’t immediately found info on the person (no html pages) I checked another file. One of them has a lzh extension and was quickly opened with an archive manager. As it contained a bunch of bmp pictures, I hoped to find some recent pictures of the person.

I was shocked to find those to be scanned letters between physicians about their patients.

Other files were stuff like

  • PatientFiles.dbf
  • A bunch of files ‘YYMMDD‘: a pipe-delimited file containing the agenda. 060201 till 060430. It contains hour, name of patient, address and phone number. I could phone the patients and cancel all visits for tomorrow and coming months. Or tell them their files are online.
  • A big 26MB binary file labos, probably containing laboratory results.
  • Some DOS utilities, a batch file used to sync data, log files and another bunch of diverse binary files.
  • It’s obvious this physician uses his web space at his ISP to synchronize his patient files, probably between various offices. Or would it be just a backup? I wouldn’t be suprised if this physician does not even know what happens here. He probably just clicks some batch file now and then to synchronize and is clueless about how it works.

    I obviously obfuscated all info here. The person I knew has probably nothing to do with that physician, who lives on the other side of the country. He’s just in bad luck to have a common name and surname. The file names are not the real ones, and of course don’t even think about asking me the url.

    Feel free to link to this story and spread it. I think people ought to know these things happen. Which is not to say I think this should be left as is. What would you do in this case? What would be the proper way to handle such a severe disclosure of private information? I guess warning the physician about it so he can fix this would be the first step, but I don’t really expect this would help really.