Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
replygirl a day ago

it's not about the individual record, it's about correlating records. if you can sequence everything in time it gets a lot easier to deanonymize data

Macha a day ago | parent | next [-]

However, if your API has a (very common) createdAt field on these objects, the ability to get the creation time from the identifier is rather academic.

inopinatus a day ago | parent | next [-]

The concern is not limited to access of the full records. The concern extends to any incidental expression of identifiers, especially those sent via insecure side channels such as SMS or email.

In most cases this forms a compliance matter rather than an open attack vector, but it nevertheless remains that one has to answer any question along the lines "did you minimise the privacy surface?" in the negative, or at least, with a caveat.

hinkley a day ago | parent | prev [-]

And that’s why some people are rabid about “no SELECT *”.

tracker1 a day ago | parent | prev [-]

Can you provide an example of where you would legitimately have the ID for a medical record interaction, but not a date/time associated?

tyre a day ago | parent [-]

Email is not secure but sending an email with a link to "Information about your appointment" is fine. If that link goes to `/appointments/sjdhfaskfhjaksdjf`, there is no leaked data. If it goes to `/appointments/20251017lkafjdslfjalsdkjfa`, then the link itself contains PHI.

Whether creation date is PHI…I could see the argument being yes, since it correlates to medical information (when someone sought treatment, which could be when symptoms present.)

ensignavenger a day ago | parent | next [-]

Email may not be secure, but neither are faces and phones, and yet medical professionals use those all the time.

ensignavenger 16 hours ago | parent [-]

Fat fingered fax... faxes, not faces!

lazide 17 hours ago | parent | prev [-]

Notably, this is an absurd argument. Every system I’ve dealt with right now sends the date/time/location/practitioner clear text in the email (or some variant thereof).

The only thing that seems to be protected is ‘reason for appointment’, and not all systems do that.

Everyone signs paperwork to authorize this when they first engage with the medical providers!