from Hacker News

Ask HN: How bad is this survey's security?

by stevedt on 1/10/17, 7:44 PM with 1 comments

I am a participant in a longitudinal study.

Periodically I am asked to answer questions in an online survey that:

  - verifies my info (address, phone, email)
  - verifies my contacts (name, address, phone, email)
  - asks about recent doctor visits, prescriptions, hospitalizations, etc.

The login credentials are:

  - login=email
  - password=date of birth

But it gets worse: you can log in to a partially completed survey, and information previously entered has been saved.

I know this is terrible from a vanilla compsec standpoint; but isn't this information covered by HIPAA? What can I tell this organization to get them to understand the severity of this?
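To put a number on "terrible" and sketch what a sane design for resuming a partly completed survey looks like, here is an added example (not code from the original post or from the survey vendor). The age range, the one-week token lifetime and the in-memory store are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Approximate number of distinct dates of birth for participants aged
# min_age..max_age inclusive. When the password IS the date of birth, this is
# the entire password space, and it is public information for many people.
def dob_keyspace(min_age: int, max_age: int) -> int:
    years = max_age - min_age + 1
    return round(365.25 * years)

# Assumed hardened design: resuming a survey requires a random, expiring,
# single-purpose token delivered out of band (e.g. in the invitation e-mail).
# The server keeps only a hash of it, so a leaked store does not leak tokens.
TOKEN_TTL_SECONDS = 7 * 24 * 3600  # assumed one-week validity

def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()

def issue_resume_token(store: dict, participant_id: str,
                       now: Optional[float] = None) -> str:
    """Mint a fresh token; store[participant_id] holds only its hash and expiry."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not a DOB
    store[participant_id] = {"hash": _digest(token),
                             "expires": now + TOKEN_TTL_SECONDS}
    return token

def verify_resume_token(store: dict, participant_id: str, token: str,
                        now: Optional[float] = None) -> bool:
    """Accept only an unexpired token whose hash matches, compared in constant time."""
    now = time.time() if now is None else now
    rec = store.get(participant_id)
    if rec is None or now > rec["expires"]:
        return False
    return hmac.compare_digest(_digest(token), rec["hash"])

if __name__ == "__main__":
    print("DOB guesses needed to cover ages 18-100:", dob_keyspace(18, 100))
    print("Random token space: 2**256")
    store = {}
    tok = issue_resume_token(store, "participant-42")
    print("fresh token accepted:", verify_resume_token(store, "participant-42", tok))
```

The contrast is the point: a few tens of thousands of possible DOBs against 2^256 possible tokens, plus an expiry so a saved, half-finished survey is not reachable indefinitely.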

  • by PerfectElement on 1/11/17, 2:38 AM

    If they are a Covered Entity or a Business Associate then they should definitely comply with HIPAA[1].

    Even though I don't remember if the Security Rule specifically covers this stupid scenario, I think they would be found in violation if audited. They clearly have not performed a risk analysis, which by itself is a violation.

    [1] https://privacyruleandresearch.nih.gov/pr_06.asp