

Unencrypted data violation
March 30, 2011 9:51 AM

Insurance data is unencrypted. Should this be reported? How?

The insurance management company that handles our plans has a website for administration. This website is where the reports are located along with plan information. There is a section to upload files for forms or other information necessary in managing insurance/FSA/HSA plans. This information would include social security numbers, names, birth dates, addresses, etc.

This website is not encrypted as far as I can tell (HTTP:// address, no padlock to click on for an SSL certificate) - not even for the uploading of files.

Do I report them for this? How and to whom? Thanks in advance.

Let's say the states affected are Minnesota, Iowa, and Missouri. Let's also say that customer service doesn't seem to see the problem.
posted by anonymous to Law & Government (10 answers total)
 
They may well be in violation of HIPAA. Call your state's insurance commissioner's office.
posted by rtha at 10:00 AM on March 30, 2011


Hell yeah, call the state insurance commissioner's office!
posted by small_ruminant at 10:06 AM on March 30, 2011


Here's a form you can use to complain about HIPAA violations.
posted by deadmessenger at 10:31 AM on March 30, 2011 [1 favorite]


Are you sure it's actually a risk? Can you download files?
posted by anti social order at 10:36 AM on March 30, 2011


Based on what you said, it's not 100 percent certain that the uploaded data isn't being encrypted.

You might check the URL that the form POSTs to. The file may actually upload over SSL even though the initial form is served over plain http. A quick examination of the html source should tell you that. If the forms are posting to an unencrypted URL, your data is getting exposed.

If you can actually download the data (as anti social order is asking) from an unencrypted link, then your data is being exposed.

If either of the two above cases are true, you really should report this (as directed above). These cases are particularly dangerous if anyone from your company accesses these links over unencrypted wifi connections.

Even if neither of the above cases match, it sounds like there still could be a risk of your session getting hijacked. In this case the amount of damage that could be done is hard to assess. I would escalate with the insurance company itself first, if this is the only issue.
posted by NormieP at 10:57 AM on March 30, 2011


Before you report them for a HIPAA violation, wouldn't it be better to bring their attention to the problem (and I don't mean just customer service)? Especially since, as NormieP indicates, you might be wrong? It seems like people often just want to get someone in trouble, when the primary concern should be the result -- i.e., encrypted information -- which might happen more quickly if you make someone aware of the problem. If you raise this to a high level and still get blown off, then you could always "alert the authorities."
posted by pardonyou? at 12:06 PM on March 30, 2011 [1 favorite]


You might check the URL that the form POSTs to. The file may actually upload over SSL even though the initial form is served over plain http. A quick examination of the html source should tell you that. If the forms are posting to an unencrypted URL, your data is getting exposed.

Please note that this is still a bad practice and a security risk because the form action is being delivered over HTTP, and therefore subject to alteration in transit, i.e., by rewriting the form action to post to a different URL to capture the data. There's no excuse for this.

You should report it and discontinue using the site until it's fixed.
posted by odinsdream at 1:11 PM on March 30, 2011
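To run the check NormieP and odinsdream describe (which URL each form actually POSTs to, and whether a page served over plain HTTP makes even an HTTPS action untrustworthy) against a saved copy of the page, here is an added example that is not part of the thread; it uses only Python's standard library, and the sample page URL and HTML are constructed.

```python
# Audit the forms on an HTML page: where does each one POST, and is that HTTPS?
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _FormCollector(HTMLParser):
    """Record the action, method and file-input presence of every <form>."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "", "file_input": False,
                         "method": (a.get("method") or "get").lower()}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            if (a.get("type") or "").lower() == "file":
                self._cur["file_input"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def audit_forms(html, page_url):
    """One finding per form. 'safe' requires the page itself to be HTTPS *and*
    the resolved action to be HTTPS: an https action inside an http page can
    be rewritten in transit, so it cannot be trusted on its own."""
    page_https = urlsplit(page_url).scheme == "https"
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for f in parser.forms:
        target = urljoin(page_url, f["action"])  # relative actions resolve against the page URL
        target_https = urlsplit(target).scheme == "https"
        findings.append({"target": target, "method": f["method"],
                         "uploads_file": f["file_input"],
                         "action_https": target_https,
                         "safe": page_https and target_https})
    return findings

# Constructed sample: a plan-admin page served over plain HTTP with two forms.
SAMPLE_URL = "http://admin.example-insurer.test/plans"
SAMPLE_HTML = """
<form action="upload.php" method="post" enctype="multipart/form-data">
  <input type="file" name="census"></form>
<form action="https://admin.example-insurer.test/login" method="post">
  <input type="password" name="pw"></form>
"""
```

With the sample, the file-upload form resolves to an http:// target (data exposed in transit), and the login form's https:// action is still flagged unsafe because the page carrying it arrived over HTTP.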


Run with Fiddler to verify http vs https.
http://www.fiddler2.com/fiddler2/
posted by jeffamaphone at 2:50 PM on March 30, 2011


This kind of falls into the "my neighbor is being loud so I'll just call the police" versus "I'll go ask him to turn it down" argument that pops up occasionally here.

I would ABSOLUTELY contact the company FIRST and then, if you get blown off, pursue with the complaint. If it's actually happening, maybe it's an accident and their IT crew can fix it in a few minutes or hours, versus days the other method...

And if you DO file a complaint, what's the benefit to you in the end if it takes longer to fix it because they've gotta come up on some list of violators to contact before they're even made aware of it? Are they gonna get shut down? Do you get some kind of prize for turning them in?

Seriously, give them a chance to show you some customer service, then do the complaint.
posted by TomMelee at 5:24 PM on March 30, 2011


It might be that the actual upload is secured in some manner. There's no reward for busting them. Write or call them to express your concerns. If you end up complaining, call the Insurance Commission for your state, found on the state's attorney general's website.
posted by theora55 at 4:34 PM on March 31, 2011

