Your Blood Work Results May Contain Too Much Sensitive Information
GDPR and Blood Test Results. Are You Sure You Know How Authorities Are Handling Your Data?
A few days ago, we found a scrap of paper outside our office in Copenhagen. It was highly visible from a distance that there were blood work results. Looking at it, it just hit us that there is simply too much personally identifiable information on those results to just leave them lying around.
But this doesn’t mean that it’s the individual’s fault for not taking care of their papers better. Anyone can make a mistake and lose or misplace a paper scrap. The system that delivers blood test results in this manner should be better.
How Much Personal Data Is Contained in Blood Work Results and Why Is It Dangerous?
To give you a clue, this is how the blood work results we found in front of our office in Copenhagen looked like. We edited the image to remove personally identifiable data, of course:
As you can see, there were plenty of fields here that contained pretty much everything there is to know about a person. This is not only a potential GDPR breach considering that all of this info is written on paper in the same place (instead of being stored separately, on a need to know basis), but also highly dangerous in the wrong hands.
A malicious hacker can use all that personal data for a wide variety of purposes, none of them in your favor, of course. From contracting bank credit in your name to issuing false papers via identity theft, from selling your personal data on the dark web to downright doxing or simply using your email address to initiate further online attacks, including credential stuffing attacks for getting into some of your more valuable accounts, there are plenty of dangerous things to be done with your personal information should it fall into the wrong hands.
How Should Authorities Handle Data from Blood Work Results Better?
It’s true that the regular individual isn’t probably aware of all the trouble a malicious hacker can make for them if they gain access to such a treasure trove of personal information. Perhaps that is also why some people can be slightly careless with their test results. That’s normal and to be expected to some degree.
But the real responsibility towards protecting your data lies with the authorities who make the rules and design the system. Data protection is something taken way more seriously since GDPR, of course, but it needs to happen for offline data as well, not just for online data.
For example, the test results could only contain the medical conclusions and the last four letters of your patient code and not everything about you written down explicitly. That personal data could be stored only in the lab’s digital data banks and accessible with the patient number.
Of course, that’s just one idea. There are plenty of other ways in which the current system can be improved towards better data protection. There is even an official collection of HIPAA guidelines for the anonymization of blood work results and patient data. But until all that is properly applied to offline documents as well, stay safe and be careful what you do with your blood work results.