The history of privacy is not easy to explain. The value of the concept of privacy is murky, has never been settled, and lacks a robust field of scholarship that we could draw from to make posts like this easier. Excellent writings can be found that explain privacy as an economic good individuals can exchange, a means for authoritarians to more easily exert rule, and also a fundamental human right.

Medical records are considered private information. Partly this is the legacy of World War II, when such records were weaponized as a tool of genocide. It also stems from the focus on privacy that began in the mid-1970s, once the abuses of data by the domestic intelligence agencies in the West began to be fully understood.

Medical scans are some of the most detailed and intimate photographs a person will ever have taken of themselves. Very often these are in 3D, enhanced with high-powered magnets, and sharpened with traces of radiation injected into the body just before capture. Medical records, as simple text documents, can tell if a person will live or die, or if they have a disease that, if known, would leave them shamed in society. Much more can be discerned by having access to a person's genome sequencing data, contraceptive prescriptions, allergy tests, etc.

This brings us to our first point.

Medical Data is Valuable:

  • Research
  • Blackmail
  • Military

The last one concerns us the most. If the medical data for a majority of a country could be acquired, it would be very feasible to build a weapon that only targeted members of the predominant ethnic groups and genetic clusters in that country. Because we know that immunity is often based on when one is born and the generation to which one belongs, one can go further and assume that a weapon could be built that would only target children or perhaps adults age 20-40.

Significant US Medical Data is Exposed:

After the CCPA went into effect in January of this year, 12 Security was asked to look into certain instances where DMVs and travel companies appeared to be exposing large amounts of government ID data. We were also asked to look into medical data, but that is tricky: under the CCPA, things like biometrics and third-party use for research purposes all come into play and can nullify a plaintiff's claim.

Ultimately, we wound up developing a good understanding of just how much medical data is being exposed in California. We can extrapolate from here to the rest of the United States, and our estimate is still likely conservative, as the technical skill level in CA is quite high. This also means the bar for being exposed is inversely quite low. Either way, the numbers we have are:

  • 500,000+ individuals have medical records exposed in the US
  • Perhaps 30,000,000+ in the entire US  

And the conclusion we come to is:

The most likely reason for this level of data exposure is that someone is purposely leaving these servers open.