Concerns are growing over the security of personal medical data in Switzerland, after an individual was able to access a decade’s worth of their medical records using only a seven-digit identification number and their date of birth. The incident, brought to light by a listener to the Swiss radio program “On en parle,” raises questions about whether current security measures are sufficient to protect sensitive health information and what steps patients can take to safeguard their privacy.
The listener discovered they could view their complete history of medical analyses from Unilabs, a diagnostic services provider, simply by entering their ID and date of birth on the company’s website. This ease of access prompted an investigation by the program, which highlighted potential weaknesses in how medical data is protected online. The core issue is whether an identifier combined with a date of birth, both of which may be known to others, is a strong enough credential for accessing such sensitive information.
Unilabs Response and Legal Considerations
Unilabs defended its security protocols, stating that the combination of the unique identifier and date of birth was considered “non-guessable.” The company also cited additional security measures in place, including data encryption, secure data hosting, access monitoring with lockout features, and limited access duration. However, when questioned about the potential need for multi-factor authentication – such as a code sent via SMS or email – Unilabs explained that its current approach is “considered compliant with legal requirements.”
The company clarified that multi-factor authentication is deployed for services requiring prolonged or repeated access to medical data, but isn’t mandated by law for one-time or temporary access to imaging results. Unilabs maintains that the risk is “managed” and that patients can, upon request, completely disable online access to their records. The company added that the concerns raised have been forwarded to relevant teams for evaluation.
Expert Concerns and Regulatory Oversight
Legal and data protection experts have expressed concerns about the adequacy of the current security measures. Frédéric Erard, a professor of medical law at the University of Lausanne, stated that the practice described by the radio listener appears insufficient to protect medical data. He explained that Swiss law on data protection operates on a risk-based approach, requiring data controllers to implement appropriate measures proportional to the risks involved and to prevent unauthorized access.
“The Federal Data Protection Act adopts a risk-based approach,” Erard said. “Anyone processing personal data must adopt appropriate measures in relation to the risks and ensure that unauthorized persons cannot access this information. The protection of medical data is reinforced by the obligation of healthcare professionals and their auxiliaries to respect medical confidentiality.” He added that, without examining the system directly, a patient number combined with a date of birth seems a priori insufficient for accessing medical imaging information, as a close acquaintance could likely gain access.
The Federal Data Protection Commissioner also weighed in, emphasizing that the more sensitive the data, the more robust the security measures should be to guarantee confidentiality, integrity, and availability. However, the commissioner noted they could not assess the adequacy of specific security systems without a detailed examination.
The Broader Context of Data Security
This incident comes as data security and privacy are increasingly scrutinized globally. The ease with which the listener accessed their medical history underscores the challenges of balancing patient access to their records with the need to protect sensitive information from unauthorized access. The debate over medical data accessibility highlights the need for ongoing evaluation of security protocols and potential implementation of stronger authentication methods.
The Swiss Federal Data Protection Authority (FDPIC) recently launched a public consultation on a proposed recommendation regarding the compliance and security of medical records, signaling a broader effort to address these concerns. The consultation, now closed, sought feedback on potential improvements to data protection practices within the healthcare sector. The CNIL, France’s data protection authority, is also actively involved in setting standards for data security in healthcare.
Patients concerned about the security of their medical data can request that Unilabs, or other healthcare providers, disable online access to their records. However, experts emphasize the need for systemic improvements to ensure that all patients’ data is adequately protected. The incident serves as a reminder of the importance of robust security measures in the digital age, particularly when dealing with highly sensitive personal information.
The ongoing evaluation of security systems by Unilabs, prompted by these concerns, will be a key development to watch. Further updates on the implementation of any enhanced security measures are expected in the coming months.
