I support social workers using a state data portal to submit evidence of eligibility for program benefits. These are HIPAA covered transactions. My concern is that the state data portal requires the use of Google Chrome, a known purpose-built data mining tool.
I have very limited resources but managed to find a utility at the Chrome store called “Content Checker”. The utility is no longer supported. It searches the contents of the Chrome cache for interesting text strings and reports SSN, emails, and other text strings.
In one case Content Checker found 19 stored SSNs! None of which were present on that form. This is a clear HIPAA violation. All attempts at deleting this storing of HIPAA data have failed. The data is persistent! Clearing the cache “from the beginning of time” has no effect on removing stored strings.
I have argued with the program developers that the easy solution to Chrome HIPAA data mining is to force all transactions onto the existing VPNs between all 100 counties in our state to the DHHS.gov system. I also recommended switching to Firefox in combination with the VPNs. The state has refused to correct these HIPAA violations.
Can HIPAA data be protected in the age of data mining? The screenshot below is not the state data portal. It is my internal data portal that reports intake v. outcome (case disposition). It may be possible that Content Checker is finding data similar to the strings of interest. Again, I lack meaningful resources to fully determine what is going on. I also found dozens of cached email addresses in addition to SSNs testing various web pages.
It would be great to identify a tool to dump the entire Chrome cache for analysis.
Suggestions? Discussion?
KA
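An added example, not part of the original post and not Content Checker's code: a local audit script that scans every file under a folder for SSN-shaped and e-mail strings, and separates structurally plausible SSNs from lookalikes, which bears on the post's question of whether the hits are real SSNs or similar strings. Assumptions: the folder given on the command line is a copy of the browser profile or cache directory you choose to audit, the scan is over raw bytes (compressed or otherwise encoded content will not match), and all function names and the sample buffer are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# 3-2-4 digit groups with matching separators, not embedded in a longer digit run.
SSN_RE = re.compile(rb"(?<![\d-])(\d{3})([- ])(\d{2})\2(\d{4})(?![\d-])")
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")
# Constructed sample buffer (not real data): one plausible SSN, one lookalike,
# one over-long digit run that must not match, and one e-mail address.
SAMPLE = b"\x00ssn=123-45-6789;ref 000-12-3456 order 9123-45-67890 mail jane.doe@example.org\xff"

def plausible_ssn(area, group, serial):
    """SSA structural rules: passing means 'could be an SSN', not 'is one'."""
    if area in (b"000", b"666") or area.startswith(b"9"):
        return False
    return group != b"00" and serial != b"0000"

def scan_bytes(data):
    """Return (kind, value, plausible) for every candidate string in a byte buffer."""
    hits = []
    for m in SSN_RE.finditer(data):
        area, _sep, group, serial = m.groups()
        hits.append(("ssn", m.group(0).decode("ascii"), plausible_ssn(area, group, serial)))
    for m in EMAIL_RE.finditer(data):
        hits.append(("email", m.group(0).decode("ascii"), True))
    return hits

def mask(kind, value):
    """Redact values so the report does not become another copy of the data."""
    if kind == "ssn":
        return "***-**-" + value[-4:]
    local, _, domain = value.partition("@")
    return local[0] + "***@" + domain

def scan_tree(root):
    """Yield (path, kind, masked_value, plausible) for every regular file under root."""
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable or locked, e.g. the browser is still running
        for kind, value, ok in scan_bytes(data):
            yield str(path), kind, mask(kind, value), ok

if __name__ == "__main__":
    rows = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else (("<sample>", k, mask(k, v), ok) for k, v, ok in scan_bytes(SAMPLE))
    for path, kind, value, ok in rows:
        print(f"{path}\t{kind}\t{value}\t{'plausible' if ok else 'lookalike'}")
```

Run it with the browser closed and against a copy of the folder, so files are not locked and the scan does not alter timestamps on the original.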