Concerned about unencrypted medical data in emails

Title says it all

#1 Post by CharlieOneSix » Mon Feb 18, 2019 3:23 pm

My excellent local GP Surgery, like many others, uses a company called GenPra to design and host its website. It has a https address, the SSL Certificate shows it is valid and the encryption is (AES-GCM, 256 bit keys, TLS 1.2).

One part of the site allows me to order my repeat prescriptions online and these orders appear to be sent encrypted from the Surgery website to GenPra.

It then appears that GenPra forward the request to the Surgery using a plain language unencrypted email. The Surgery has its own dispensing pharmacy and they then forward that email to me within their own plain language email confirming they have received the request and informing me it will be ready for collection in two days.

This is what the email from GenPra to the Surgery – and then onwards to me – looks like:
[Attachment: prescription.JPG]

I am a little unhappy that information which is sent encrypted to GenPra then appears to be sent unencrypted in plain language to the Surgery which in turn forward it in plain language to me. There is really no need for the Surgery to forward GenPra's email to me as I have a record of it under my login to the Surgery's website.

As you can see it has a lot of personal information about me – name, date of birth, ex-directory phone number, medication, none of which - apart from my name - I would put in a plain language email.

Before I go off with all guns blazing, what does the team think? Am I worrying over nothing about GenPra's plain language emails or should I take this up with the Practice Manager at the Surgery? It does seem to me to show a total lack of care with my personal data.
The helicopter pilots' mantra: If it hasn't gone wrong then it's just about to...
https://www.glenbervie-weather.org


Re: Concerned about unencrypted medical data in emails

#2 Post by llondel » Mon Feb 18, 2019 4:40 pm

The email is probably transmitted in encrypted form, TLS/SSL is common for such things, but you have no way of knowing that unless you can monitor it in transit. However, it's probably stored in unencrypted form at each end.
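
Added example, not part of llondel's post or of the forum thread: the `Received:` headers of a delivered message usually record, hop by hop, whether the receiving server accepted it over TLS (the RFC 3848 `with ESMTPS` keyword), and this Python code reads them from a constructed sample. The hostnames, ids and the message itself are hypothetical.

```python
import re
from email import message_from_string

# RFC 3848 "with" keywords whose trailing S records that the hop ran over TLS.
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
PLAIN_KEYWORDS = {"SMTP", "ESMTP", "ESMTPA", "LMTP", "LMTPA"}

# Constructed sample message; hostnames, addresses and ids are hypothetical.
SAMPLE = """\
Received: from mx.surgery.example (mx.surgery.example [192.0.2.20])
\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
\tby mx.patient-isp.example with ESMTPS id 3C0FFEE1
\tfor <patient@patient-isp.example>; Mon, 18 Feb 2019 15:02:11 +0000
Received: from web.host.example (web.host.example [192.0.2.10])
\tby mx.surgery.example with ESMTP id 1A2B3C4D
\tfor <dispensary@surgery.example>; Mon, 18 Feb 2019 15:01:40 +0000
From: noreply@host.example
Subject: Repeat prescription request

(body omitted)
"""

def strip_comments(value):
    """Remove RFC 5322 parenthesised comments, including nested ones."""
    previous = None
    while previous != value:
        previous, value = value, re.sub(r"\([^()]*\)", " ", value)
    return value

def hops(raw_message):
    """Return (receiving_host, protocol, verdict) per hop, oldest hop first."""
    msg = message_from_string(raw_message)
    result = []
    for header in reversed(msg.get_all("Received", [])):
        # Comments can contain "with cipher ..."; drop them before matching.
        text = " ".join(strip_comments(str(header)).split())
        by = re.search(r"\bby ([^\s;]+)", text)
        proto = re.search(r"\bwith ([A-Za-z0-9-]+)", text)
        keyword = proto.group(1).upper() if proto else ""
        if keyword in TLS_KEYWORDS:
            verdict = "tls"
        else:
            verdict = "no-tls-recorded" if keyword in PLAIN_KEYWORDS else "unknown"
        result.append((by.group(1) if by else "?", keyword, verdict))
    return result

if __name__ == "__main__":
    for host, keyword, verdict in hops(SAMPLE):
        print(f"{host:28} {keyword:8} {verdict}")
```

Each `Received:` line is written by the server that accepted the message, so only lines added by servers you trust are reliable, and none of them says anything about how the message is stored at either end.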


Re: Concerned about unencrypted medical data in emails

#3 Post by OFSO » Mon Feb 18, 2019 7:05 pm

Hmmm. I pay cash and then submit a claim on my insurer's website. When the claim is settled I get an email with no details, just telling me to go to the website to see my latest claim. The reimbursement arrives in my a/c with no details of what it's for. IMHO this is the way it should be. I think, Charlie, that at one extreme your case contravenes data protection law and is, at the other, way below "best practice". But hell, the authorities can - and most likely do - intercept anything, including international snailmail, these days. Four weeks for a packet of letters from London to Spain? Envelope sellotaped up? I just hope they haven't got around to me, yet.


Re: Concerned about unencrypted medical data in emails

#4 Post by ExSp33db1rd » Mon Feb 18, 2019 9:51 pm

Mrs. ExS has an account with one of the NZ banks, and occasionally invests in a Term Deposit. She gets confirmation on a plain e-mail giving all details, Name, address, e-mail, a/c No., D.o.B., address, amount invested, tax I.D. etc. etc. which is repeated just before termination and then includes the number of the account that will receive the principal and interest in a few days' time. She has complained to the Management who say "Not to Worry", and thank you for going "Paperless", but they don't change.

That bank don't participate in two-stage security either, one needs one's personal Customer Number, password and a few simple security questions to get Online, but after that transfers can be made without reference to a phone TXT code, or personal "clicking" device.

Identity Theft, anyone?

(Sadly, they seem to give the best interest rates, which is why she sticks with them - for now!)

Re: Concerned about unencrypted medical data in emails

#5 Post by Slasher » Mon Feb 18, 2019 10:02 pm

I refuse point blank to go paperless with any financial institution. The scam is they want YOU to do their dirty work for them - under the lie "let's help protect the environment!"

Utter ***** of course. They couldn't give a rat's arse about the bloody "environment". It's to increase their profit margins - the same way as hotels don't want to wash not-yet-too-dirty towels, sheets etc. Fukkem.


Re: Concerned about unencrypted medical data in emails

#6 Post by barkingmad » Fri Dec 25, 2020 8:22 am

Anyone here who may have had plastic surgery might be concerned at this report about hackers promulgating yer bits being modified for general entertainment.

But one might hope the pics are very localised for technical purposes for the medical professionals, but with all the boob and buttock work being commissioned as well as curtain trimmings being performed, let’s just hope anyone affected cannot be recognised or great will be the angst:

Hackers threaten to leak plastic surgery pictures https://www.bbc.co.uk/news/technology-55439190

Unwelcome news to receive on Xmas day...!


Re: Concerned about unencrypted medical data in emails

#7 Post by Pontius Navigator » Fri Dec 25, 2020 9:40 am

Curtain trimmings, apart from the obvious at Dunelm, what has that got to do with data protection?
