Part 3: Discovery Health ducking and diving over HealthID

In spite of all the press releases and marketing sales pitch, it turns out that Discovery Health wasn't entirely truthful to me: On Tuesday the COO of Discovery Health promised in writing

"I confirm that we will block all and any access to all health records associated with your policy."

During the meeting I was assured that they already had the ability to do so, and I gave one of the executives my Discovery membership number. Today I checked whether my EHR (Electronic Health Record) was still available online, and it is. Bear in mind that I have never given permission for Discovery Health to publish this information, and they have never asked. So I wrote to the CEO:

Dear Jonathan
The meeting with Dr Noach and others on Tuesday has left me with more questions than answers, and I get the distinct impression that I am being stonewalled.
In the meeting I was assured that my Health Record would be removed from your web site. I provided my DH membership number to Ryan in a follow-up email. I attach the health record that I printed out this morning. It looks exactly the same as the one I complained about at the meeting. As you can see, it contains sensitive and embarrassing information that (a) I have never given Discovery Health permission to publish; and (b) your COO assured me would be removed.

It would appear that "Jonny" is out of the office for a few days, so the reply came from Ryan, the COO:

Donn
Your email to jonny [sic] seems to give the impression that we have not been in constant and regular contact over the past few days. It is important to point out that as per the multiple and ongoing interactions, we remain open to your suggestions and transparent about our attempts to continually improve the security on both our web and HealthID platforms.
We are conforming with international best practice, seeking external audit verification thereof and on a continuous improvement pathway with a view to ongoing enhancements of the security platform, possibly including some of your suggestions.
Insofar as your health record is confirmed, we will honour our undertaking to remove this from the web. Please allow us the time to do so.
Sincerely
Ryan

My reply was:

Ryan
I was under the impression it would be done on Tuesday. You confirmed it would be done. How much time do you need? A week? A month? A year? Please clarify. I get the distinct impression, Dr Noach, that you are being evasive. Please be straight with me: do you currently have the facility to remove my data, or is someone going to have to develop it?
I did not give Discovery Health permission to publish my medical record. Please remember that. My patience is limited.
Donn

The reply:

The health record will be blocked by Monday

So apart from the nauseating corporate double-speak, they have said very little. They "remain open to my suggestions" even though Dr Noach personally dismissed or ignored most of them, and said they would take them "under advisement" since they were only "opinions" and "suggestions". He says they are already "conforming to international best practices" when this is demonstrably not the case: international best practice for password strength does not allow for loopholes like "passw0rd".
Was my meeting with them not an indication of their willingness to listen? Sure, if you discount the fact that I got nothing out of phoning their call centre. After being stonewalled there (I was told to email healthinfo@discovery.co.za; and that it was "impossible" to speak to anyone on the HealthID team) I eventually spoke to a manager who promised to send me answers to my questions; he certainly couldn't answer them.
That's when I contacted the Media Relations department and emailed them a link to the article "Discovery HeathID: kiss your confidentiality and privacy goodbye". They passed this link on to the CEO, Dr Jonathan Broomberg. He promised to call me. Yeah, right. He assured me

If you choose not to give the consent, your data remains entirely private. Does this address your concern?

It didn't. Several emails later, he wrote:

I am not sure that resolving this by email is that constructive. I can only assure you that our intentions in developing HealthID are only positive - we passionately believe that this will improve the quality of care provided by doctors to our members. We are cognisant of the security issues, and continually take advice and review security in order to minimise the risks that you outline in your emails. I would be happy to arrange for you to meet with our team working on this, if you believe that would be worthwhile. We are absolutely open to any feasible suggestions on how to improve the security of this information.

So far, so good. The meeting destroyed most of that. Some of them listened, and I have been assured by the CIO that

"... we are taking our systems security very seriously and we will certainly consider your points in our roadmap."

What does that mean, exactly? I have no idea.

I decided on another tack, and wrote to Ryan:

Can you give me the contact details of the people who did the security audit of the Discovery web site?

How's this for a weird reply?

The audit report is for internal consumption and is presented to the relevant board audit and other sub committees.

All I wanted to ask them was about the "passw0rd" loophole. Stonewalled. They need to get a clue.

The call centre stonewalled me on another issue: what does the consent form say? I was told they "don't have a copy of the consent form, and it changes from doctor to doctor, and the doctor would explain it to me." That's odd: healthinfo@discovery.co.za were happy to send me the PDF, along with another file that "explains" more. An ironic part of this file reads:

When you sign this consent, you acknowledge that you understand that the Electronic Health Record contains details about any chronic condition(s) you may have, as well as pathology results, which includes blood tests.

Notice how they leave out the bit about your HIV status.

Your signature also confirms that you understand how we safeguard this confidential information and how we comply with laws about dealing with confidential information of this kind.

And how do they do this? They make you sign a waiver:

I agree that by making this information available, Discovery Health (Pty) Ltd and the Scheme are not responsible for any loss (whether direct or indirect) that may arise from the use of this information. I agree that I may not hold Discovery Health (Pty) Ltd or the Scheme responsible for any loss that may result from the incorrect use or disclosure of the information by my healthcare provider.

In "media relations" circles this is known as "spin". A more accurate english word is "lies".

Emergency HealthID

"Emergency personnel are able to scan a unique QR code on your car sticker and digitally access your membership and medical information when you’re not able to give it to them."What this actually means is that anyone can read this information from your car sticker in any parking lot. So is the QR code a reference number, or does it contain actual data? I asked:

In the case if the Emergency QR code, who can gain access by using the QR code? Any paramedic? Hospital doctor? Anaesthetist?

The reply was:

The use of QR codes will probably grow over time, but initially the emergency QR is intended for the paramedics to have access to vital (life saving) information, which is often critical during the “golden hour” that has a major influence on the final outcome.

HUH? So I asked:

WHO gets access to the QR Code? Is the QR code some kind of reference number, or does it contain the “Golden Hour” information itself, like a MedicAlert bracelet?

Hopefully the former, and not the latter. Watch this space.

I posed another question:

Doctor A has his own practice for 3 years and signs up 200 patients on HealthID.
Then he gets together with Doctors B and C to form a new practice ABC.
a) Does he have to get consent from those 200 patients again?
b) Are the consenting patients notified that this PR number has changed?
Do Doctors B and C automatically have access to the files of those 200 patients?
If Doctor C leaves the practice does he still have access to any of his patients, or do they all need to consent again?

The reply:

You have outlined a number of scenarios. I think that the following points will address them:

1. Every individual doctor has to request member consent to gain access to each of our member’s/their patient’s records.
2. The consent is “doctor-specific”, not “practice-generic”. No doctor gets automatic consent because of his/her practice affiliation.
3. Doctors have access to the member records until the member revokes the consent, or the doctor no longer uses the HealthID service.
4. If the member revokes the consent and then visits the doctor again, the doctor will have to ask the member for his consent again.

Please let me know if I missed anything.

So if doctor C leaves the practice, he takes all his HealthID patients with him, whether doctors A and B like it or not. They are powerless to stop him, since although his Practice (PR) number may change, his medical registration (MP) number remains the same, and that is tied to the doctor's Discovery login.

What happens if the MP number is changed? How do you know if an MP number is still valid?

The reply:

As you will appreciate doctors details are very important to us and we continuously verify the information.

I'm sure they do. After all, not all doctors are ethical.

Part 1 | Part 2 | Part 3

Update: On a separate note, DiscoveryCard finally apologised for leaking my private contact details for marketing purposes to AutoPage. Nearly six years late ;-)

Update: Discovery has lied to the public and bullied the industry, according to this GP.