Accidental Social Engineering


I just had a rather startling experience.

I’ll spare you the long backstory about why I decided to recently gather copies of all my medical information together (short story: I’m unimpressed with every doctor I can find in the area, and find myself having to second-guess them a lot — I’ve even pointed out rather dangerous interactions between drugs prescribed to me by the same doctor at the same time).

The information that I was having a hard time finding was from the doctor I had when I first moved to Dallas. The problem was that I couldn’t remember his name or really any other information about him. I knew his office was on a particular street, but couldn’t narrow it down to less than about a 15-mile segment. Recently, when I found myself in a position to drive approximately that distance, I decided to take that particular street to see if I could pick out any familiar landmarks. It certainly wasn’t the best route to take, but it was better than driving the street without getting anywhere useful. I finally spotted something that looked familiar, and pulled into a parking lot. After poking around quite a bit, I found an office with a name that looked familiar.

I walked in and spoke to the receptionist. I mentioned that I was a patient there “around 1994 to 1997,” and asked if it was possible to get a copy of my medical records. She took my name and a phone number (I gave her my cell phone number) and promised to get back to me.

Several days later, I got a call back letting me know that I could come pick up a copy of my information. I did so, in person. Without ever presenting any identifying information. I was able to parlay a knowledge of (1) my name, and (2) the doctor I went to in a very rough period of time into three years of medical records.

Now, there’s nothing particularly sensitive in my personal medical records — but that’s neither here nor there. There are supposed to be stifling restrictions around what information is released to whom, to the point that I was a little worried that I might not be able to get them to release my own information to me.

And here’s the zinger: the documents handed over to me include my social security number, along with mailing addresses and phone numbers for my previous two residences. They include my driver’s license number and date of birth. My current home address is a simple matter of public record.

I just stole my own identity. And even if someone could somehow trace the breach to that particular doctor’s office, all they could provide is a description of me (keeping in mind that the long hair could just be a wig) and a phone number (keeping in mind that it might trace back to a stolen cell phone or a prepaid VoIP account).

The lessons here should be obvious, but I can’t seem to figure out practical ways to apply them. Stop seeing doctors? Tempting, but not practical. Plus, this information was nine years old. Bottom line: you can’t trust anyone to safeguard your information, and you’ve almost certainly let the cat out of the bag one way or another. I guess the take-home here is: always assume that enough information to impersonate you has been carved into every public bathroom stall in America, and maintain a commensurate level of vigilance.


  1. ben

    Interesting. I wonder if all the current draconian medical privacy regulations are retroactive. That is, do they apply to data that was gathered before the laws went into effect?

  2. Paul

    Reminds me of my bank. Last year I closed my bank account at Community Credit Union. Nobody asked for ID. The only evidence I had was a bank statement (which I could have dug out of someone’s trash or printed myself). Upon closing the account, I collected the balance (a couple thousand dollars) in cash and walked out the door.

    If I were not already closing my account, I might have complained. If you have an account there, see if they ask for ID while you are closing it.