Some hospitals are now asking their patients to scan their palms, ostensibly to compile a biometric database to prevent identity theft.
Don’t do it! The palm scan is not mandatory; it’s purely optional. But they won’t volunteer that information unless you ask.
Natasha Singer reports for the New York Times, Nov. 10, 2012, that she was told they needed to scan her palm “for her file” when she recently visited a doctor’s office at New York University Langone Medical Center.
Singer balked. As she explains: “As a reporter who has been covering the growing business of data collection, I know the potential drawbacks — like customer profiling — of giving out my personal details. But the idea of submitting to an infrared scan at a medical center that would take a copy of the unique vein patterns in my palm seemed fraught.”
Despite her reservations, Singer still complied. Next, they wanted to take her photo. Only then did an office manager appear and explain that the scans and pictures were optional. But by then, Singer’s palm print was already in their system.
Consumer advocates are sounding the warning that more and more institutions are employing biometric data “to improve convenience,” but we are paying for that convenience with the loss of our privacy.
Fingerprints, facial dimensions and vein patterns are unique, and should be treated as carefully as genetic samples. So collecting such information for expediency could actually increase the risks of serious identity theft. Yet companies and institutions that compile such data often fail to adequately explain the risks to consumers.
Pam Dixon, the executive director of the San Diego-based advocacy group World Privacy Forum, explains: “Let’s say someone makes a fake ID and goes in and has their photo and their palm print taken as you. What are you going to do when you go in? Hospitals that are doing this are leaping over profound security issues that they are actually introducing into their systems.”
N.Y.U.’s system, called PatientSecure and marketed by HT Systems of Tampa, has already scanned more than 250,000 patients. In the United States, over five million patients have had the scans, said Charles Yanak, a spokesman for Fujitsu Frontech North America, a division of Fujitsu, the Japanese company that developed the vein palm identification technology.
Yet, unless patients at N.Y.U. seem uncomfortable with the process, medical registration staff members don’t inform them that they can opt out of photos and scans. Nor does N.Y.U. have formal consent, which raises red flags for privacy advocates. “If they are not informing patients it is optional,” said Joel Reidenberg, a professor at Fordham University Law School with expertise in data privacy, “then effectively it is coerced consent.”
He noted that N.Y.U. medical center has had recent incidents in which computers or USB drives containing unencrypted patient data have been lost or stolen, suggesting that the center’s collection of biometric data might increase patients’ risk of identity theft.
At her request, N.Y.U. medical center did delete Singer’s palm print.
Here’s what to do if a hospital, doctor’s office, or some other institution wants to scan your palm, take your photo, or obtain some other biometric information from you:
- Calmly ask if what they’re asking is mandatory (required) or optional.
- If it’s optional, say “No.”
- If mandatory, ask to see a written statement of that policy and where in law it says the institution has the right to your information.