Happy Data Privacy Day. A new book provides an in-depth look at the commercial trade in patient medical data. Sensitive data, a vibrant market, and not much cause for celebration.
A while ago, I wrote about the wave of data breaches at healthcare organizations and medical identity theft that is impacting millions and what we can do to protect ourselves better.
One of the readers of that post was acclaimed journalist Adam Tanner, who has reported on data collection and consumer privacy since 2012.
Adam and I have had an ongoing discussion on data privacy and security matters since we met a few years ago. He was covering the issue for Forbes, and I had a chance to brief him on our secure browser solution.
A few weeks ago, he kindly directed my attention to an unknown - to me, at least - aspect of our personal medical records. I thought our medical data was sacrosanct. Protected by regulatory frameworks and doctor-patient confidentiality. It isn’t.
Adam Tanner’s new book “Our Bodies, Our Data - How Companies Make Billions Selling Our Medical Records” (Beacon Press, Boston) examines the secretive and far-reaching wheelings and dealings of medical data exchange. A multibillion-dollar market dominated by hidden middlemen who monetize our most sensitive data - from prescriptions to lab results to treatments.
This is familiar terrain for Adam. His previous book, “What Stays in Vegas: The World of Personal Data - Lifeblood of Big Business - and the End of Privacy as We Know It,” tells the story of Las Vegas casinos pioneering the collection and correlation of gambler data.
Initially built to improve customer relations, these processes have become eerily common and unnervingly vast, suggesting perhaps we should fear corporate surveillance more than government surveillance. The Washington Post named the book one of 50 notable nonfiction works of 2014.
“Our Bodies, Our Data” follows a similar course, and couldn’t be more timely. The recent series of massive data breaches at healthcare institutions has raised more questions about what really happens to our data when we enter information on our health insurer’s online portal, see a doctor, or refill a prescription at the pharmacy.
To date, this market has operated in the shadows. Which makes “Our Bodies, Our Data” an even more impressive read. Based on in-depth research and hundreds of interviews with industry insiders and observers, Adam Tanner takes the reader into the dark corners of this multibillion-dollar global medical data bazaar.
In the U.S., HIPAA - the Health Insurance Portability and Accountability Act of 1996 - requires the protection of “individually identifiable health information.” This standard attempts to govern how firms handle our data, but it provides no controls for individuals to restrict the exchange of that data.
The author tells the story of a victim of childhood abuse who - incidentally - learned that her psychotherapist’s notes were shared across the health plan provider’s network. In the words of the victim: “You shouldn’t have to choose between privacy and the best possible care.”
Tanner describes a market that is driven by the marketing objectives of pharma, medical product and healthcare service providers, not the patient’s best interest. These entities are free to sell our data to the data miners, provided they “de-identify” the records. Whether through error or triangulation of data points, this anonymization is, at best, imperfect. It’s actually worse than imperfect.
His book explains how simple it is to re-identify anonymized patient medical data. Analysts with standard big data analytics tools can reassemble and attribute the data trivially.
One researcher quoted was placed under court order not to disclose the methods she used to re-identify patients. Something she was able to demonstrate with commonplace tools and techniques. Scary stuff.
“HIPAA has allowed a vast market for intimate information to evolve,” the author concludes, “in ways that may lessen patient trust in the health-care system and may create dangerous privacy vulnerabilities.”
The recent massive data breaches in the healthcare industry, Adam Tanner reminds us, also may make it easier for criminal industry outsiders to run their own re-identification campaigns, for the purpose of blackmail, damaging reputations, or filing fraudulent claims.
Patients should be alarmed at how their medical information is handled, mishandled and traded by companies that, as the author writes, “have often done all they can to obscure their activities from the public, the very source of these data.”
And the anticipated upheaval if the Affordable Care Act is repealed doesn’t bode well for our privacy, either. After reading Adam Tanner’s book and seeing what’s at stake, I suspect the global industry that handles and trades our medical data will welcome the distraction.
“Our Bodies, Our Data” is a riveting account of medical data collectors and buyers gone haywire. It is a must-read for anyone concerned with data protection and privacy policies in the healthcare and consumer sector, as patients or in a professional capacity.
Adam Tanner: Our Bodies, Our Data. How Companies Make Billions Selling Our Medical Records. Beacon Press, Boston 2017. 218 pages, $28.95
About the reviewer: Scott Petry is Co-Founder and CEO of Authentic8. Before Authentic8, Scott was the founder of Postini.