As hospitals shift to digital medical records, administrators promise patients better care and shorter waits. They often neglect to mention that they share files with state health agencies, which in turn sell the information to private data-mining companies. The records are stripped of names and addresses, and there’s no evidence that data miners are doing the legwork to identify individual patients. Yet the records often contain patients’ ages, Zip Codes, and treatment dates—enough metadata for an inquiring mind to match names to files or for aggressive companies to target ads or hike insurance premiums.
Latanya Sweeney, the director of Harvard University’s Data Privacy Lab, identified 35 patients from a Washington database by buying state medical data and creating a simple software program to cross-reference that information with news reports and other public records. “All I have to know is a little bit about a person and when they went to a hospital, and I can find their medical record in this kind of data,” Sweeney says. She says data in 25 other states are just as vulnerable.
From a brief local-news story on a motorcycle crash, she matched retired Vietnam veteran Ray Boylston to a patient file documenting a broken pelvis, ruptured spleen, kidney failure, and bladder removal. “I feel I’ve been violated,” says Boylston, 62. “I don’t really feel that the public has a right to read up on my medical history.” Most of the patients whose names Sweeney uncovered asked to remain anonymous, including an executive treated after being assaulted whose medical records say he’s addicted to painkillers. Another businessman, who appeared in a missing-person report, has been diagnosed with pancreatic cancer and attempted suicide by poison, according to his medical records.
Exempt from federal health-privacy laws, states have long sold medical data to help finance public health studies. Demand for the information, which is relatively cheap, has shifted from university research programs to commercial data miners, which incorporate it into reports and databases they sell to direct marketers, insurers, and makers of drugs and medical devices. Twelve of the most populous U.S. states generated $1.91 million from 1,698 data sales in 2011, the latest year for which figures are available, public records show. (The data-mining industry, which buys the information and resells it to medical companies, will top $10 billion in revenue by 2020, McKinsey estimates.) Washington State’s health agency sold its database 95 times that year, collecting a mere $15,950. Donn Moyer, a spokesman for the state’s health department, says it chose to release extra identifying information such as patients’ Zip Codes to make its data more useful.
Companies that buy the state data include IMS Health, a provider of prescription data; OptumInsight, a division of UnitedHealth (UNH), the biggest U.S. health insurer; and WebMD (WBMD). Danbury (Conn.)-based IMS purchased Boylston’s record, as did IVantage Health Analytics, a Portland (Me.)-based evaluator of hospital performance. IMS’s U.S. marketing director, Jody Fisher, says his company, which sells medical data to drug companies for sales pitches to doctors and consumers, maintains a database of 260 million prescription-drug patients but doesn’t try to identify any whose names have been redacted. John Morrow, executive vice president of IVantage, says his company scrubs information like Zip Codes. With that kind of identifier, he says, “You might as well have the patient’s electronic medical record number.”
Jim Pyles, a principal at law firm Powers Pyles Sutter & Verville who specializes in health law and policy, says digitized medical data has the potential to prevent physicians from missing a key element of a patient’s history or to help analysts identify larger health trends, such as hospital costs or the spread of diseases. The sale of that data, though, makes patients even more vulnerable than they already are in an era of increasingly sophisticated hacking, he says. “Electronic health information is like nuclear energy,” Pyles says. “If it’s harnessed and kept under tight control, it has potential for good. But if it gets out of control, the damage is incalculable.”
Health agencies for Washington, Tennessee, Nevada, and Arizona say they have begun reviews of their collection policies following a Bloomberg News story published on June 5 about state health data collection. (Washington now requires buyers to sign a confidentiality agreement, though a full review of the policies will take months, says Moyer.) California, Illinois, New Jersey, Massachusetts, Connecticut, Nebraska, and Alaska already had reviews under way, according to those states’ agencies. “The real takeaway,” says Harvard’s Sweeney, “is we can do better than this.”