Your medical records are for sale

The Review has been among the few of the news media to raise questions from the start about the electronic files of medical records. The oversight on this has been atrocious.

Business Week - As hospitals shift to digital medical records, administrators promise patients better care and shorter waits. They often neglect to mention that they share files with state health agencies, which in turn sell the information to private data-mining companies. The records are stripped of names and addresses, and there’s no evidence that data miners are doing the legwork to identify individual patients. Yet the records often contain patients’ ages, Zip Codes, and treatment dates—enough metadata for an inquiring mind to match names to files or for aggressive companies to target ads or hike insurance premiums.

Latanya Sweeney, the director of Harvard University’s Data Privacy Lab, identified 35 patients from a Washington database by buying state medical data and creating a simple software program to cross-reference that information with news reports and other public records. “All I have to know is a little bit about a person and when they went to a hospital, and I can find their medical record in this kind of data,” Sweeney says. She says data in 25 other states are just as vulnerable.

From a brief local-news story on a motorcycle crash, she matched retired Vietnam veteran Ray Boylston to a patient file documenting a broken pelvis, ruptured spleen, kidney failure, and bladder removal. “I feel I’ve been violated,” says Boylston, 62. “I don’t really feel that the public has a right to read up on my medical history.” Most of the patients whose names Sweeney uncovered asked to remain anonymous, including an executive treated after being assaulted whose medical records say he’s addicted to painkillers. Another businessman, who appeared in a missing-person report, has been diagnosed with pancreatic cancer and attempted suicide by poison, according to his medical records.

Exempt from federal health-privacy laws, states have long sold medical data to help finance public health studies. Demand for the information, which is relatively cheap, has shifted from university research programs to commercial data miners, which incorporate it into reports and databases they sell to direct marketers, insurers, and makers of drugs and medical devices. Twelve of the most populous U.S. states generated $1.91 million from 1,698 data sales in 2011, the latest year for which figures are available, public records show. (The data-mining industry, which buys the information and resells it to medical companies, will top $10 billion in revenue by 2020, McKinsey estimates.) Washington State’s health agency sold its database 95 times that year, collecting a mere $15,950. Donn Moyer, a spokesman for the state’s health department, says it chose to release extra identifying information such as patients’ Zip Codes to make its data more useful.

The bottom line: Medical data sold cheaply by state health agencies often contain details that can be used to identify patients.