State of Cybercrime

Medical Privacy Expert Adam Tanner (Part I)

Episode Summary

Adam Tanner is the author of "Our Bodies, Our Data", which tells the story of a hidden dark market in drug prescription and other medical data. In this first part of our interview, we learn from Adam how this business in selling medical information got started and why it's legal under HIPAA.

Episode Notes

Adam Tanner is the author of "Our Bodies, Our Data", which tells the story of a hidden dark market in drug prescription and other medical data. Adam explains how the sale of "anonymized" data is a multi-billion dollar business not covered by HIPPA rules. In this first part of our interview, we learn from Adam how the medical data brokers got started and why it's legal.

Transcript

Inside Out Security: Today, I'd like to welcome Adam Tanner. Adam is a writer-in-residence at Harvard University's Institute for Quantitative Social Science. He's written extensively on data privacy. He's the author of What Stays In Vegas: The World of Personal Data and the End of Privacy As We Know It. His articles on data privacy have appeared in Scientific American, Forbes, Fortune, and Slate. And he has a new book out, titled "Our Bodies, Our Data," which focuses on the hidden market in medical data. Welcome, Adam.

Adam Tanner: Well, I'm glad to be with you.

IOS: We've also been writing about medical data privacy for our Inside Out Security blog. And we're familiar with how, for example, hospital discharge records can be legally sold to the private sector.

But in your new book, and this is a bit of a shock to me, you describe how pharmacies and others sell prescription drug records to data brokers. Can you tell us more about the story you've uncovered?

AT: Basically, throughout your journey as a patient into the healthcare system, information about you is sold. It has nothing to do with your direct treatment. It has to do with commercial businesses wanting to gain insight about you and your doctor, largely, for sales and marketing.

So, take the first step. You go to your doctor's office. The door is shut. You tell your doctor your intimate medical problems. The information that is entered into the doctor's electronic health system may be sold, commercially, as may the prescription that you pick up at the pharmacy or the blood tests that you take or the urine tests at the testing lab. The insurance company that pays for all of this or subsidizes part of this, may also sell the information.

That information about you is anonymized.  That means that your information contains your medical condition, your date of birth, your doctor's name, your gender, all or part of your postal zip code, but it doesn't have your name on it.

All of that trade is allowed, under U.S. rules.

IOS: You mean under HIPAA?

AT: That's right. Now this may be surprising to many people who would ask this question, "How can this be legal under current rules?" Well, HIPAA says that if you take out the name and anonymize according to certain standards, it's no longer your data. You will no longer have any say over what happens to it. You don't have to consent to the trade of it. Outsiders can do whatever they want with that.

I think a lot of people would be surprised to learn that. Very few patients know about it. Even doctors and pharmacists and others who are in the system don't know that there's this multi-billion-dollar trade.

IOS:Right … we've written about the de-identification process, which it seems like it's the right thing to do, in a way, because you're removing all the identifiers, and that includes zip code information, other geo information. It seems that for research purposes that would be okay. Do you agree with that, or not?

AT: So, these commercial companies, and some of the names may be well-known to us, companies such as IBM Watson Health, GE, LexisNexis, and the largest of them all may not be well-known to the general public, which is Quintiles and IMS. These companies have dossiers on hundreds of millions of patients worldwide. That means that they have medical information about you that extends over time, different procedures you've had done, different visits, different tests and so on, put together in a file that goes back for years.

Now, when you have that much information, even if it only has your date of birth, your doctor's name, your zip code, but not your name, not your Social Security number, not things like that, it's increasingly possible to identify people from that. Let me give you an example.

I'm talking to you now from Fairbanks, Alaska, where I'm teaching for a year at the university here. I lived, before that, in Boston, Massachusetts, and before that, in Belgrade, Serbia. I may be the only man of my age who meets that specific profile!

So, if you knew those three pieces of information about me and had medical information from those years, I might be identifiable, even in a haystack of millions of different other people.

IOS: Yeah …We have written about that as well in the blog. We call these quasi-identifiers. They're not the traditional kind of identifiers, but they're other bits of information, as you pointed out, that can be used to sort of re-identify. Usually it's a small subset, but not always. And that this information would seem also should be protected as well in some way. So, do you think that the laws are keeping up with this?

AT: HIPAA was written 20 years ago, and the HIPAA rules say that you can freely trade our patient information if it is anonymized to a certain standard. Now, the technology has gone forward, dramatically, since then.

So, the ability to store things very cheaply and the ability to scroll through them is much more sophisticated today than it was when those rules came into effect. For that reason, I think it's a worthwhile time to have a discussion now. Is this the best system? Is this what we want to do?

Interestingly, the system of the free trade in our patient information has evolved because commercial companies have decided this is what they'd want to do. There has not been an open public discussion of what is best for society, what is best for patients, what is best for science, and so on. This is just a system that evolved.

I'm saying, in writing this book, "Our Bodies, Our Data," that it is maybe worthwhile that we re-examine where we're at right now and say, "Do we want to have better privacy protection? Do we want to have a different system of contributing to science than we do now?"

IOS: I guess what also surprised me was that you say that pharmacies, for example, can sell the drug records, as long as it's anonymized. You would think that the drug companies would be against that. It's sort of leaking out their information to their competitors, in some way. In other words, information goes to the data brokers and then gets resold to the drug companies.

AT: Well, but you have to understand that everybody in what I call this big-data health bazaar is making money off of it. So, a large pharmacy chain, such as CVS or Walgreen's, they may make tens of millions of dollars in selling copies of these prescriptions to data miners.

Drug companies are particularly interested in buying this information because this information is doctor-identified. It says that Dr. Jones in Pittsburgh prescribes drug A almost all the time, rather than drug B. So, the company that makes drug B may send a sales rep to the doctor and say, "Doctor, here's some free samples. Let's go out to lunch. Let me tell you about how great drug B is."

So, this is because there exists these doctor profiles on individual doctors across the country, that are used for sales and marketing, for very sophisticated kind of targeting.

IOS: So, in an indirect way, the drug companies can learn about the other drug companies' sales patterns, and then say, "Oh, let me go in there and see if I can take that business away." Is that sort of the way it's working?

AT: In essence, yes. The origins of this trade date back to the 1950s. In its first form, these data companies, such as IMS Health, what they did was just telling companies what drugs sold in what market. Company A has 87% of the market. Their rival has 13% of the market. When medical information began to become digitized in the 1960s and '70s and evermore since then, there was a new opportunity to trade this data.

So, all of a sudden, insurance companies and middle-men connecting up these companies, and electronic health records providers and others, had a product that they could sell easily, without a lot of work, and data miners were eager to buy this and produce new products for mostly the pharmaceutical companies, but there are other buyers as well.

IOS:  I wanted to get back to another point you mentioned, in that even with anonymized data records of medical records, with all the other information that's out there, you can re-identify or at least limit, perhaps, the pool of people who that data would apply to.

What's even more frightening now is that hackers have been stealing health records like crazy over the last couple of years. So, there's a whole dark market of hacked medical data that, I guess, if they got into this IMS database, they would have the keys to the kingdom, in a way.

Am I being too paranoid here?

AT: Well, no, you correctly point out that there has been a sharp upswing in hacking into medical records. That can happen into a small, individual practice, or it could happen into a large insurance company.

And in fact, the largest hacking attack of medical records in the last couple of years has been into Anthem Health, which is the Blue Cross Blue Shield company. Almost 80 million records were hacked in that.

So even people that did... I was hacked in that, even though I was not, at the time, a customer of them or had never been a customer of them, but they... One company that I dealt with outsourced to someone else, who outsourced to them. So, all of a sudden, this information can be in circulation.

There’s a government website people can look at, and you'll see, every day or two, there are new hackings. Sometimes it involves a few thousand names and an obscure local clinic. Sometimes it'll be a major company, such as a lab test company, and millions of names could be impacted.

So, this is something definitely to be concerned about. Yes, you could take these hacked records and match them with anonymized records to try to figure out who people are, but I should point out that there is no recorded instance of hackers getting into these anonymized dossiers by the big data miners.

IOS: Right. We hope so!

AT: I say recorded or acknowledged instance.

IOS: Right. Right. But there's now been sort of an awareness of cyber gangs and cyber terrorism and then the use of, let's say, records for blackmail purposes.

I don't want to get too paranoid here, but it seems like there's just a potential for just a lot of bad possibilities. Almost frightening possibilities with all this potential data out there.

AT: Well, we have heard recently about rumors of an alleged dossier involving Donald Trump and Russia.

IOS: Exactly.

AT: And information that... If you think about what kind of information could be most damaging or harmful to someone, it could be financial information. It could be sexual information, or it could be health information.

IOS: Yeah, or someone using... or has a prescription to a certain drug of some sort. I'm not suggesting anything, but that... All that information together could have sort of lots of implications, just, you know, political implications, let's say.

AT: I mean if you know that someone takes a drug that's commonly used for a mental health problem, that could be information used against someone. It could be used to deny them life insurance. It could be used to deny them a promotion or a job offer. It could be used by rivals in different ways to humiliate people. So, this medical information is quite powerful.

One person who has experienced this and spoken publicly about it is the actor, Charlie Sheen. He tested positive for HIV. Others somehow learned of it and blackmailed him. He said he paid millions of dollars to keep that information from going public, before he decided finally that he would stop paying it, and he'd have to tell the world about his medical condition.

IOS: Actually I was not aware of the payments he was making. That's just astonishing. So, is there any hope here? Do you see some remedies, through maybe regulations or enforcement of existing laws? Or perhaps we need new laws?

AT: As I mentioned, the current rules, HIPAA, allows for the free trade of your data if it's anonymized. Now, I think, given the growth of sophistication in computing, that we should change what the rule is and to define our medical data as any medical information about us, whether or not it's anonymized.

So, if a doctor is writing in the electronic health record, you should have a say as to whether or not that information is going to be used elsewhere.

A little side point I should mention. There are a lot of good scientists and researchers who want data to see if they can gain insights into disease and new medications. I think people should have the choice whether or not they want to contribute to those efforts.

So, you know, there's a lot of good efforts. There's a government effort under way now to gather a million DNA samples from people to make available to science. So, if people want to participate in that, and they think that's good work, they should definitely be encouraged to do so, but I think they should have the say and decide for themselves.

And so far, we don't really have that system. So, by redefining what patient data is, to say, "Medical information about a patient, whether or not it's anonymized," I think that would give us the power to do that.

IOS: So effectively, you're saying the patient owns the data, is the owner, and then would have to give consent for the data to be used. Is that, about right?

AT: I think so. But on the other hand, as I mentioned, I've written this book to encourage this discussion. The problem we have right now is that the trade is so opaque.

Companies are extremely reluctant to talk about this commercial trade. So, they do occasionally say that, "Oh, this is great for science and for medicine, and all of these great things will happen." Well, if that is so fantastic, let's have this discussion where everyone will say, "All right. Here's how we use the data. Here's how we share it. Here's how we sell it."

Then let people in on it and decide whether they really want that system or not. But it's hard to have that intelligent policy discussion, what's best for the whole country, if industry has decided for itself how to proceed without involving others.

IOS: Well, I'm so glad you've written this book. This will, I'm hoping, will promote the discussion that you're talking about. Well, this has been great. I want to thank you for the interview. So, by the way, where can our listeners reach out to you on social media? Do you have a handle on Twitter? Or Facebook?

AT: Well, I'm @datacurtain  and I have a webpage, which is http://adamtanner.news/

IOS: Wonderful. Thank you very much, Adam.