Why Health Data Privacy Needs a Shot in the Arm

The US healthcare sector has a nasty digital disorder that extends beyond the countless cases of data theft to something more pernicious. How did we catch it, and how do we cure it?

The headlines are filled with examples of hacked healthcare companies losing client data. From Anthem’s loss of 79 million users’ records in 2015, through to last December’s theft of 3.3 million users’ data from Regal Medical Group, the breaches keep coming. The US Department of Health and Human Services’ latest report to Congress shows a 58.2% increase in data breach reports affecting more than 500 people between 2017 and 2021.

Three Types of Breach

The first two leading causes of privacy breaches are well-understood. The Anthem breach falls under a targeted attack against a well-protected system. Investigators concluded that a foreign nation-state was involved and Anthem had taken reasonable measures to protect its data prior to the hack. The second cause is incompetent negligence, such as the exposure of millions of medical images online through insecure storage.

The third cause of privacy infractions is more interesting because it’s intentional. It’s done with the knowledge of the company responsible for the health data. To borrow from medical terminology, the first two types of breach are acute, discrete events with a known end. A privacy infraction baked into company policy is a chronic disease, festering for as long as the perpetrators allow it.

One of the most notable company-sanctioned privacy transgressions involved an online counselling service called BetterHelp. In March this year, the FTC forced the company to pay $7.8m to settle charges of sharing consumers’ sensitive healthcare data with third parties, including Facebook, Pinterest, and Snapchat. The FTC said that BetterHelp shared data, including information about consumers’ mental health challenges gathered via a questionnaire, along with their email addresses and IP addresses.

Passing this information to Facebook enabled the social media giant to mine data it held on its other users, finding those with similar traits to BetterHelp’s customers and targeting them with advertisements to generate new clients.

The FTC’s complaint also alleges that BetterHelp included the Health Insurance Portability and Accountability Act (HIPAA) seal on its sites and claimed certification without any government agency reviewing the company’s data practices.

Third-party tracking is rife among healthcare providers. A report in Health Affairs recently found that almost 99% of hospitals use tracking on their websites. These trackers sent data to social media, advertising companies, and data brokers. These hospitals “are facilitating the profiling of their patients by third parties,” said the report, leading to “dignitary harms”.

Sign Here and Give Up Your Privacy Rights to Continue

Privacy infractions aren’t always conducted without the user’s knowledge. Sometimes, as happens often in tech, companies persuade customers to sign away their privacy rights. A Washington Post investigation recently uncovered Amazon doing this as part of its Amazon Clinic consumer-focused healthcare venture. The service follows the platform model, providing a forum for consumers to interact with partner clinicians online and obtain medical prescriptions. However, like many platform operators, Amazon collects more than just a cut of the fee; it also gets to harvest customer data. In this case, the data up for grabs is highly sensitive, including details and photographs of medical conditions.

According to the WaPo investigation, Amazon requires customers to sign a form giving Amazon access to a patient’s medical file and permission for it to be “re-disclosed,” after which it “will no longer be protected by HIPAA.”

“What could go wrong?” asks WaPo author Geoffrey Fowler. “There are many icky ways Amazon could use your health information: to upsell you on other services, to target marketing for its giant advertising business, or to build out artificial intelligence or patient-risk models.”

Amazon – or indeed the companies to which it passes the data – could also legally sell your data on to others you’ve never heard of. It could potentially fall into state hands, raising the spectre of, say, state governments using a person’s actual or suspected pregnancy status to enforce anti-abortion laws.

We’ve already seen states using data to prosecute illegal abortion cases. Last summer, law enforcement officials used Facebook chat messages between a mother and daughter to prosecute a case of an illegally managed abortion. This case was brought before SCOTUS overturned Roe v. Wade and involved a violation of existing state law based on the term of the pregnancy.

Time For An Update To The Law

Amazon told WaPo that it doesn’t use customer data for purposes that customers haven’t consented to, but that’s the point. Customers often sign away consent without reading contracts as carefully as they should, in part because the contracts are lengthy and complex. In Amazon’s case, consent is mandatory: you either sign, or you don’t get the service. This wouldn’t be allowed under the EU’s General Data Protection Regulation (GDPR), which explicitly forbids making consent a condition of service in this way.

As it stands, HIPAA is the only federal law explicitly protecting health data, but it has shortcomings. It applies only to covered entities – healthcare providers and health businesses – and not to others who might collect and use health data.

When HIPAA passed in 1996, Windows 95 and Amazon.com were shiny and new. While technology has moved on, the law hasn’t. HIPAA is no longer as effective as we need it to be in a world where sensitive data and metadata are routinely digitized and delivered to the highest bidder. The US should update federal privacy legislation to strengthen or provide an alternative to HIPAA and the patchwork of laws supporting broader consumer privacy. Strong, cohesive federal privacy legislation would be just what the doctor ordered, along with a well-funded regulator to enforce it.