The Privacy Prescription: Why Health Data Privacy Is in Critical Condition and How to Fix It
Ebook, 339 pages, 4 hours


About this ebook

Your health data is being captured, sold, and analyzed every day, and our health data privacy laws are not keeping pace. In fact, the average American will generate 2,750 times more health data not protected by our current privacy laws than data protected by them.


Language: English
Release date: Sep 1, 2021
ISBN: 9781637304761


    Book preview

    The Privacy Prescription - Jacqueline Kimmell

    The Privacy Prescription

    Why Health Data Privacy Is In Critical Condition and How to Fix It

    Jacqueline Kimmell

    new degree press

    copyright © 2021 Jacqueline Kimmell

    All rights reserved.

    The Privacy Prescription

    Why Health Data Privacy Is In Critical Condition and How to Fix It

    ISBN

    978-1-63676-739-0 Paperback

    978-1-63730-475-4 Kindle Ebook

    978-1-63730-476-1 Digital Ebook

    CONTENTS


    INTRODUCTION

    An Urgent Infection in the Czech Republic

    PART 1

    Getting Acquainted with Health Privacy Laws

    CHAPTER I

    HIP... HIP... Hooray? A History of HIPAA

    CHAPTER II

    The Seven Big Ways HIPAA Falls Short

    CHAPTER III

    Five Reasons HIPAA Is Better Than You’d Expect

    PART 2

    Why Health Data is More Vulnerable than Ever

    CHAPTER IV

    What Isn’t Protected

    CHAPTER V

    Facing Down Facebook

    CHAPTER VI

    The New Gold Rush

    CHAPTER VII

    All Our Data Is Health Data

    CHAPTER VIII

    When Smartphones Aren’t So Smart on Privacy

    CHAPTER IX

    Not So Epic

    CHAPTER X

    23 and You? Genetic Data and Privacy

    CHAPTER XI

    A Living Museum of Misunderstanding

    PART 3

    The Unintended Consequences of Privacy Laws

    CHAPTER XII

    The Potential for Big Data

    CHAPTER XIII

    The Seven Stages of Hell

    CHAPTER XIV

    The Prism

    CHAPTER XV

    The Holy Grail of Interoperability

    PART 4

    Writing the Prescription: How to Chart a Path Forward

    CHAPTER XVI

    Guiding the Way with the CCPA: Legal Options for Data Privacy

    CHAPTER XVII

    Taking a Bite Out of the Privacy Problem: The Path Forward

    CHAPTER XVIII

    How to Protect Your Data (If You’d Like): A Practical Guide

    Acknowledgments

    Appendix

    Introduction

    An Urgent Infection in the Czech Republic


    March 13, 2020

    It was 5 a.m. when hospital patients in Brno, Czech Republic first heard the sirens.

    They began to announce an urgent infection—but not the type you might expect one day after the country declared the COVID-19 pandemic a national emergency. Patients darted around looking confused or terrified. Then, in loud Czech, a voice on the loudspeaker demanded that all hospital personnel immediately shut down their computers due to a cybernetic emergency.

    A cyberattack had infected the hospital’s IT system—and things sounded bad (Cimpanu, 2020).

    Peter Gramantik, a patient in the hospital (and, ironically, a security researcher), didn’t know what to do. He was waiting for a scheduled surgery and wasn’t sure what would happen with his care. So, he stayed put, mentally drowning out the dire warnings as they repeated every thirty minutes.

    Five announcements later, at 8 a.m., another voice came on to announce all surgeries had been canceled. Gramantik had no choice but to go home. Hospital staff frantically began transferring their sickest patients to other hospitals nearby. Other staff spent hours trying to repair their IT system. The next day, two other Czech hospitals were almost victims of similar attacks (Newman, 2020).

    March 14, 2020

    Just a day later across the Channel in London, workers at Hammersmith Medicines Research were preparing to help test a vaccine for COVID-19. Their company, which helps run clinical trials, was seeing cases spike in the UK and thought it could play a crucial role in addressing the pandemic.

    Then, every computer in the company went black. They’d been hacked.

    Criminals had locked down thousands of the company’s patient records; they threatened to publish them all unless the company paid a massive ransom. But Managing Director Malcolm Boyce refused to give in. “We have no intention of paying. I would rather go out of business than pay a ransom to these people,” he told Computer Weekly.

    A few days later, the hackers followed through on their threat. They published the records of 2,300 past patients involved in Ebola and Alzheimer’s trials, including detailed medical information, photos of their active passports and national insurance numbers (Goodwin, 2020; Gallagher, 2020). While they eventually took the records down, thousands of patients became worried about their data having been exposed.

    Five thousand miles away on the same day in Silicon Valley, biotechnology company 10x Genomics Inc. was celebrating having joined forces with dozens of other organizations worldwide in seeking to generate antibodies for COVID-19. It was an exciting development for one of the fastest-growing companies in the Bay Area. But that excitement was quickly dampened when they too fell victim to a ransomware attack.

    A criminal group, using the popular ransomware tool REvil, stole more than a terabyte of information off their servers. A few days later, the criminals posted a document online containing private information about the company’s internal computer systems and exposed personal details about its more than 1,200 employees.

    Employees panicked. IT experts rushed to take the details down, but they had been “compromised pretty badly,” according to a company that tracks such breaches. 10x Genomics began the hard process of trying to rehabilitate their image as a secure, trustworthy company. “It is particularly disappointing,” a company spokesperson said (with just a bit of understatement), “that we would be attacked at a time when our products are being used by researchers around the world to understand and fight COVID-19” (Gallagher, 2020).

    As word of these increasing attacks started to spread, leaders from many countries begged criminals to stop. “We’re in the midst of the most urgent health crisis in modern history, and these attacks threaten all of humanity,” said Peter Maurer, president of the International Committee of the Red Cross, in a letter the organization jointly signed with former world leaders, seven Nobel laureates and countless cyber experts. “We’re talking about a serious threat to life as part of cybercriminal activity,” warned Fernando Ruiz Pérez, acting head of Europol’s Cybercrime Center (Palmer, 2020).

    A few cybercriminals listened. Several of the largest hacking groups promised not to go after healthcare organizations until after the pandemic was over and to offer decryption codes to any care providers they attacked accidentally (Winder, 2020).

    But other gangs took the opportunity to become even more brazen. In September, Russian cybercriminals using new ransomware called Ryuk hobbled all 250 hospital and healthcare facilities of the chain Universal Health Services. In these hospitals, doctors had to record patient information by hand, deliver lab orders written on sheets of paper, and simply guess who might be infected with COVID-19. “As of right now we have no access to any patient files, history, nothing,” an anonymous worker for the chain in Texas said during the attack. “Doctors aren’t able to access any type of x-rays [or] CT scans to assess patients’ conditions.” Emergency room wait times increased from forty-five minutes to six hours (Bajak and Alonso-Zaldivar, 2020).

    A few days later, the first fatality known to be connected to a ransomware attack occurred in Germany. A woman with a life-threatening condition had to be transferred to another city thirty-two miles away for treatment after a cyberattack on her local hospital. The woman had to wait another hour for treatment and died. Police are pursuing charges of negligent manslaughter against the local hospital (AP, 2020).

    In October 2020, the FBI put out an alert that things would likely get even worse. It alerted all hospitals that it had “credible information of an increased and imminent cybercrime threat to US hospitals and healthcare providers” from the Ryuk software (Bajak, 2020). The Ryuk criminals, who had named themselves the Business Club, had become “one of the most brazen, heartless, and disruptive threat actors I’ve observed over my career,” said Charles Carmakal, chief technical officer of the cybersecurity firm Mandiant (Bajak, 2020).

    By the end of 2020, the Business Club became the most prolific ransomware gang in the world, raking in more than one hundred million dollars during 235 attacks (Poulsen & Evans, 2021). But they were just one of the gangs that went into 2021 poised to become an even greater threat. Experts say ransomware gangs entered the year even more sophisticated and professionalized. They’re now using consultants to figure out new ways to break into hospitals, building 24/7 online chat functions to communicate with victims and scheduling attacks months ahead of time to yield the maximum possible damage (Barrett, 2020).

    Gangs have also become bolder in their demands. In 2018, the average requested fee to reverse an attack was about $5,000. That was never a negligible amount, but it grew to more than $200,000 in 2020 (Newman, 2020b).

    Clearly, healthcare organizations are never safe from cyberattacks—even during an unprecedented global pandemic. Providers have been distracted, employees have been working from home, and systems are increasingly virtual—an almost irresistible combination for hackers who can get far greater ransoms by targeting healthcare companies than those in other industries as the data healthcare firms hold is so private.

    Unfortunately, the end of the pandemic likely won’t change anything. As Charles Carmakal explains, “Everything that’s played out this year leads me to believe it’s going to just keep getting worse until something really dramatic happens... I see no reason why ransomware would slow down in 2021” (Newman, 2020).

    Legally Conned: Moving Beyond Hacks to Legally Sanctioned Data Collection

    Theft of medical records is a problem few fully know the scope of—but may need to know more about soon. Hackers breached the personal healthcare records of more than forty-one million Americans in 2019—nearly triple the number of just the year before (Landi, 2020). Put another way, at least one medical data hack has occurred per day in the US since 2016. And given that many breaches aren’t publicly reported, that’s likely an underestimate.

    Scary, right? But it gets worse. Even if you weren’t one of the forty-one million victims of a cyberattack last year, I’d bet your healthcare data isn’t as secure or private as you think it is.

    Sure, cyberattacks are dramatic, affect millions, and often get a large share of the spotlight. But in 2021, medical data is being compromised in many alarming legal ways too. While hacks and the activities of cybercriminals are an easy threat to latch onto, I’d argue that the legal sharing of data is usually more concerning.

    Here’s the secret: The moment you leave your doctor’s office, your providers are very likely selling your data. You may have not even left the parking lot before that data is in the servers of dozens of for-profit companies. Providers don’t even need your consent. (In theory, the data is anonymous because it’s been stripped of your name…but as we’ll see, it’s often trivial for third parties to connect your medical records back to you and the rest of your data.)

    Your health data feeds into a multibillion-dollar market where data miners buy, sell, and barter the intimate anonymized profiles of hundreds of millions of Americans. This is a remarkably complex web (Figure 1) where the biggest players make billions of dollars every year. One of the largest players, IQVIA, made more than eleven billion dollars in 2019 based on its comprehensive dossiers on the health information of more than half a billion people worldwide (IMS, 2019). That means it made more than the GDP of fifty countries in the world today. In other words, IQVIA data covers the equivalent of the entire world population in the year 1800. Other companies, including Optum, IBM Watson, GE, and Lexis Nexis, each have data on millions—usually hundreds of millions—of patients as well.

    Figure 1: The Network of Patient Data Sharing. Image based on a static map in Adam Tanner’s 2017 report, Strengthening Protection of Patient Medical Data.

    Your doctor may not even know your data is being sold. For instance, for many years, doctors didn’t realize that data on their prescribing habits were sold by pharmaceutical companies to data miners. As more became aware, they complained to medical boards, which, in turn, started lobbying for laws aiming to ban this trade. In response, the data miners sued the medical boards. The case went all the way to the Supreme Court, which held that such bans violated the First Amendment right to free speech (Sorrell v. IMS Health, 2010). That is, it was illegal to prevent data miners from mining the data because it silenced their constitutional rights.

    Now, as healthcare grows increasingly digital, more companies are making even bigger profits.

    The former head of IMS Canada and Latin America, a former parent company of IQVIA, said the company pitches doctors, pharmacies, insurers, and others with a simple proposition: “Look, you are creating data as a byproduct. It’s an exhaust from your system. Why don’t you take that thing and turn it into an asset and sell it?” He added, “That is the way we would get people to think about data as an asset—with full confidence that we were not violating anyone’s privacy or the law” (Tanner, 2017).

    While the claim that they weren’t violating anyone’s privacy is debatable, it’s clear they weren’t breaking the law. That’s the crazy part of data mining; it doesn’t violate our most important health privacy law in the US, the Health Insurance Portability and Accountability Act (HIPAA).

    Mining is legal because the data sold is technically de-identified, or stripped of any personal identifiers (eighteen of them, according to the standards of HIPAA). As such, it is permissible to sell and buy. But the purchasers of data can use sophisticated technology to tie that data back to you and essentially re-identify it. And that’s fine, legally speaking, because these data buyers aren’t subject to the mandates of HIPAA (which affects only the initial sale of data from healthcare providers, such as hospitals, doctors, and insurers).

    Even if you’re not a massive data mining company, re-identification of data is not that hard to do. Techniques such as machine learning make it remarkably easy to re-identify data (Na et al., 2018). While a graduate student, Latanya Sweeney, one of the foremost privacy researchers and now a professor at Harvard, did a simple experiment. She knew the state of Massachusetts was planning on releasing the anonymized insurance records of hundreds of thousands of patients. She also knew that the state’s governor, William Weld, had just been hospitalized after collapsing during a public ceremony. Using his publicly available zip code and birth date, she found his record in moments in the insurance database (Berkeley, 2014). She was then easily able to confirm the entry was his by using his public voting record.

    Remarkably easy re-identification. Could this have been so easy only because he was a public figure? Not at all. In another study, Sweeney calculated that zip code, birth date, and gender alone could re-identify as many as 87.1 percent of all Americans in most anonymous databases (Sweeney, 2000). In another experiment, she bought a fifty-dollar database from the state of Washington that contained all hospitalization records for a year. Using publicly available newspaper articles, she was able to identify the names of 43 percent of all patients in the database and match them to their sensitive hospitalization information (Sweeney, 2013).

    As processing capacity grows, this re-identification becomes even easier. In 2009, Arvind Narayanan, now a top de-identification expert at Princeton, wrote on his blog 33 Bits of Entropy that a lot of traditional thinking about anonymous data relied on the fact that you can hide in a crowd that’s too big to search through. That notion completely breaks down given today’s computing power: “As long as the bad guy has enough information about his target, he can simply examine every possible entry in the database and select the best match.” That was with the computer power of over a decade ago.
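    As an added illustration, not from the book, the Python below measures the disclosure risk Sweeney’s experiments exposed: it groups a constructed, HIPAA-style de-identified record set by the quasi-identifiers zip code, birth date and sex, reports the k-anonymity and the share of records that stand alone, and shows how generalizing those fields (zip prefix, birth year) changes the result. The records and helper names are constructed for this example, not a library API.

```python
from collections import defaultdict

# Constructed sample of "de-identified" hospital discharge records: names
# removed, but zip code, birth date and sex retained, as in the releases
# Sweeney studied. The last field is the sensitive attribute (diagnosis).
RECORDS = [
    ("02138", "1945-07-31", "M", "cardiac"),
    ("02138", "1945-07-31", "M", "fracture"),
    ("02138", "1962-03-02", "F", "asthma"),
    ("02139", "1962-03-02", "F", "asthma"),
    ("02139", "1980-11-15", "M", "flu"),
    ("02139", "1980-11-15", "M", "flu"),
    ("02140", "1975-01-09", "F", "diabetes"),
    ("02140", "1975-01-09", "F", "migraine"),
]


def quasi_key(rec, zip_digits=5, year_only=False):
    """Project a record onto its quasi-identifiers, optionally generalized:
    keep only a zip prefix and/or the birth year instead of the full date."""
    zip_code, dob, sex, _diagnosis = rec
    return (zip_code[:zip_digits], dob[:4] if year_only else dob, sex)


def equivalence_classes(records, **gen):
    """Group records that share the same (generalized) quasi-identifier tuple.
    Anyone holding a voter roll with zip, birth date and sex can narrow a
    person down to exactly one of these groups."""
    classes = defaultdict(list)
    for rec in records:
        classes[quasi_key(rec, **gen)].append(rec)
    return classes


def k_anonymity(records, **gen):
    """Smallest group size. k == 1 means at least one person is singled out."""
    return min(len(c) for c in equivalence_classes(records, **gen).values())


def fraction_unique(records, **gen):
    """Share of records whose quasi-identifiers match nobody else's; this is
    the quantity behind Sweeney's 87.1 percent estimate for zip+dob+gender."""
    classes = equivalence_classes(records, **gen)
    singled_out = sum(len(c) for c in classes.values() if len(c) == 1)
    return singled_out / len(records)


def min_diversity(records, **gen):
    """Fewest distinct diagnoses in any group (l-diversity). Even with k >= 2,
    a group where everyone shares one diagnosis still discloses it."""
    classes = equivalence_classes(records, **gen)
    return min(len({r[3] for r in c}) for c in classes.values())


def release_report(records, **gen):
    """Summary a data steward would check before publishing a release."""
    return {
        "k": k_anonymity(records, **gen),
        "fraction_unique": fraction_unique(records, **gen),
        "l": min_diversity(records, **gen),
    }


if __name__ == "__main__":
    print("full zip + full birth date:", release_report(RECORDS))
    print("3-digit zip + birth year:  ",
          release_report(RECORDS, zip_digits=3, year_only=True))
```

    Generalization lifts the sample from k=1 to k=2, but l stays at 1 because two groups contain a single diagnosis, which is why k-anonymity alone is not a sufficient release test.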

    The ease and power of the re-identification process is illustrated by the actors who work in a parallel industry to data miners: data brokers. Data brokers assemble files with the actual names (and often emails, phone numbers, addresses and social media accounts) of millions of Americans along with their personal attributes. They collect your medical information from a range of sources including public records, surveys, social media, loyalty programs, and commercial data such as magazine subscription lists. They can also track your activity online and use algorithms to deduce many things about you, such as your educational level, marital status, net worth, and race. A website with lists of offerings from data brokers (compiled by Adam Tanner in his excellent report for the Century Foundation in 2017) includes:

    People with cancer by state

    Booming boomers with erectile dysfunction

    Bladder control product buyers list

    Heart disease sufferers email/postal/phone mailing list

    STD mater (or mature singles that may have a sexually transmitted disease)

    Can you imagine appearing on such a list? Or having one of your family members appear on one? You’ll likely be advertised to for these medical conditions you may be trying to hide.

    But even if you remain off such a list, there’s little doubt that many others are tapping into data brokers’ files and using them to augment what they know about you. Insurers, for instance, will often assess things like your online purchases, what you post on social media, and how much time you spend watching TV.

    This information can be remarkably valuable when fed into an algorithm to predict your cost of medical care. For instance, do you buy plus-sized pants? Many algorithms will peg you as potentially having depression (valuable information given high mental health costs). Or are you a woman who just changed your name? The algorithms will likely flag you for high future health spending, as you likely either (a) just got married and may get pregnant soon or (b) are anxious and stressed due to a recent divorce (both quite costly).

    Insurers routinely harvest this data for a variety of uses, the most important being pricing health insurance plans or potentially charging higher premiums in your area (Allen, 2018). Insurers are free to discriminate against you based on this information because it isn’t technically health information as understood under HIPAA. “We have a health privacy machine that’s in crisis,” explains Frank Pasquale, a professor at the University of Maryland Carey School of Law who specializes in this topic. “We have a law, [HIPAA], that only covers one source of health information,” he notes, “and the insurers and data brokers are rapidly developing another source” (Allen, 2018).

    All of this activity is perhaps most frightening because it happens in the background. You may never know what information impacts decisions as important as the price you pay for health insurance. On a larger scale, insurers are routinely using data to determine if they want to offer coverage to a particular neighborhood or population, based on what they expect would be the cost of that population’s health conditions and what the margins are to cover them. So, these hidden datasets and algorithms may determine how many health insurers you can buy from and the price you pay in your area. “God forbid you live on the wrong street these days,” one salesman from a data broker company joked to NPR about this zip-code-based mining in 2018. “You’re going to get lumped in with a lot of bad things” (Allen, 2018).

    Not all threats to data privacy are covert, however. Rather, millions of us are also explicitly sharing our most intimate and private health data with private companies, often without a second thought. Use a health app on your phone? None of the data you enter is protected through HIPAA.

    Companies can do whatever they want with the data they collect on you, including personal details like the last time you had sex, your dates of ovulation, your weight, your moods, or any one of thousands of other data points that many Americans use apps to track routinely. Most often, they sell that data to other companies that will target advertising to you based upon it. For instance, Sam Schechner and Mark Secada at the Wall Street Journal in 2019 investigated the most common apps on the Apple Store and found that at least eleven were sharing personal health data with companies on Facebook to target advertising. Apps tracking highly personal data like dates of ovulation were matched to real Facebook profiles to sell targeted ads for expectant mothers and new parents, for example.

    It’s overwhelming. As W. Nicholson Price and I. Glenn Cohen, two of the most prominent health privacy law thinkers, summarize in a seminal piece about the state of health privacy today, the fundamental problem is that the majority of health data is not covered by HIPAA at all. “Today, the type of data sources covered by HIPAA are but a small part of a larger health data ecosystem. HIPAA does not cover healthcare data generated outside of [hospitals and doctor’s offices]” (Price and Cohen, 2019).

    In essence, it doesn’t cover health (as opposed to healthcare) data generated by myriad people or products. It doesn’t cover user-generated information about health, such as the use of a blood-sugar-tracking smartphone app or a set of Google searches about particular symptoms or insurance coverage for serious disorders. And it certainly doesn’t cover the huge volume of data that is not about health at all but permits inferences about health—such as when the information about a shopper’s Target purchases famously revealed her pregnancy (Price and Cohen, 2019).

    Even the health information that is protected, such as your records from your local hospital, is vulnerable to the increasing number of cyberattacks mentioned at the beginning of this chapter. It is also at risk from the whims and fallibilities of every healthcare worker with access to these records. In one survey
