Tip Sheets

Tips for covering the hidden trade in patient data

By Adam Tanner

Five years ago I began researching my book "What Stays in Vegas: The World of Personal Data - Lifeblood of Big Business - and the End of Privacy as We Know It." Initially, I thought I could cover the business of patient data in a single chapter. Yet the opaque trade proved so hard to unravel that it took another two years of research and led to another book, "Our Bodies, Our Data: How Companies Make Billions Selling Our Medical Records."

The big health data bazaar is complicated but fascinating, and it is worthy of further reporting as society grapples with the balance between allowing patients to control their own data and allowing outsiders to study it to advance commerce and science.

In broad terms, the trade consists of the following categories:

Overview of the Trade in Patient Data

Anonymized Patient Information. HIPAA allows doctors’ offices, pharmacies, testing labs, insurers and middlemen to sell patient information provided it is de-identified to certain standards. Health care providers do not have to inform patients or seek their consent.

Data mining companies such as QuintilesIMS and Symphony Health use these details to create anonymized dossiers on hundreds of millions of patients, as well as named dossiers on their doctors. Pharmaceutical companies use such details to market drugs, and say the data will also help advance science.

Data miners say trade in anonymized data poses no risk to individuals. Yet data scientists say computing advances make it increasingly possible to re-identify anonymized patients. For example, a recent study at Harvard (where Latanya Sweeney is a top expert in the field) re-identified South Korean national ID numbers a middleman firm had sold to QuintilesIMS.

Named Patient Information. Companies also buy and sell identified patient data – name, address, phone number, email and medical conditions – for marketing purposes. Such details come from social media, fitness apps, surveys, magazine subscriptions, public records, the Internet of things and other sources not covered by HIPAA.

Mixing Anonymized and Named Information. Some data firms specialize in mixing anonymized and named information to create profiles of those most likely to suffer from certain diseases. This technique, called propensity modeling, allows companies to buy named lists of consumers to market medicine to them directly. Firms in this field include Crossix and Medicx.

Why We Care

The trade in patient medical data is a multibillion-dollar business. QuintilesIMS alone is worth nearly $20 billion. As the trade grows, such patient information risks causing someone great embarrassment or discrimination. Recent discussion about the possible existence of a secret dossier about President Donald Trump highlights the ever-growing danger of adversaries using personal data as a tool. Medical data represents some of the most intimate and potentially damaging information about a person. A good resource on this issue is Deborah Peel, M.D., founder of Patient Privacy Rights.

Key Questions and Regions in the Patient Data Business

Key questions for journalists to ask include:

  • Do patients, doctors, nurses, pharmacists and others in their community know about the trade in patient data and how do they feel about it?

  • How are local research institutions using anonymized patient data, and what are the results?

  • Are local companies selling in the big health data bazaar?

Reporters should also seek to document cases in which employers or marketers are using such information to discriminate against individuals.

Important cities and states in the big health data bazaar include headquarters of drug companies such as Pfizer (NYC), Merck (Whitehouse Station, N.J.), Eli Lilly (Indianapolis), and Abbott (Abbott Park, Ill.); as well as leading medical research regions such as the San Francisco Bay Area, Boston/Cambridge, San Diego, Baltimore/Suburban DC, NYC, Philadelphia, Raleigh-Durham, Los Angeles/Orange County, Chicago, New Jersey, Minneapolis, Houston, Cleveland, Pittsburgh, Milwaukee, Denver, Kansas City and Dallas.

Final Thought

The trade in patient data can be difficult to report because many companies are reluctant to discuss these activities. Yet the threat to patients from these commercial operations is growing – as are potential gains – making it an essential topic.

Adam Tanner (@DataCurtain) is the author of the new book “Our Bodies, Our Data: How Companies Make Billions Selling Our Medical Records” as well as “What Stays in Vegas: The World of Personal Data – Lifeblood of Big Business – and the End of Privacy as We Know It” (2014).