The gaping privacy hole in healthcare data is not where you think

There are many entities tracking and analyzing online and mobile app queries about health conditions—and that information can be mined by third parties for purposes that are not usually in the patient’s best interest.

In many countries, protecting the privacy of a patient’s healthcare data is the prime directive. Healthcare data is considered to be the most private of all private information. Yet big data collectors have managed to find ways around privacy laws such as HIPAA, and are reaping huge amounts of sensitive health information with impunity.   

In some cases, they do so by inferring medical conditions from other data, such as social media posts, or from GPS tracking data that shows an individual regularly going to a cancer clinic or other specialized medical institution. But in other instances they have surprisingly done so with the apparent aid and approval of traditional healthcare organizations, albeit sometimes by accident.

Where the health data comes from 

According to the Pew Internet Project, the majority of U.S. Internet users (72%) look up health information online, as do 52% of smartphone users and 31% of cell phone owners. Nineteen percent of U.S. smartphone users have also downloaded a health tracking or health management app. This scenario is likely to be the same or similar across many countries.

Anyone possessing even an inkling of how invasive most big data collectors are can readily discern that online and app tracking is a given in this day and age. Therefore, it should come as no surprise that there are many entities tracking and analyzing people's online and mobile app queries about health conditions.

But even when people try to be careful—say by going to a reputable organization’s website to seek medical information, and thereby avoid giving up private information—that information also ends up being mined by third parties for purposes that are not usually in the patient’s best interest.

“An astonishing number of the pages we visit to learn about private health concerns—confidentially, we assume—are tracking our queries, sending the sensitive data to third party corporations, even shipping the information directly to the same brokers who monitor our credit scores,” writes Brian Merchant in a post at Motherboard. “It’s happening for profit, for an ‘improved user experience,’ and because developers have flocked to ‘free’ plugins and tools provided by data-vacuuming companies.”

“This isn’t just commercial sites who need to turn a profit, these are organizations you trust: the government, non-profits, universities,” Merchant reported that Timothy Libert, a researcher at the University of Pennsylvania, told him.

From the CDC to WebMD – 9 out of 10 healthcare pages leak private data

Libert analyzed over 80,000 webpages on healthcare websites and found that:

“nine out of ten visits result in personal health information being leaked to third parties, including online advertisers and data brokers.”

You can read a February 2015 press release on his findings for a quick recap, or read the article Libert wrote titled “Privacy Implications of Health Information Seeking on the Web” published in the March 2015 issue of Communication of the ACM.

Healthcare data leaked in this way can be used by criminals, or it can be used to discriminate against individuals in everything from credit scores and employment to bank loans and home mortgages—and in other ways too.

Watch this short video by Libert on how this happening, what it means to individuals, and what needs to be done to correct the situation.

Source: YouTube

What healthcare providers should do to avoid liability for healthcare data leaks on websites

Libert says that:

“the Federal Health Insurance Portability and Accountability Act (HIPPA) is not meant to police business practices by third party commercial entities or data brokers. The field of regulation is widely nonexistent in the U.S., meaning that individuals looking up health information online are left exposed and vulnerable.”

While this activity is not illegal at the moment, at least in the U.S., understand that it does violate the spirit of laws like HIPAA and the trust your patients and website visitors have placed on you. 

Follow the steps Libert outlined in his video. Make sure your website does not use plugins or other tools that send visitor data out to third parties. Make sure the website overall is secure and no portal or oversight exists that may serve as an open entrance for cybercriminals and data miners.

Remember that while laws in the U.S. do not currently address health data gathered from websites, that could change any day now. New laws may even be retroactive in effect. In order to avoid future liability, it’s best to plug these privacy holes now.

The nuviun industry network is intended to contribute to discussion and stimulate debate on important issues in global digital health. The views are solely those of the author.