Medical Privacy

CONTENTS:                                                                                factsheet                        Direct url: privacy.globe1234.com
A. No Privacy Online or Shopping
B. Frequent Breaches by Doctors, Hospitals, Insurers, Governments
C. Electronic Medical Records
D. Many Releases Are Allowed by Law
E. Damages and Alternatives
F. Comparison of Lists of Data Breaches


A. No Privacy Online or Shopping

Patients' web browsing, purchases and social media comments often reveal their diseases. A good poster and study show how hundreds of data brokers buy this health information and spread it widely. Books include Our Bodies Our Data 2017,  Dragnet Nation 2015, What Stays in Vegas 2014. A 2018 review is in The Guardian.

Articles by the Wall Street Journal and Abine (which sells anti-tracking software) explain how trackers get information from your browser. The Wall Street Journal's reporters found their own paper's site was unintentionally sending email addresses, real names, gender, birth year and other data to three companies along with IP address, until the reporters discovered the leaks. If a sophisticated company, which knows the value of its data, unintentionally sent the data out free, the problem must be widespread. Once a data broker gets this link of real name with IP address, they can link that name to all their other data about that IP address. The FTC confirms that companies sell massive data for matching with IP address, while pretending that data are anonymous.

Data brokers comb such releases to see the names which use each IP address, and keep those names on file. Thus in homes with a fixed IP address, no browsing is anonymous. At businesses where many users share IP addresses, the brokers can't always identify people, but they can track the web use of the business overall, and thus its plans. Top executives or departments may have distinctive browsers (e.g. presence or absence of cookies, use of certain websites), so they would stand out from the company as a whole.

Facebook, LinkedIn and other advertising networks also link information from your contacts.

A 2017 study found that a list of the URLs you visit can be matched to you, even after IP address is suppressed, by:

• ​matching URLs in the list with domains you mentioned on Twitter or other social media at the same time. About 10 domains and timestamps are usually enough to identify someone uniquely.
• matching URLs of videos you watched with public lists of videos liked, or reviewed
• looking for administrative ids at some social media sites which are only visible to you as a user, and show up in the list of URLs.

After identifying you, they know you also visited all the other URLs in the list, including diseases, doctors, articles you were interested in, etc. Your browsing history is tracked not just by cookies on the web, but also by your browser, its plugins, and your internet service provider. The authors say privacy can be protected by using "Rotating proxy servers (n >> 1) e.g. TOR or a VPN with rotating exit nodes [and] Client-side blocking of trackers" ​Article and slide show.
​
Conversations in public places are also subject to electronic eavesdropping, and to security cameras' facial recognition tracking, since laws generally allow no expectation of privacy in a public place.

Another article here compares tracking and privacy on sites where consumers review doctors. The table below summarizes tracking software on these and other medical sites. The trackers tell data companies what diseases and treatments each person is researching.

• Oracle (formerly BlueKai) has profiles on 700 million people and companies, covering 30,000 topics.
• Acxiom (with top political connections) has "hundreds of measures available about individuals." It says it can reach customers "across direct mail, display, email, social and TV. This match data..." It lost 1.6 billion records to one hacker in 137 intrusions over 7 months, which the FBI discovered when investigating an earlier hacker.
• Another data broker, LexisNexis, claims "the largest and most comprehensive base of public and proprietary information available today. We leverage approximately 37 billion public and proprietary records."
• IDI (Interactive Data Intelligence), according to Bloomberg, "profiles include all known addresses, phone numbers, and e-mail addresses; every piece of property ever bought or sold, plus related mortgages; past and present vehicles owned; criminal citations, from speeding tickets on up; voter registration; hunting permits; and names and phone numbers of neighbors. The reports also include photos of cars taken by private companies using automated license plate readers—billions of snapshots tagged with GPS coordinates and time stamps to help PIs [private investigators] surveil people or bust alibis. IDI also runs two coupon websites, allamericansavings.com and samplesandsavings.com, that collect purchasing and behavioral data ... [which ask for] arthritis, asthma, diabetes, or depression, ostensibly to help tailor its discounts." One partner in IDI with deep pockets is "billionaire health-care investor Phillip Frost."
• IBM has detailed health care data on 300 million US patients from electronic health records, health insurance claims, imaging, genetics, medical health data, all of which they put in their Watson supercomputer.
• IMS Health and Symphony Health specialize in medical data, including prescription records from 3/4 of US retail pharmacies.
• Verizon and AT&T have worked on tracking all mobile web browsing with their phones.
• Apps of all types can sell records of where you go.
• Your activity on social media is also analyzed and sold to anyone, including government or private companies investigating you or your contacts. Courts say there's no expectation of privacy when you post things for your friends, since copying is so easy.
• Privacy statements on websites are complex. Tosdr.org and UseablePrivacy.org highlight some of the issues.
• You can see your information at some brokers, and opt out of some. The Future of Privacy Forum and Patient Privacy Rights discuss issues. Patient Pr

Hospitals buy similar information to know even more about their patients.

Most websites track their users. To reduce this tracking, Chrome, Epic, Firefox, Opera and Tor can delete all cookies at the end of each session. Epic, Tor and virtual private networks minimize access to your IP address (though ads may reveal you anyway). Epic, AVG, Blur (formerly DoNotTrackMe) and Disconnect.me block trackers.

Number of Trackers on Each Medical Site (descriptions of trackers are available)

B. Frequent Breaches by Doctors, Hospitals, Insurers, Governments 

HIPAA forbids release of personal health data from health providers, health insurers and clearinghouses (with exceptions below). From 2003-2013, medical records were released improperly in 116,000 incidents. Most affected 1-499 people, and these incidents are not listed publicly.

​There is little enforcement. Breaches come from hackers, and from inside staff. Corporate changes are especially dangerous, including mergers, divestitures, buyouts, downsizing, etc., when data can be "accidentally transferred."

From 2003-2012 federal enforcers investigated 18,559 of the cases of noncompliance that people complained about, and resolved these cases "by requiring covered entities to take corrective actions and/or provided technical assistance to covered entities to resolve indications of noncompliance" (p.7). They had money penalties in up to 21 cases, totaling $25 million.

The federal government lists 1,300 incidents (if offline, see April 2014 copy). In each of these incidents 500 to 5 million medical records were released improperly, totaling 31,300,000 people, 5% paper and 95% electronic. Most were breached by stealing a computer or smart phone with unencrypted patient records. However a record fine, $4.8 million, was for accidental internet release of 6,800 patients' records ($700/patient) when a network computer was deactivated. The federal site does not yet include cases which are still under investigation, such as 80 million records taken from Anthem, announced in February 2015 (38 million customers and 42 million former customers).

A spreadsheet lists and counts the biggest medical incidents by state, year and type (paper, laptop, etc). HHS also lists statistics and examples of cases. You can search guidance, or get email announcements on medical privacy.

The list does not classify entities which leaked data, but the list shows primarily hospitals, medical groups, insurers, public health departments, and their contractors.

The FBI warned in 2014 that the health industry was very vulnerable to cyber attacks. A consultant analyzes the problems, with good examples. 

C. Electronic Medical Records

A few good electronic systems show key information clearly in the way that each clinician needs it, and are rare, because hospitals have complex flows of information.

• Even the worst systems store information more accessibly than thick paper binders of: records, test results, prescriptions, notes from specialists, etc. 
• Systems do not create a simple 1-page summary of a complex patient, in the way that a wise patient does.
• Only some health care sites use standard computer protections:

1. Antivirus/malware protection: 85% of hospitals and 90% of doctor's offices
2. Firewalls: 78% 90%
3. Data encryption (data in transit): 68% 48%
4. Audit logs of each access to patient health and financial records:  60% 61%
5. Data encryption (data at rest):  61% 48%
6. System to ensure all updates and patches are installed:  61% 42%
7. Intrusion detection systems (IDS):  57% 42%
8. Network monitoring tools: 55% 45%

• Even the best systems do not send the doctor's orders, prescriptions and test results to patient, caregiver and outside doctors treating the patient. 
• Hospital patients don't get the same daily printouts of lab tests that doctors get, but have to ask busy nurses to print out results, which are not as well formatted as the doctors' versions. 
• While systems send new prescriptions to outside pharmacies, they do not instruct the outside pharmacy to cease automatic renewal of terminated prescriptions. 
• Data cannot transfer easily between electronic systems from different vendors (in the way that .doc, .html and .csv files transfer among computer programs). 
• The policy drive for electronic records makes it easier to breach privacy on large numbers of records, by accident or by theft. Electronic systems are insecure (like business, or security software, or NSA; even the VA has 4,000 vulnerabilities). 

Politico has summarized widespread dissatisfaction. Bad systems are not read by clinicians, are full of errors, generate erroneous prescriptions, and interrupt doctors when listening to patients (though one doctor uses a 32" monitor on the wall to discuss everything with patients). The Boston Globe reports deaths and errors from electronic records, accompanied by government decisions not to require reporting of such errors. Note that deaths and errors can also come from paper systems, and reporting has not been any better for those errors. The difference is scale, as in the old adage, "To err is human, to really mess things up requires a computer."

Federal standards for electronic systems do not protect privacy as required by law: "The more stringent rule requires patient consent before a patient's healthcare information about drug or alcohol abuse treatment can be shared with another provider or health information exchange, even for treatment... Thus far, the federal EHR incentive payment program has ignored this requirement when it has set technical standards for EHR vendors to meet in the first two editions of software that must be tested and certified for use by healthcare providers in Stage 1 and Stage 2 of the program." 

7% of doctors do not have electronic record systems and do not plan to get them. 22% plan such limited use that they will be penalized by Medicare. 70% of doctors find electronic records decrease face time with patients. 48% or more worry about patient privacy, including 38% who worry about hacking. The main reasons doctors do not use them include 40% who believe they interfere with the doctor-patient relationship, 29% who believe they make medicine too mechanical, and 28% who worry about patient privacy.

The most widely used systems are Epic (23% of doctors), Cerner (9%) and Allscripts (8%), primarily because they are widely chosen by hospitals. These are rated by doctors as the 7th, 15th and 14th best systems. All 3 are listed by the Boston Globe as having high officials donating to or working for the Obama administration.

Doctors rate highest the Veterans Administration system (VA-CPRS), Practice Fusion, and Amazing Charts. However most doctors have not used many systems, and it is hard for a practice to switch systems after the cost of entering patient data into one. Among the few doctors who know the cost, over half say their systems cost over $50,000 per doctor to buy and install.

D. Many Releases Are Allowed by Law

Many outsiders can obtain medical records legally. Privacy laws allow release  (without patient authorization) for: 

Spies
Auditors 
Inspectors
Investigators
Licensing bureaus
Secret Service
Targets of threats
Organ banks
Coroners
Medical examiners
Funeral directors
Subpoena
Summons 
Other medical staff

Family & friends when relevant to their involvement or payments
People at risk of communicable disease
Public health agencies (including foreign)
Social services agency to help victims of abuse
Discovery requests (e.g. divorce)
Emergency preparedness (NYTimes story)
Military commanders (about service members)
Prisons (about prisoners)
Police and any other law enforcement
Researchers on anonymous data, or onsite, or on the dead, or locally approved
Workers' compensation purposes 
Food and drug businesses approved by FDA (to monitor side effects)
Employer for "medical surveillance of the workplace and work-related illnesses" if employer requested any care

All medical records can be subpoenaed, as explained by ABA, Massachusetts Bar, Iowa Medical Society, and a liability insurer. Electronic records are cheaper to subpoena than paper records, since copying is cheaper. 

Federal rules of evidence do not protect doctor-patient confidentiality in federal courts, though most state courts do. Federal prosecutors use their access to private health care data in prosecutions.

Disclosures have the same limits for 50 years after death.

The following organizations do not have to follow the Privacy and Security Rules for data they have. A good poster and study show how hundreds of data brokers buy this health information and spread it widely.

• online shopping sites (know what health items you bought)
• credit card companies
• social networks (know your messages about your and your friends' health)
• life insurers
• employers
• workers compensation carriers
• most schools and school districts
• many state agencies like child protective service agencies
• most law enforcement agencies
• many municipal offices
• health care providers small enough that they don't electronically send health insurance claims and eligibility to insurance companies

Disclosure rules are stricter on substance abuse, though the government loosened those rules in January 2017 to ease its efforts at letting many providers share information on patients. They have been criticized both for too much control, and for making patient release forms too hard for patients to understand.

Disclosure rules are also strict on mental illness, and the government plans to loosen them to keep mental patients from access to guns.

An article shows practical barriers to carrying out the law and suggests more access for relatives. A longer explanation of medical privacy is at the Privacy Rights Clearinghouse.

HHS lets information be released if the following are removed: patient/relatives/employers' names, ID numbers, addresses except state or 3-digit zip with 20,000+ people, IP addresses, URLs, equipment numbers, months and days of any event, and years over 90 years ago (so people 90 and older are grouped), biometric identifiers (e.g. finger/voice prints), "full-face photographs and any comparable images, Any other unique identifying number, characteristic, or code," such as dental charts. Even these can be released if a statistical expert certifies a "very small" risk of identifying people. Lawyers say the expert approach is common, though I cannot imagine an expert saying that releasing more is safe. Even the HHS list does not protect privacy: it allows records with your age, doctor names, and diagnoses by year, which data brokers can compare to your social media postings. Movers can be identified by a series of 3-digit zip codes.

Medicare itself releases individual patient records to researchers who get approval and sign a data use agreement. The data use agreement refers to other documents for computer security, does not specifically cover access to, or deletion of backup systems, locking of offices and cars, etc.

E. Damages and Alternatives

An extensive article in Politico says hackers can sell medical records for hundreds of dollars, and people use them to get prescription drugs for resale. A 2013 article in Wired said companies with big business outside health care, like Google were leaving the business of patient data to avoid liability when things go wrong. A 2015 article said 2 Google subsidiaries were producing health care inventions.

The government rarely imposes penalties for privacy breaches, and it is hard for individuals to sue for damages, though they may claim deceptive privacy statements, or other grounds.

A legal review points out, "Trusted insiders often are granted access to an organization’s most sensitive data without a proper understanding of the information security policies and procedures that govern usage... Employees should be aware of common attack vectors specific to their industry, and they should be provided with examples of attempted or successful attacks on their company and on similar organizations... Putting employees through regular mock breach scenarios can be a good way to determine the adequacy of response times and to evaluate existing procedures."

An ID company warns about keeping your purse or wallet secure when you strip for a medical procedure, by giving it to a friend or asking for it to be locked up, or entrusting it to a staff member you trust

In Dominica each patient carries his/her own medical record, creating an incentive to maximize involvement, availability and security.

F. Comparison of Lists of Data Breaches

• All lists omit the many breaches, large and small, which companies fail to report.
  
• As noted above the federal HHS list covers medical breaches affecting 500 or more people and does not yet include cases which are still under investigation.
• National lists (pdf) of medical and non-medical breaches as soon as they are reported by government or press, and no matter what the size, are at the ID Theft Resource Center, sponsored by a company which sells services for ID theft prevention and recovery. Each year the "Breach Stats Report" is a compact list of key facts on each breach, while the "Breach Report" has more detail when available. Often the initial listing from press reports does not show the number of people affected, but the site inserts it later if the number becomes available in followup reports or the HHS site. Breaches which appear on the CA Attorney General site must be over 500, but the ID Theft Resource Center site does not update with just that information.
• The CA Attorney General, lists all breaches which affect 500 or more Californians, as soon as a notification letter is sent to people affected. It includes many national breaches, which affect 500 Californians. It does not always show who caused the breach, for example when a bank tells people that a merchant lost credit credit card data, it shows the bank, not always the merchant.
• Massachusetts lists all breaches which affected any Massachusetts residents since Nov 2007. It shows whether the breach included social security number, driver's license, account number,  and if data were encrypted (almost never). Like other lists it does not show whether the breach happened at the place which reported it, or for example at a merchant losing credit card data. It is incomplete, because there is no enforcement.
• Washington State lists breaches which affect 500 or more Washington residents.
• Oregon lists breaches which affect 250 or more Oregon residents.