Companies gathering and selling consumer data is commonplace nowadays. But what if your medical records were for sale as well? A new book shows how trading patient data has evolved into a multi-billion-dollar industry.
Journalist and educator Adam Tanner has covered the pharma industry, personal data collection and consumer privacy since 2012. In his new book "Our Bodies, Our Data: How Companies Make Billions Selling Our Medical Records," the former Reuters correspondent describes how middleman companies connecting pharmacies, doctors, hospitals and insurance companies are making huge profits by selling anonymized personal details about health consumers' medical conditions.
DW: How did you discover that medical data is being traded without patients' knowledge?
Adam Tanner: I wrote a book that came out in 2014 called "What Stays in Vegas," which is about how companies gather information about you and use it to sell you things. As I was exploring the dark side of this practice, I began to look at what happens with our medical data. And I was quite surprised to learn that there's this extensive trade that's almost completely hidden from the general public.
Your medical tests, hospital exit records, doctor notes, pharmacy records - all of this sensitive information is collected and sold by commercial companies. Your name may be removed, but there's other intimate information about you that's collected over time, put into a dossier and that eventually becomes a commercial product.
Such digitized details may only be worth a few pennies per transaction, but when repeated billions of times, they become not only big data, but big business. Selling medical data is a global, multi-billion dollar industry.
What else should the public know about this industry?
There are many good people working in this field. By and large, however, the business is about promoting drug companies' products. It's not about science but sales and marketing. I think people would be wary to see so much information about them circulating.
There should be a public discussion: Are we comfortable with this trade? Are there certain limitations we want to put on societies to protect the privacy of patient data? One of the things that surprised me is how widespread this is in many different countries, including in Europe, where people think they have stronger data privacy protections.
Can you say more about your research in Germany?
German-born Ludwig Wolfgang Frohlich founded IMS Health, the world’s dominant health care data miner
The largest of the data miners, those companies that gather, buy and sell medical information, has its origins in Germany.
Ludwig Wolfgang Frohlich came to the United States in the 1930s and started a medical advertising agency. Anyone who has seen the television show "Mad Men" would be familiar with this world of New York advertising in the 1950s and 60s. He then founded IMS Health.
Frohlich was a man who had many secrets, including his German-Jewish background and his sexual orientation, which he kept even from his closest friends and associates. I also found out that he was in secret collusion with his main rival in New York City. The two of them started IMS Health clandestinely. So it is interesting that there has been secrecy in this world of patient and medical data from its very origins in the 1950s.
How come the general public has known so little about patient data trading until now?
Since the companies make a lot of money trading it, there's no real gain for them to be transparent about what's happening. A lot of people have a vested interest in this information not being widely advertised to the patients.
The fear of some of the executives I've talked to is that the public wouldn't understand it or would be opposed to it. I believe patients donating their data for science and for research is a good thing, but patients should be able to decide for themselves where they want their medical data to go.
Can you describe how companies like IMS Health operate and what implications their practice has?
IMS Health and its rivals, which include IBM Watson, LexisNexis and other fairly well-known companies, buy from pharmacies and middlemen that connect doctors' offices to insurance and pharmaceutical companies as well as other players looking for insights into the medical marketplace and ways to better promote their drugs.
A possible danger of this is that your patient file might include only metadata, in other words no intimate medical information like your name, where you've lived, the name of your doctor and so on. But companies might be able to re-identify you regardless.
For his book, Tanner examined thousands of archival documents and interviewed hundreds of industry insiders from the United States, Europe, Japan and Korea
Take me, for example. I'm teaching for a year in Alaska right now. Before that, I lived in Cambridge, Massachusetts for five years, and in Belgrade, Serbia before that. If you only knew where I had medical prescriptions over those years, you would have a pretty good chance of identifying me, for I might be the only male person of my age in those cities in those years.
The danger is that someone could use this information to discriminate against you, such as denying you life insurance, rejecting you for a job or even blackmailing you. This so-called medical hacking is on the rise worldwide.
Are we only seeing the tip of the iceberg?
As I mentioned, it's a multi-billion dollar business. After last year's merger, IMS Health is now a 20 billion dollar company called Quintiles IMS. Big US pharmacies sell their data for tens of millions of dollars, and even labs are selling their data for millions.
Given the fact that big data in medicine hasn't led to amazing breakthroughs so far, I think we need to pay more attention to the privacy implications of this big commercial trade.
What are some key developments that have affected the medical data business?
Beginning in the 1980s, it became commonplace for the pharmaceutical industry to track doctors' prescribing habits. Other key developments include the lawsuit against IMS Health that started in Vermont with the intention of limiting data miners' activities and ended up in the Supreme Court.
There's also the rise of electronic prescriptions and the digitizing of health records, which is still communicated in a babble of different languages, which cripples patients' ability to access their lifetime records. By acquiescing to an unfettered commercial trade in anonymized data, HIPAA [the Health Insurance Portability and Accountability Act of 1996] has allowed a vast market for intimate information to evolve in ways that may lessen patient trust in the healthcare system.
What are some other goals you are hoping to accomplish with the book?
I wrote "Our Bodies, Our Data" hoping that people will engage in a discussion and find out if it's safe for outside companies to trade our medical information in this way. If your name is taken off the data and certain procedures are followed in the United States, they can freely trade it - even if it's a blood test that says you have cancer.
Patients should have the right to determine the fate of their data, whether or not it's anonymized. In countries with a national health system, as you often see in Europe, there may be other ways to best contribute that data to science and protect privacy.
I'd also like to spur a debate about whether different people are the best repositories of national data. In Scandinavia, for example, various repositories are available for scientists to study diseases and try to come up with new cures.
Also, if we don't know that there is a big trade with our data, it's hard to talk intelligently about it. It also makes it difficult to come up with the best and most secure solution that helps protect our privacy and allows science to advance at the same time.
How is this possible in a country like Germany, where strict patient privacy laws govern the use of this data? Is the practice illegal?
In all the different countries I looked at, trading patient data is legal as long as it is anonymized to certain standards. In Japan it's a gray zone - nobody knows exactly whether it's legal or not, but it's not formally illegal.
So even within the industry, it's something that many people don't understand. You may be protected in some European countries and in certain cases, but people often sign away the rights without realizing it because they don't read the fine print.
Adam Tanner is writer-in-residence at Harvard and the author of "What Stays in Vegas: The World of Personal Data - Lifeblood of Big Business - and the End of Privacy as We Know It." Tanner, who served as a Reuters correspondent from 1995 to 2011, has written for magazines including Scientific American, Forbes, Fortune, MIT Technology Review and Slate. For the 2016/17 academic year, he is the Snedden Chair in Journalism at the University of Alaska Fairbanks.