Medical Records: Stored in the Cloud, Sold on the Open Market

When patients visit a physician or hospital, they know that anyone involved in providing their health care can lawfully see their medical records.

But unknown to patients, an increasing number of outside vendors that manage electronic health records also have access to that data, and are reselling the information as a commodity.

The revelation comes in a recent New York Times article about how so-called “scrubbed” patient data isn’t as anonymous as people think. The piece focuses primarily on how anonymized data can be cross-bred with other publicly available databases, such as voting records, which subverts the anonymity.

Buried near the end of the article is the news that medical data is collected, anonymized and sold, not by insurance agencies and health care providers, but by third-party vendors who provide medical-record storage in the cloud.

<snip>
Vendors say they re-sell the data for research purposes and scrub it of identifying information first to protect patient privacy. But in 1997, Latanya Sweeney, director of the Data Privacy Lab at Carnegie Mellon University, showed how she was able to pick out the medical records of William Weld (then the governor of Massachusetts) from scrubbed medical information published by the state’s insurance commission by simply correlating the anonymized data with birthdays, ZIP codes and gender information published in the state’s voter-registration rolls.

According to Sweeney, 87 percent of the U.S. population can be uniquely identified simply from their birthdate, gender and zip code.


http://www.wired.com/threatlevel/2009/10/medicalrecords/

Privacy??? Meh!

in such records. For legitimate use of such records as health for scientific analysis and such, an age-range ought to suffice, which would leave the selection criteria worthless for identifying individuals.