If you want to check out what I’m doing these days, you can change channels and catch me at my other show. I recently spoke to author Adam Tanner on his new book Our Bodies, Our Data. Did you know that every time you fill a prescription at a pharmacy, the transaction data is sold to medical data brokers who then resell it to drug companies?
I didn’t, until I spoke to Adam. His new book tells the story of one such very profitable broker, IMS Health, which is based in Connecticut but has a global reach. I’ve been covering data security and privacy regulations for a few years now, and I thought I understood HIPAA, which protects our medical data. I learned there’s a small HIPAA loophole that IMS has exploited.
If the drug data is anonymized (stripped of identifiers), then it’s no longer covered by HIPAA and therefore doesn’t require consumer consent to release to a third-party data broker. IMS and other brokers receive this scrubbed drug data.
Now if the data was truly anonymized it wouldn’t be of use to the drug companies. However, the prescribing doctor’s name remains in the data. Obviously, drug companies now can target doctors whose business they want based on the medications they are prescribing. This drug sales data then is quite valuable to them.
But that leaves open the possibility of drug companies using other marketing data about you to put together scary profiles. There’s been much research in the last few years showing it’s possible to re-identify the data in cases where there’s “low entropy” (e.g., a drug that’s not often prescribed) or to associate the drug information with a small pool of consumers.
And there’s the very real possibility of hackers or cybercriminals using hacked medical insurance records (Anthem and the rest) along with this drug data to blackmail high-profile individuals. Adam assures me that IMS and other brokers have not been hacked, at least as far as we know!