It was almost child’s play.
Using a computer, an Internet connection and information available publicly online, researchers from the Whitehead Institute at MIT were able to figure out the identities of nearly 50 people who had submitted personal genetic information for a research study — information that purportedly had been “de-identified” so as to protect the subjects’ privacy.
Cracking the supposedly secret code turned out to be ridiculously simple, Yaniv Erlich, a Whitehead human genetics researcher, told the New York Times. “Oh, my God, we really did this. I had to digest it. We had so much information.” Erlich’s team quickly told the National Institutes of Health about the vulnerability of the information. The agency has taken steps to make re-identifying research subjects harder to do.
Great. But there’s a big issue of trust here. With this latest “Oops!” moment in the world of “Internet privacy,” that term itself seems well on its way to becoming an oxymoron. Particularly for health information.
No one is more concerned about this than Texas psychiatrist Dr. Deborah C. Peel, head of the Patient Privacy Rights Foundation. “We are actually in a very bad situation,” she told me by phone last week. “There is no way to protect your privacy today except to pay cash to a doctor who will keep your records on paper.”
For the record, Peel truly believes that there are many benefits to doctors, hospitals, insurers and researchers sharing information about patients and research subjects, for both the individual and the common good.
“The benefits of health technology systems are clear. We all know that. The problem is, we don’t know anything about the risks, about who has the data,” she said. In other words, it is unfair to ask people to balance the risks and benefits of electronic record sharing if they don’t know what the risks are. As it is now, she added, “everyone sells health data because it is so valuable. We live in a surveillance economy and the most valuable information is health information.”
At Harvard, medical informatics specialist Latanya Sweeney runs the Data Privacy Lab and is working on a so-called DataMap. Personal health data can now be sent in an instant to growing numbers of people and organizations.
In fact, as an ABC investigation reported last fall, “millions of records can be bought online.”
To be fair, there are some decent souls inside the health care system trying to protect health privacy, among them Dr. John Halamka, chief information officer at Beth Israel Deaconess Medical Center. And Halamka is reasonably upbeat about the possibility of protecting data security.
On January 17, he told me, new HIPAA regulations were released that are designed to enhance health privacy. (HIPAA stands for the Health Insurance Portability and Accountability Act, originally passed in 1996.)
With the new regulations in place, huge fines ($1.5 million a year) will accrue to any hospital — or other organization in the chain of groups receiving personal health data — that fails to adequately protect data security. Ideally, this could mean that nobody will be able to sell my personal health information to anybody else without incurring the huge fine. But the 563 pages of regulations are so complex that the effect may not be what Congress intended.
Will it work? Will these new protections be strong enough? I hope so. But frankly, I doubt it.
For one thing, we’ve seen too many hackers getting into big databases. Nothing is that secure on the Internet. Besides, a $1.5 million fine for health privacy offenders? That could be chump change, just the cost of doing business, for unscrupulous groups seeking to profit from your health data. And mine.