90.9 WBUR - Boston's NPR news station

It was almost child’s play.

Using a computer, an Internet connection and information available publicly online, researchers from the Whitehead Institute at MIT were able to figure out the identities of nearly 50 people who had submitted personal genetic information for a research study — information that purportedly had been “de-identified” so as to protect the subjects’ privacy.

Cracking the supposedly secret code turned out to be ridiculously simple, Yaniv Erlich, a Whitehead human genetics researcher, told the New York Times. “Oh, my God, we really did this. I had to digest it. We had so much information.” Erlich’s team quickly told the National Institutes of Health about the vulnerability of the information. The agency has taken steps to make re-identifying research subjects harder to do.

Great. But there’s a big issue of trust here. With this latest “Oops!” moment in the world of “Internet privacy,” that term itself seems well on its way to becoming an oxymoron. Particularly for health information.

No one is more concerned about this than Texas psychiatrist Dr. Deborah C. Peel, head of the Patient Privacy Rights Foundation. “We are actually in a very bad situation,” she told me by phone last week. “There is no way to protect your privacy today except to pay cash to a doctor who will keep your records on paper.”

For the record, Peel truly believes that there are many benefits to doctors, hospitals, insurers and researchers sharing information about patients and research subjects, for both the individual and the common good.

“The benefits of health technology systems are clear. We all know that. The problem is, we don’t know anything about the risks, about who has the data,” she said. In other words, it is unfair to ask people to balance the risks and benefits of electronic record sharing if they don’t know what the risks are. As it is now, she added, “everyone sells health data because it is so valuable. We live in a surveillance economy and the most valuable information is health information.”

At Harvard, medical informatics specialist Latanya Sweeney runs the Data Privacy Lab and is working on a so-called DataMap. Personal health data can now be sent in an instant to growing numbers of people and organizations.

In fact, as an ABC investigation reported last fall, “millions of records can be bought online.”

To be fair, there are some decent souls inside the health care system trying to protect health privacy, among them Dr. John Halamka, chief information officer at Beth Israel Deaconess Medical Center. And Halamka is reasonably upbeat about the possibility of protecting data security.

On January 17, he told me, new HIPAA regulations were released that are designed to enhance health privacy. (HIPAA stands for the Health Insurance Portability and Accountability Act, originally passed in 1996.)

With the new regulations in place, huge fines ($1.5 million a year) will accrue to any hospital — or other organization in the chain of groups receiving personal health data — that fails to adequately protect data security. Ideally, this could mean that nobody will be able to sell my personal health information to anybody else without incurring the huge fine. But the 563 pages of regulations are so complex that they may not have the effect Congress intended.

Will it work? Will these new protections be strong enough? I hope so. But frankly, I doubt it.

For one thing, we’ve seen too many hackers getting into big databases. Nothing is that secure on the Internet. Besides, a $1.5 million fine for health privacy offenders? That could be chump change, just the cost of doing business, for unscrupulous groups seeking to profit from your health data. And mine.


The views and opinions expressed in this piece are solely those of the writer and do not in any way reflect the views of WBUR management or its employees.

  • Jasoturner

    The title suggests that people think electronic records are safe, which I suspect may not be true. We’ve seen all sorts of secure systems hacked. We’ve seen industrial controllers hijacked. There should be little reason to believe that medical records will be an exception and vendors will conjure up a foolproof/hackerproof security solution that others have missed.

    Let’s just hope smart people are thinking about how we can prevent such information from being used to discriminate against individuals in the future.

  • http://twitter.com/privacyusa Tony Phelps

    Actually, I just wrapped a blog post up covering several instances of physical records being found in dumpsters and recycling centers. Why hack when you can dumpster-dive?