
Who cares about my medical records?

Created: 19-10-2009 19:00 Last Updated: 23-09-2011 15:50


One question that is sometimes posed is "why would anyone want to re-identify my records?" The argument goes that if the medical records have no value to someone else, then why would anyone bother getting access to and re-identifying them?

Below are the reasons why medical records can be valuable to an intruder:

  • Some medical records have financial information in them (e.g., information used for billing purposes) or information that is useful for financial fraud, for example, date of birth, address, and mother's maiden name. In some cases in the US the medical record may contain SSNs (which are often used as a unique identifier). All of this information is useful for committing financial crimes. In general, your own identity information is not worth that much in the underground market; for a self-assessment that may surprise you, try this tool from Symantec: http://www.everyclickmatters.com/victim/assessment-tool.html

    Therefore, medical records with such information are useful only in large quantities, since only then is it worthwhile for someone to get them and use them. This means that intruders would be interested in databases of records rather than going after an individual's records.

    If an intruder gets a poorly de-identified database with many records and it is plausible to correctly re-identify many patients in it, then the financial incentive may result in the intruder performing this re-identification.

  • Even if medical records do not have information in them that is suitable for financial fraud, if your record has information about your health insurance then it can be very valuable. Medical identity theft entails someone getting health care in your name. This is most likely to happen because a person has no insurance because they cannot afford it or because they cannot get it (illegal aliens, or individuals running from the law). A good example of that happening in Canada was described by Joe Pendleton in his presentation here: http://www.ehealthinformation.ca/documents/EHIP2008.pdf
    The basic scenario is that Americans who cannot afford certain procedures or are unable to get insurance would buy Canadian identities with health coverage, and come to Canada to have these procedures done. Also, Canadian health insurance numbers are useful for illegal aliens who cannot obtain one legitimately under their own identity.

  • If you ever become of interest to the media and they want to do a story on you or your family, then reporters may be interested in re-identifying records about you. An example of that happening (as documented in court documents) is the CBC re-identifying a patient who died while taking an acne drug by matching Health Canada's adverse drug report data with obituaries. In this case the CBC wanted to do a story about the drug, and the 26-year-old girl's death was central to the message that the drug was harmful, so they needed to contact the family. They found multiple matches in the obituaries and contacted them all until the correct girl's family was found and they had their story. However, in discussions with various members of the media, my understanding is that if they put out a radio or newspaper ad asking people to tell them about certain events, many members of the public reveal themselves to the media or tell about their neighbors and family. Therefore, from a re-identification perspective, the media can gather background information about you easily by getting people who know you to provide them with that information.

  • Medical records are a good source of revenue if you are in the extortion business. One example is Express Scripts which lost a large database of customer data. Here is the initial news story: http://www.ehealthinformation.ca/blogs/extortion_plot_threatens.mht
    Basically, the company was using production data for software testing, and there was a breach on the testing side of the business. Unfortunately, using production data for testing is common. In any case, the initial extortion attempt was based on the breach of 75 records. It turned out later that 700,000 individuals may have been affected by the breach: http://www.computerworld.com/s/article/9138723/Express_Scripts_700_000_notified_after_extortion (archived here: http://www.webcitation.org/5kfHDTBZq). In this case it is not clear how much the extortionists are requesting.

    Here is another recent extortion attempt of medical records where the extortionist has requested $10m: http://ehip.blogs.com/ehip/2009/05/hacker-threatens-to-expose-health-data-demands-10m.html

  • Even if there is no financial impact, some people feel violated if there is a breach of privacy of their medical information and change their behavior by adopting privacy protective behaviors. These include things like not seeking care, lying to their doctor so as not to reveal embarrassing or sensitive information, seeing multiple doctors so no one will have a complete record, paying out of pocket so that insurers do not have a record of a particular encounter/procedure/prescription, self-treatment where individuals treat or medicate themselves rather than seeking care, and asking the doctor not to record certain pieces of information or to record different pieces of information (and many physicians admit to doing this). Note that when your physician is asked (with your consent) to provide your medical records to an insurance company, most of the time the physician will send them everything (i.e., s/he will not have time to remove information or select only the pieces of information required by the insurance company). There is also evidence that the most vulnerable people adopt these kinds of behaviors, such as teens, battered women, people with or at risk of getting HIV, and people with genetic conditions. As a sad demonstration of what people do to protect their privacy, here is an article from the NYT: http://www.nytimes.com/2009/01/05/nyregion/05abortion.html (archived at http://www.webcitation.org/5kfHjCtf0).

  • There are a number of attempts to make health information publicly (or at least very widely) available. This is particularly true for research data. In the introduction to this article, http://www.jamia.org/cgi/content/abstract/15/5/627, we provide a review of the various initiatives. One argument made in support of these efforts is that data collected using public funds should be made available to maximize the return from the initial investment, and making data widely available means many more people can analyze it and discover new things from it. To the extent that this becomes the case, your health information may be more widely available if you participate in research initiatives. If that data is not properly de-identified then the chances of re-identifying your records would increase.

  • There is increasing interest by data custodians to package data, de-identify it in some way, and sell it. Here are a few examples:

    The problem is that it is not clear whether this de-identification is sufficiently robust and whether these organizations have used de-identification best practices. In the examples cited above the organizations have not been forthcoming with details about how they have de-identified their data, which amplifies patient concerns about how their health information is being used. Such a lack of transparency is coupled with the fact that many patients would not know that their health information is being sold.

  • If you have enemies they may be interested in re-identifying your records and finding something sensitive about you.

 

For all of these reasons you should care about the secondary use of health information. As more data is collected electronically, the frequency of breaches and the volume of records affected will also be quite large. We show the extent of medical data breaches here: http://www.ehealthinformation.ca/dataloss/ where the number of medical data breaches and the number of records affected are unfortunately just getting larger.

Another version of the above reasoning can be found in the following Cutter Consortium report entitled "Managing Privacy Risks Through Data Anonymization" targeted specifically to a CIO audience: http://www.cutter.com/bia/fulltext/reports/2009/09/index.html

We have written an article highlighting the risks to personal health information in the attached file.



The author(s) retain all copyright to this knowledgebase article. Please include a citation to the web page if you reuse this material. More information is available at our lab web site: http://www.ehealthinformation.ca/.

 

Attachments
Article on PHI risks 87.7 Kb Download File