An exploration of data privacy in healthcare
We all know data gets passed around somehow. By some people. In some way. Surprisingly, though, breaches in health data are much more common than we might think, and the extent of impact is shockingly broad.
Maybe a story will bring light to the gravity of this issue...
Nathan is a middle-aged man living in the United States. He has worked since graduating college and likes to dabble in pottery and d3.js blogs in his free time. Nathan recently found it he has liver cancer and has been going to the hospital frequently for treatment.
Little does Nathan know, when he goes to the hospital or doctor's office the information collected about his health and personal identity is distributed very widely. Dozens of entities are involved in a complex web of interactions among insurance companies, physicians, and beyond. The additional connection to any node in this network expands the vulnerability of Nathan's sensitive health data...Explore the Data
One day, Nathan receives a letter from his health insurance company, Anthem, asking about his plan coverage with a "priority code" on the outside of the envelope. While seemingly harmless, the "code" is made up of Nathan's social security number plus two additional digits. This leaves Nathan's sensitive information associated with his Social Security number exposed to anyone aware of Anthem's mistake.
While Nathan's misfortune seems like an odd story, this breach actually happened in April 2011. More than 78 million individuals were affected. Thousands of breaches just like this one occur throughout the United States.
Fortunately legislation is being passed at a state level that forces companies to disclose these breaches to the public. California has the strictest laws, but today all 50 states have passed legislation forcing companies to report breaches in their data causing more and more of these breaches to be exposed.
While Nathan attempts to remedy his situation, his personal information is collected by South Carolina (the state he resides in). South Carolina in turn can sell this data to interested buyers, including WebMD Health, Truven Health Analytics, and Milliman, for over $53,000.
Figure 4: The discharge price for health data for states in the United States.
This story is common among many states, as 47 states sell discharge data for a price (ranging from $25 to over $93,000). In terms of the distribution of discharge prices, Colorado ($93,303) and South Carolina ($53,188) have much higher discharge prices than the next closest state, Tennessee ($10,000).
As Nathan worries about the dispersal of his private information on his cancer treatments, he moves to using his personal smartphone instead to keep track of medicine, procedures, and his daily fitness routines. From Apple Health on his iPhone to Fitbit on his wrist, Nathan feels secure that his health data is kept close to him (literally). Little does he know...
Figure 3: The number of distinct domains each app shares data with in one session.
We use our phones every day. Surprisingly, these apps that contain our daily fitness tracking and health records share data with many different domains (often times third-party ones) that are vulnerable to security risks. Relative to other app categories including business (6.5), photo/video (8.6), and navigation (9) apps, health (9.25) and medical (10.3) apps have a higher average number of distinct domains that receive data per app session. Those with sensitive health/personal data, including lifestyle (8) and social (10.45), also share with a relatively high number of domains.
The data on health care privacy is much more shocking than we might think. Sensitive health data is spread through a complex network involving insurance companies, educational institutions, physicians, and more. As a result of this broad network, breaches are happening at an astonishing rate, increasing over time and across the United States. The individual stories of how these breaches are simultaneously unbelievable and strongly representative of the truth. Nathan's story is similar to 652 others in the same category of company. The problem is rooted so deeply it even extends to within reach of us (literally) through our smartphones, with health and medical apps relying on hundreds of online connections to transmit data.
healthIT.gov can help you file a complaint if you believe your health information privacy has been violated. You can keep up to date on healthcare data privacy issues. Also, you can update privacy settings on apps provided by companies such as Facebook and Google.
3 Data.Gov: State Health IT Privacy and Consent Laws and Policies
1 List of organizations and entities involved in data sharing transaction(s)
2 Categories of data holders of health data
3 Association list of categories from the categories file and organizations
4 Longer description of each category
5 List of breaches associated with different categories and organizations
6 List of paths/directions of data transfer from one category to another
7 110 popular Android apps and domains they were sharing user info with
8 110 popular iOS apps and domains the apps were sharing user info with
9 StateMaster: U.S. States Statistical Database
10 Access Our Fully Scraped and Cleaned Data (used in this project)