Is Unauthorized Patient Data Access The Next Big Data Privacy Issue?

Data privacy has become a major issue in today’s digitalized world, and with around 80% of all US health records[¹] now stored in digital form, the issue has sparked ongoing debates in the healthcare sector as well. While the government has attempted to guard this sensitive health information through regulatory frameworks such as the Health Insurance Portability and Accountability Act (HIPAA), it’s clear that there are still weaknesses in the system that can lead to major breaches of privacy and unauthorized patient data access.

According to Cybercrime Magazine’s 2020 Healthcare Cybersecurity Report, more than 93%[²] of healthcare organizations experienced a data breach from 2016 to 2019, while more than half (57%) experienced five or more breaches in the same period. To make matters worse, this type of cybercrime has been rising sharply in recent months: last year, the number of hospital ransomware attacks increased by 71%[³] from September to October alone.

Beyond these illegal breaches, recent deals between tech giants and healthcare organizations have caused widespread concern that firms will be able to access sensitive PHI and use it for commercial gain.

In late 2019, a controversial data-sharing deal between Google™ and Ascension® made headlines in the mainstream media and caused widespread concern around patient data access. Under the terms of the deal, Google was given access to millions of online medical records, purportedly as part of an analytics project to “improve patient health outcomes.” However, some media outlets reported that – contrary to HIPAA – some of this data had not been fully anonymized and was shared without explicit patient consent.

While these deals may not always break the law, they have caused a certain amount of unease around the appropriate usage and ownership of patient health data. Clearly, the fact that multinational companies can get their hands on an online medical record without the knowledge of the patient raises questions on the standard of patient data security in healthcare today.

Who owns patient data, and how is it used?

The ownership of patient data can be legally tricky to unpick, but generally, the data belongs to the health organization[⁴] that collects it.

Under HIPAA, these organizations have certain obligations and responsibilities[⁵] with regard to patient data security. These dictate that they shouldn’t sell it to unauthorized third parties, even if they have a Business Associate Agreement (BAA) in place. HIPAA also dictates that covered entities should never store and send sensitive patient health information on insecure platforms or networks without proper protections[⁶].

Patient data is primarily used by organizations in four ways[⁷]:

  1. Provide patients with consistent care
  2. Improve patient care
  3. Improve patient health outcomes
  4. Assist with health research about specific conditions, treatment pathways, and new drugs on the market

The big problem with the fourth use is that this data is often sold to life sciences companies without the knowledge of the patient and certainly not to the financial benefit of the patient. The permission to use “anonymized” and “aggregated data” is standard verbiage in most EHR and patient engagement software systems’ terms of use and End User License Agreements (EULA).

In the case of Google, however, it remains unclear how exactly the company intended to use the large swathes of data it is now able to access.

What can companies like Google do with deidentified patient data?

The way health research is conducted today means that collaboration between tech companies and health organizations has become fairly standard practice[⁴].

With the use of tools such as AI and machine learning, vast amounts of deidentified patient data can be rapidly analyzed in order to predict the course of certain diseases and improve both treatment and health outcomes. This is what Google claimed[⁸] its deal with Ascension was about.

Most of the time, the patient data from an online medical record is anonymized when shared for the purposes of research, with care taken to create deidentified patient data by removing any information that could potentially identify an individual. In the deal between Google and Ascension, however, there were reports that they had shared information that could potentially be identified.

Given the amount of information that Google has on all its users, the presence of any potentially identifying information amongst the data shared is particularly concerning for patients since it heightens the risk of their personal identity being exposed. At its most severe, this could mean Google having access to identifiable data on someone’s chronic health conditions, such as cancer or HIV.

Digital Front Door

What could Google and Ascension have done better?

As states like Virginia move to impose tougher patient data security legislation, healthcare firms are likely to be subject to greater constraints on patient data access, ensuring that they only process “adequate, relevant and reasonably necessary” data, implement and maintain “reasonable administrative, technical, and physical data security practices,” and obtain express consent from consumers when they (1) process sensitive data or (2) deviate from the purposes disclosed within the business’ privacy policy.

In the case we’ve mentioned, Google and Ascension could have ensured more openness and transparency at every stage of the deal, including by publicizing the existence of a BAA[⁹] between the two parties.

In addition, they could have liaised with patients about how their data would be used and obtained consent from affected parties, or simply published a clear notice to their patient population, not burying their right to use such data in a EULA or terms of use, which they know patients do not read. To comply with HIPAA, this data should be de-identified to adhere to the highest standards of data protection and privacy.

DISCLAIMER: All product and company names are trademarks™ or registered® trademarks of their respective holders. Bridge is not affiliated, endorsed, or sponsored in any way to the service providers mentioned in this article.

  1. Lancaster, K. (2020). Navigating the Uneasy Alliance Between Tech Giants and Healthcare Organizations. [online] CPO Magazine. Available at: https://www.cpomagazine.com/data-privacy/navigating-the-uneasy-alliance-between-tech-giants-and-healthcare-organizations/.
  2. Black Book Research. (2019). Healthcare Data Breaches Costs Industry $4 Billion by Year’s End, 2020 Will Be Worse Reports New Black Book Survey. [online] Blackbookmarketresearch.newswire.com. Available at: https://blackbookmarketresearch.newswire.com/news/healthcare-data-breaches-costs-industry-4-billion-by-years-end-2020-21027640
  3. O’Neil, P H. (2020). A wave of ransomware hits US hospitals as coronavirus spikes. [online] MIT Technology Review. Available at: https://www.technologyreview.com/2020/10/29/1011436/a-wave-of-ransomware-hits-us-hospitals-as-coronavirus-spikes/.
  4. Paunescu, D. (2019). Google’s secretive “Project Nightingale” gave them access to millions of medical records. Here are the pros and cons. [online] Vox. Available at: https://www.vox.com/recode/2019/11/19/20971337/google-medical-records-ascension-reset-podcast
  5. U.S. Department of Health and Human Services (2013). Summary of the HIPAA Security Rule. [online] HHS.gov. Available at: https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
  6. Rights (OCR), O. for C. (2015). 2006-Does the Security Rule allow for sending e-PHI in an email or over the Internet. [online] HHS.gov. Available at: https://www.hhs.gov/hipaa/for-professionals/faq/2006/does-the-security-rule-allow-for-sending-electronic-phi-in-an-email/index.html
  7. Health Informatics Online Masters | Nursing & Medical Degrees. (2015). 4 Uses for Patient Care Data. [online] UIC Health Informatics. Health Informatics Online Masters. Available at: https://healthinformatics.uic.edu/blog/4-uses-for-patient-care-data/.
  8. Shaukat, T. (2019). Our partnership with Ascension. [online] Google Cloud Blog. Available at: https://cloud.google.com/blog/topics/inside-google-cloud/our-partnership-with-ascension
  9. O’Reilly, K B. (2019). Google-Ascension deal comes as concerns rise on use of health data. [online] American Medical Association. Available at: https://www.ama-assn.org/practice-management/digital/google-ascension-deal-comes-concerns-rise-use-health-data
Pablo Bullian
Pablo Bullian

Pablo, our Chief Information Security Officer, architected and manages Bridge’s HIPAA-compliant hosting infrastructure. He is a Certified Information Systems Security Professional (CISSP), Amazon Web Services (AWS) Certified Solutions Architect, and Cisco Certified Network Associate (CCNA). Pablo has an M.S. in Cybersecurity from the University of Buenos Aires and he’s passionate about all things related to cybersecurity and cloud hosting.