By Kim Zetter
Threat Level
Wired.com
October 19, 2009
When patients visit a physician or hospital, they know that anyone involved in providing their health care can lawfully see their medical records.
But unknown to patients, an increasing number of outside vendors that manage electronic health records also have access to that data, and are reselling the information as a commodity.
The revelation comes in a recent New York Times article about how so-called "scrubbed" patient data isn't as anonymous as people think.
The piece focuses primarily on how anonymized data can be cross-bred with other publicly available databases, such as voting records, which subverts the anonymity. Buried near the end of the article is the news that medical data is collected, anonymized and sold, not by insurance agencies and health care providers, but by third-party vendors who provide medical-record storage in the cloud.
Electronic health record (EHR) services have been a growing industry in the last few years, according to Sue Reber, marketing director of the Certification Commission for Health Information Technology. Reber says most vendors used to simply sell software packages; once the product was sold, the vendor had no connection to the data stored in it. But an increasing number of companies have begun to offer web-based software-management applications that include database storage controlled and managed by the vendor.
