MORE than 10 years after she tried without success to have a baby, Marcy Campbell Krinsk is still receiving painful reminders in her mail. The ads and promotions started after she bought fertility drugs at a pharmacy in San Diego.
Marketers got hold of her name, and she found coupons and samples in her mail that shadowed the growth of an imaginary child — at first, for Pampers and baby formula, then for discounts on family photos, and all the way through the years to gifts suitable for an elementary school graduate.
“I had three different in vitro procedures,” said Ms. Krinsk, now 55, a former telecommunications executive who lives with her husband in San Diego. “To just go to the mailbox and get that stuff, time after time after time, it was just awful.”
Like many other people, Ms. Krinsk thought that her prescription information was private. But in fact, prescriptions, and all the information on them — including not only the name and dosage of the drug and the name and address of the doctor, but also the patient’s address and Social Security number — are a commodity bought and sold in a murky marketplace, often without the patients’ knowledge or permission.
That may change if some little-noted protections from the Obama administration are strictly enforced. The federal stimulus law enacted in February prohibits in most cases the sale of personal health information, with a few exceptions for research and public health measures like tracking flu epidemics. It also tightens rules for telling patients when hackers or health care workers have stolen their Social Security numbers or medical information, as happened to Britney Spears, Maria Shriver and Farrah Fawcett before she died in June.
“The new rules will plug some gaping holes in our federal health privacy laws,” said Deven McGraw, a health privacy expert at the nonprofit Center for Democracy and Technology in Washington. “For the first time, pharmacy benefit managers that handle most prescriptions and banks and contractors that process millions of medical claims will be held accountable for complying with federal privacy and security rules.”
The law won’t shut down the medical data mining industry, but there will be more restrictions on using private information without patients’ consent and penalties for civil violations will be increased. Government agencies are still writing new regulations called for in the law.
Ms. Krinsk was never able to find out who sold her information, but companies that have been accused in lawsuits of buying and selling personal medical data include drugstore chains like Walgreens and data-mining companies like IMS Health and Verispan. CVS Caremark, which handles prescriptions for corporate clients, has also been accused of violating patients’ privacy.
These companies all say that names of patients are removed or encrypted before data is sold, typically to drug manufacturers.
But as Ms. Krinsk’s case shows, there are leaks in the system.
Before the changes, privacy regulations mainly applied to hospitals and doctors. Enforcement was weak, and there were lots of loopholes.
Privacy experts cite research by Latanya Sweeney, director of the Data Privacy Lab at Carnegie Mellon University in Pittsburgh, which shows that a computer-savvy snooper can easily match names, addresses, Social Security numbers and so on to “re-identify” information that had supposedly been rendered anonymous.
“Our biggest concern is the complete lack of protection against re-identifying data that was supposed to be anonymous and secure,” Ms. McGraw said.
Tracking prescriptions has been a big business for decades. Data miners say their research is valuable because gathering and analyzing information from thousands of people helps identify trends and provides indications of potentially dangerous side effects of drugs.
“Data stripped of patient identity is an important alternative in health research and managing quality of care,” said Randy Frankel, an IMS vice president. As for the ability to put the names back on anonymous data, he said IMS has “multiple encryptions and various ways of separating information to prevent a patient from being re-identified.”
“De-identified health information is our core business,” he said.
IMS Health reported operating revenue of $1.05 billion in the first half of 2009, down 10.6 percent from the period a year earlier. Mr. Frankel said he did not expect growing awareness of privacy issues to affect the business.
CVS Caremark says it is careful about patient data. “In very limited circumstances, we exchange aggregated, de-identified data with third parties to assist the health care community in understanding patient use of prescription medications with the goal of achieving better health outcomes,” said Carolyn Castel, a company spokeswoman.
Selling data to drug manufacturers is still allowed, if patients’ names are removed. But the stimulus law tightens one of the biggest loopholes in the old privacy rules. Pharmacy companies like Walgreens have been able to accept payments from drug makers to mail advice and reminders to customers to take their medications, without obtaining permission. Under the new law, the subsidized marketing is still permitted but it can no longer promote drugs other than those the customer already buys.
The ban on marketing is even more strict in California, where Walgreens is fighting off a class-action lawsuit filed on behalf of customers who received the subsidized mailings before the state outlawed them in 2004. Michael Polzin, a Walgreens spokesman, defended the mailings as a cost-cutting measure. “Patients who fail to properly take their medication cost the U.S. health care system $177 billion a year,” when they fall sick and need treatment, he said.
The data mining industry, meanwhile, is challenging laws in New Hampshire, Maine and Vermont that ban collecting and selling prescription information to drug makers, which use it to decide which doctors to market to.
The companies in the case, IMS Health and Verispan, now part of the private company SDI Health, said the identities of patients were removed. “At no time does SDI ever receive any identifiable patient information nor any means to identify any patient from the data we handle. All data is de-identified prior to transmission to SDI,” said Andrew Kress, chief executive of SDI.
Privacy advocates and a judge in the case argued that de-identified information could easily spin out of control. “This information quickly finds its way into other databases, including those of insurance carriers and pharmacy benefits managers,” Judge Bruce M. Selya wrote in a federal appeals court decision upholding the New Hampshire law.
IN another big change, the stimulus law provides $19 billion to push doctors toward installing electronic records systems. It is a milestone on the road toward President Obama’s goal of digitizing all medical records within five years. But digitization creates the potential for more abuses by hackers, as well as blackmail and insurance fraud.
“Privacy is under greater duress than ever before as medical records are switched from paper to electronic,” said Pam Dixon, a consumer advocate and executive director of the World Privacy Forum near San Diego.
Administration officials say privacy guarantees are essential. “We can’t afford to go forward with our plans unless we have assured the American public that the privacy of their information is assured,” said Dr. David Blumenthal, the Health and Human Services Department’s national coordinator for health information technology.
Companies like Google, Microsoft and WebMD see a lucrative business opportunity in assembling and holding personal health records. Patients and their doctors would be able to consult the records wherever and whenever needed. But the companies themselves recognize that they have work to do to persuade consumers and physicians that records will be safe and protected.
Although as many as one in four adult Americans are currently offered an online personal health record, by a health plan or physician’s office, most have not taken up the offer.
Google, Microsoft and WebMD all say they will not show advertising alongside a person’s health records. But visitors to WebMD, Google Health and Microsoft’s site, HealthVault, see ads for drugs for diseases like osteoporosis or acid reflux as they seek information on an array of ailments.
Technology experts say identities of viewers and their health interests are often captured at the moment they click on online ads for a drug. That provides the advertiser with a prospective customer to pursue online or by mail.
“Personal health records linked to advertising, even indirectly, put them in the hands of marketers and profilers,” said Robert Gellman, an independent privacy consultant in Washington.
The new law also requires the Federal Trade Commission and the Department of Health and Human Services to clarify the rules for privacy violations and gives all 50 states’ attorneys general new authority to enforce the federal rules.
Some recent high-profile incidents reveal the extent of the problem. In Virginia, a state health agency notified 530,000 residents in June that their Social Security numbers were at risk after a hacker claimed to have invaded a state monitoring database in April and demanded $10 million ransom to return the stolen data. State officials said they were still investigating the breach.
Ms. Fawcett was plagued by lurid tabloid reports fueled with information from her cancer treatment records at the University of California, Los Angeles Medical Center. And in May, Kaiser Permanente paid a $250,000 fine to California after it reported that 21 unauthorized employees and two physicians had invaded the records of Nadya Suleman, the woman who gave birth to eight infants in a Kaiser hospital in January.
Since 2003, more than 45,000 complaints have been filed at the civil rights office in the Department of Health and Human Services by people who said their medical privacy was violated. The office says it has taken enforcement actions on more than 8,900 cases in that period, covering millions of people.
A single case can involve thousands of patients. For example, CVS paid a $2.25 million settlement early this year after an Indianapolis television station found paper records with CVS customers’ personal drug information had been tossed into Dumpsters. In the settlement agreement, CVS promised to protect patient information at all 6,300 CVS stores.
A survey sponsored by the Federal Trade Commission suggested that tens of thousands of patients each year had their records broken into by hackers and unauthorized employees of hospitals and other health industry companies. Keith B. Anderson, an economist at the F.T.C., estimated that the personal information of about 890,000 adults was misused between 2001 and 2006. Stolen identities and data were used to trick Medicare, Medicaid and other insurers into paying for bogus medical treatment and supplies, he said.
Deborah Peel, a psychiatrist in Austin, Tex., who advocates privacy rights, said she predicts “a looming battle between the data thieves and those that believe in constructing a digital universe with even stronger protections for the privacy of personal information than we have in the world of medical records on paper.”
SOME people think that the stimulus law doesn’t go far enough to protect patients’ privacy. While it bans paying a pharmacist for marketing to patients, it does not bar the sale of personal drug information by one pharmacy to another, as happened to Randee Lonergan, 35, a school administrator who now lives in Florida.
She says that when a pharmacy closed in a Stop & Shop supermarket on Long Island, it sold her information to a nearby Target store. She was upset when her new pharmacist asked if she was still taking injections for a skin problem. “They knew all about me and my family,” she said. Adding to her chagrin, she saw a person she happened to know working at the pharmacy. A Target spokeswoman says the company complied with all privacy laws.
Ms. Krinsk in San Diego, whose privacy was repeatedly violated for more than a decade, says she is willing to speak out if it draws attention to the problem. “I’m a pretty tough person,” she said.