Nearly six years, I cautioned that the "horse was already out of the barn" regarding privacy of health data (see: On the Privacy of Health Information: The Horse Is Already Out of the Barn).This note also made reference to Ingenix, now renamed Optum, and Milliman that sell patient data. Optum is owned by United Health Group which is one of the largest health insurance companies in the country, Here's a quote from that article from the referenced Washington Post article:
...Washington Post revealed that health insurers can now obtain a sort of health “credit report” on individuals thanks to the vast store of digitized drug-prescription data now held by “pharmacy benefit managers” [PBMs] like ExpressScripts....Drug-use information, of course, is highly useful to insurers as a reliable proxy for an individual’s health; as the story notes, if your data records show you’ve been on the highest dose of a cholesterol-lowering statin for 18 months, that signals you have an almost intractable cholesterol problem and face an elevated risk of heart attack or stroke.
A recent article on this same topic discussed how third parties like Optum acquire health data from providers, payers, and pharmacies and sell it to interested parties like pharmaceutical companies (see: How third parties harvest health data from providers, payers and pharmacies). Below is an excerpt from it:
As the healthcare industry continues to struggle with interoperability, there's one realm in which patient data move remarkably freely: the secondary market....Legitimate companies are cashing in too, including health systems, pharmacies and occasionally electronic health record vendors—and the third parties purchasing the data. These third parties get de-identified health information from a vast array of sources and then sell the information on a secondary market to buyers interested in gleaning strategy insights. Buyers might be pharmaceutical firms intent on refining their marketing strategies, figuring out where to invest next, or how to target clinical trials. A large pharmaceutical company might pay between $10 million and $40 million per year for data, consulting and services from Iqvia (formerly IMS Health), one of the dominant players in the market....As long as the data are de-identified, sharing them is fine under the HIPAA privacy and security rules....The data come from such third parties as Iqvia, which had $8 billion in revenue in 2017 and has agreements with more than 120,000 sources around the world to get anonymous patient data. It collects the data from providers, payers, and pharmacies....While health systems themselves own their patient data, EHR vendors still have a great deal of control over it, both legally and technologically. It can be tough, however, to nail down which vendors are actually selling patient data to third parties.
The notion that de-identification of medical data provides some security, particularly for genomic data, is largely a myth. Howeve, because of the size of the profits generated by acquiring and selling medical data, most of the involved parties don't want light cast on this business. Here's a quote from the Wikipedia entry on de-identification thats explains the false security that a may be afforded by de-identification (see: De-identification):
Whenever a person participates in genetics research the donation of a biological specimen often results in the creation of a large amount of personalized data. Such data is uniquely difficult to de-identify. Anonymization of genetic data is particularly difficult because of the huge amount of genotypic information in biospecimens, the ties that specimens often have to medical history, and the advent of modern bioinformatics tools for data mining.There have been demonstrations that data for individuals in aggregate collections of genotypic data sets can be tied to the identities of the specimen donors.