I have opined for more than a decade that it's not worth worrying too much about unauthorized access to your personal health and research data because "that horse has already left the barn" (see: On the Privacy of Health Information: The Horse Is Already Out of the Barn). The security of anonymized health data was discussed in a recent blog note in a Q and A with Hank Greely, a Stanford law professor who focuses on the ethics behind new technologies related to neuroscience and genetics (see: Genetic Testing: Who Owns Your Data?). This site is called Being Patient. Below is the excerpt from the article:
Being Patient: Can we assume that...[personal health] data is anonymized, even if they’re sharing it? Typically, 23andMe sends people emails after completing genetic testing, asking whether they can use the data for the “advancement of science.” Will the data be anonymized as long as people don’t tick “yes” when receiving these emails?
Hank Greely: Yes and no. It will technically be anonymized. They say, and I believe them, that they won’t share your name, social security number, Visa number, address or email address. The problem is, particularly with genetic information, de-identification is a myth in that with any sufficiently robust dataset, if somebody really cared, they could go back and re-identify you. The more data is out there in terms of genetic data, the easier that becomes. But, even if it’s not genetic data, even if all they know is that you’re 39 years old, live in this county and have the following health conditions, for some people, that’s going to be enough to say that’s you and nobody else. There was a really interesting piece published just last week showing that over 99 percent of people could be identified with 15 demographic kinds of identifiers, none of them even genetic. Computers and the internet have made the reality of de-identification basically go away.
For me, the most disturbing potential consequence of unauthorized access to one's personal health information is that it could be used for health insurance discrimination. Professor Greely addresses this question with the following comments (see: Genetic Testing: Who Owns Your Data?):
- While the Genetic Information Nondiscrimination Act (GINA) prohibits health insurers and employers from discriminating against people based on their genetic information, the act only deals with employment and health insurance, but not life insurance, disability insurance or long-term care insurance
- Even if you do not pursue genetic testing, if a relative has taken a genetic test, someone could access certain genetic information about you if they wanted to.
I personally have gained such useful health information from my on-line genetic testing that I believe acquiring it outweighs any potential harm I may suffer due to its inappropriate use. Besides and as noted above, there is little I can personally do to prevent re-identification of my anonymized data or hacking into hospital EHR databases where my data is stored. As consumer-oriented genetic screening gets even more sophisticated, I am hopeful that the GINA legislation will be extended and provide more protection.
Comments