There have been two articles published this week.
First we have:
3 December, 2015
Anonymous GP data can be cracked: warning
The Privacy Commissioner has sounded a warning shot that companies dealing in “anonymous” prescribing data may nevertheless be revealing doctors’ and patients’ identities.
Posted by Antonio Bradley
Commissioner Timothy Pilgrim has acknowledged that sophisticated technology is now capable of re-identifying anonymous data, by means such as cross-referencing anonymous data with other data sets.
Previously, trading in de-identified data was thought to be relatively safe, as it was not covered by the Privacy Act so could not attract financial penalties.
But the new stance has the potential to disrupt the market for patient and prescription data, with the Commissioner signalling there may be future crackdowns on companies that do not protect against re-identification.
“The face of privacy, personal information, and data protection is changing,” Mr Pilgrim told a privacy conference in Melbourne late last month.
“Data sets of ‘anonymous data’ are fast becoming identifiable. And personal information is not just that which does identify you, but that which may.”
The uncertainty now is how much de-identification is required to protect privacy – an issue that has already unsettled large industry players.
Practice software company MedicalDirector confirmed last week that it was seeking updated legal advice on how it treated GPs’ data, such as for research purposes.
“We’re currently investigating and reviewing those comments. I do think there are repercussions into the health area,” chief executive Phil Offer said.
An industry source, who had bought prescribing data from GPs in the past to supply to pharmaceutical companies, said restricting the trade of de-identified data trade would also impact legitimate medical research.
“This isn’t for flogging a can of baked beans for Woolworths, this is valuable information.”
He also said re-identifying data had always been possible, but that it had required a “phenomenal” amount of effort.
That would not be worthwhile to uncover patients’ identities, where the value was in big-picture trends, the source said.
But he admitted matching doctors’ identities to prescribing data was commercially valuable.
The commissioner has a history of going after companies that sell prescription data that is clearly linked to doctors’ identities.
In 2013, Mr Pilgrim warned IMS Health that its plan to buy doctors’ personalised prescribing data from pharmacies would breach the Privacy Act.
IMS Health’s plan to buy the data and sell it on – unless doctors opted out of the scheme – sparked a fierce backlash from the profession.
An increased burden on GPs
GPs should be “extremely” careful when supplying de-identified data, medical defence organisations warn.
MDA National medicolegal manager Dr Sara Bird said GPs had always needed to be “extremely careful”, but the burden was now even greater.
More here:
Second we have:
Your private health data could be sold for profit
11:00pm, Dec 8, 2015
Experts fear private medical records could be given to insurance providers and pharmaceutical companies.
Whether you have a heart condition, diabetes, a rare blood disorder or are in fine health, this is all information which could be potentially turned to profit.
And now experts fear your private medical records could soon be available to the highest bidder.
A scandal has arisen in the wake of the so-called eHealth Bill, which passed into law this month amidst considerable controversy. The law now creates an opt-out not opt-in strategy for all medical records, meaning the health histories of almost all Australians will soon be online.
Critics fear that the data could be easily hacked. Trials of the system, involving one million Australians, are set to begin in both NSW and Queensland early in the new year.
In the most recent developments, the Federal Health Department has just begun a tendering process by issuing what is called a Request for Expressions of Interest (REI) for so-called “secondary usage” of health data.
The move has outraged privacy advocates.
The Health Department’s REI requires respondents to “deliver a framework for the secondary use of My Health Record system data, previously known as Personally Controlled Electronic Health”.
A spokeswoman for the Federal Department of Health told The New Daily that under the Act the department was obliged to prepare and provide de-identified data for research and public health purposes.
“Use of aggregated and de-identified data for secondary purposes can support the capacity, quality, safety and delivery of healthcare,” she said.
Despite direct questions from The New Daily, neither the Health Minister nor the Health Department would rule out the possibility of the data becoming available to insurance and pharmaceutical companies.
Visiting Professor of Law at UNSW Roger Clarke told The New Daily the actions of the government were downright “scary”.
“They are taking data which has to do with your health and using it for other purposes,” he said.
“Look at what they are saying they are going to do with your private confessions to a doctor.”
Professor Clarke said many people had a condition they would prefer others didn’t know about.
“Those records are going to turn up in more places; sure there’s not a name, but a lot of identifiers there. At the very least a postcode, age, gender.
“It is very easy with rich data like health data to reconstruct who it relates to. Anyone who does any decent homework will be able to identify the patient.”
More here:
Both these articles are worth reading to understand the risks that are out there to your health information. I am certainly not planning to put any of my information in these systems.
David.
2 comments:
DM: I am certainly not planning to put any of my information in these systems.
You may like to brush up on Doxing, David. The Serial Swatter is an example of it being put to nefarious use.
"He also said re-identifying data had always been possible, but that it had required a “phenomenal” amount of effort."
No, it doesn't. While the mechanisms may be sophisticated, new implementations makes them fairly trivial to perform, and the more datasets a company has access to, the easier it is to reconstruct the data.
Once released, control of the "de-identified" information is essentially lost, with the holders of this information obscured due to it being passed on to other entities.
Post a Comment