Under-the-Radar Health Information Markets: the Supply, the Demand, and the Exploited.

Nowadays, it is not a secret that healthcare providers — such as hospitals — can store and utilize individuals’ health information. Hospitals keep records of individuals so that the diagnosis can be based on more information, and some countries even have a health information exchange system among different hospitals for the same purpose.

Yet, there are also some unnoticeable health information markets that are growing rapidly by consuming your health data without your awareness or explicit consent. In the following paragraphs, I will examine the players in the under-the-radar health information market from the view of supply and demand. I will then wrap up the article by raising awareness of the high risks that individuals face.

The Supply: Who is accessing and supplying your health information without your consent?

Health Data Brokerage Industry

In general, data brokers refer to entities that collect information about individuals and sell that data to other data brokers, companies and individuals. Accordingly, health data brokers refer to those who particularly focus on health information. In the US, Health data brokers can legally buy and sell anonymous (de-identified) data under the Health Insurance Portability and Accountability Act (HIPAA), as well as non-anonymous health data not covered by that privacy standard, including what you put into search engines and health websites [1].

“Your medical data is for sale — all of it.”

— The Guardian

One of the biggest health data brokers in the field is IMS Health (now called “IQVIA” after the merge). According to Forbes, IMS claimed it “processes data from more 45 billion healthcare transactions annually and collects information from more than 780,000 different streams of data worldwide.[2]” It is noteworthy that data brokers do not have a direct relationship with the people who they are collecting data from — meaning that people tend to be unaware of their data being collected and sold.

Health Data Breaches

Throughout history, one of the common ways for criminals to get something valuable is via stealing — and at the age of the internet, it becomes data breaches. Suggested by the Forbes, healthcare industry is now the most cyber-attacked industry. In the United States alone, between 2009 and 2017, there have been 2,181 healthcare data breaches that have resulted in the exposure of 176,709,305 healthcare records — accounting for 54.25% of its population [3]. In 2016, there were 9 times more medical than financial records breached [4]. It is also noteworthy that 75% of those records were exposed or stolen as a result of hacking or IT incidents, signaling how criminals saw value in the actions [5].

Every year, with the exception of 2015, the number of healthcare data breaches (in the USA) has increased, rising from 199 breaches in 2010 to 344 breaches in 2017.

Apart from the United States, Australia and Singapore also recently faced a serious health data breach. The Office of the Australian Information Commissioner has revealed in July 2018 that there have been more than 300 major data breaches this year — among which healthcare sector was the worst hit with 49 major data breaches [6]. Singapore, on the other hand, also suffered from one of the worst cyber attacks in history this year. Hackers invaded the computers of SingHealth, Singapore’s largest group of healthcare institutions, and stolen the health records of 1.5 million patients — including Prime Minister Lee Hsien Loong [7].

Darknet Market

Darknet Market, also known as the “Dark Web” or the “Deep Web”, can be seen as an online form of black market. Many of health records from the previously mentioned data breaches go to the darknet market for sale.

“Stolen health credentials can go for $10 each, about 10 or 20 times the value of a U.S. credit card number.” — PhishLabs.

On the dark web, complete health records normally contain an individual’s name, date of birth, social security number, and medical information. Such records can sell for as much as $60 a piece, whereas stolen credit cards sell for just $1 to $3 [8]. The prices might vary due to the number of items available in the package, characteristic of the victim, the source of the stolen data and the underground reputation of the sellers [9].

Source: Redsocks Malicious Threat Detection (11st Apr 2018), Dark Web: The Harmful Business of Medical Data. Available at: https://www.redsocks.eu/blog-2/dark-web-the-harmful-business-of-medical-data/

According to Guardian, a darknet trader even claimed to have access to any Australian’s Medicare details and can supply it upon request. The price for purchasing an Australian’s Medicare card details is 0.0089 bitcoin –equivalent to US$22 at the time [10].

The Demand: Who is buying your health information without your consent?

Medical Identity Theft

Medical identity theft, as defined by the World Privacy Forum, occurs when “someone uses a person’s identity without the person’s consent to obtain medical services or goods, or uses the person’s identity information to make false claims for medical services or goods” [11].

In the US, medical records have been in great demand from cybercriminals because they contain valuable personal information — such as name, address, date of birth and Social Security Number — all in one record [12]. With such information, criminals can access specific medical equipment or drugs available upon prescription — and then later sell them on the black market.

Pharmaceutical Companies

The pharmaceutical industry has traditionally depended on aggressive marketing for the products promotion. However, the traditional commercial method does not seem to do the trick anymore these days. Particularly, companies are failing to engage with patients when they look for information about symptoms in the early stages [13]. So by accessing more health information about individuals, they can gain better insights into the market and how to best interact with patients/consumers [14].

Besides the marketing aspect, to prove the value of their drugs, pharmaceutical companies have started to involve real-world data when conducting clinical studies over the past decade. Between 2010 and 2016, the average cost of bringing a drug to market has increased by 33%, yet the average peak sales decrease by 49%. Meanwhile, the market for precision medicine is expected to grow from $39 billion in 2015 to &87.7 billion by 2023 [15]. IMS Health, for instance, claims that pharmaceutical sales and marketing are a key part of IMS’ business, and its data also helps big pharma justify prices for drugs by demonstrating their effectiveness [16].

The Exploited: High risks, yet low (if any) returns for individuals

Your health information cannot exist without you. Yet, other people are benefiting from it instead of you.

All the health information that I mentioned above — whether it is in a data breach or being purchased by the pharmaceutical companies — are generated by individuals. Therefore, I believe it is fair to argue that individuals, instead of the data brokers or the hackers, have the most at stake — yet as it shows, receive the least benefits from the market.

Privacy is at stake

Most of the current legal protections (e.g. HIPAA) focus on removing personally identifiable information — such as name, phone number, address, date of birth — when it comes to health records. Health data brokers, for instance, tend to only deal with such de-identified health information when running their business. However, it is critical to realize that such method is no longer enough for securing one’s privacy as it is possible to re-identify those data what were de-identified. One of the popular ways to do so is by combing databases to fill in the blanks, which is also known as “mosaicking”[17].

“Enough anonymous data gathered over time will eventually contain enough clues to re-identify nearly anyone who has received medical care, posing a big potential threat to privacy [18].”

The Australian government, for instance, published medical billing records covers 2.9 million people on its open data website and those data were later found re-identifiable by using known information about the individuals [19]. With the increasing popularity of consumer genomics, a research has found out the “more than 60 per cent of Americans with European ancestry can be identified through their DNA using open genetic genealogy databases, regardless of whether they’ve ever sent in a spit kit [20].” In the below graph, Bloomberg shows how someone can successfully re-identify your medical records in 5 simple steps.

Source: Bloomberg Research

Pay the high price for being a medical identity theft victim

In the US, it is suggested that a medical identity theft can cost one about $13,500 to resolve [21]. Unlike the traditional financial identity theft, medical identity theft is more difficult to be discovered and dealt with. One of the main reasons is that health information tends to be very private and unchangeable — one cannot simply cancel his/her demographic data, family history, insurance information or medication.

Once you become a victim of medical identity theft, doctors might update your health records with the imposter’s medical information, which can lead to false treatment for you and medical bills that you have to pay for [22].

What’s it in for the individuals?

Bearing such costs and risks as mentioned, one would assume that there must be something in it for the individuals. But in my reality, I have never get rewarded (in any forms) from hospitals, pharmaceutical companies or health data brokers for utilizing my valuable health information — I believe that is the experience of almost everyone out there.

To conclude, our health information (in many forms) are in fact traded around more than we expected, both legally and illegally. From data brokers to hackers, entities get on hold of valuable and sensitive health information/data and make profits out of them. I believe the very first step is to raise public awareness as well as empowering individuals to request better control over their health information.

Reference:

[1] Fast Company (1st Apr 2018). Can this app that lets you sell your health data cut your health costs. Available at: https://www.fastcompany.com/40512559/can-this-app-that-lets-you-sell-your-health-data-cut-your-health-costs[2] Forbes (6th Jan 2014). Company that knows what drugs everyone takes going public. Available at: https://www.forbes.com/sites/adamtanner/2014/01/06/company-that-knows-what-drugs-everyone-takes-going-public/#2f37caf24c90[3] HIPAA Journal. Healthcare Data Breach Statistics. Available at: https://www.hipaajournal.com/healthcare-data-breach-statistics/[4] Forbes (Dec 2017). The Real Threat Of Identity Theft Is In Your Medical Records, Not Credit Cards. Available at: https://www.forbes.com/sites/forbestechcouncil/2017/12/15/the-real-threat-of-identity-theft-is-in-your-medical-records-not-credit-cards/#5c7f7fa01b59[5] HIPPA Journal (Sep 2018), Study reveals 70% Increase in Healthcare Data Breaches Between 2010 and 2017. Available at: https://www.hipaajournal.com/study-reveals-70-increase-in-healthcare-data-breaches-between-2010-and-2017/[6] News.Com.AU (31st Jul 2018). Health sector tops the list as Australians hit by 300 data breaches since February. Available at: https://www.news.com.au/technology/online/hacking/health-sector-tops-the-list-as-australians-hit-by-300-data-breaches-since-february/news-story/5e95c47694418ad072bf34d872e22124 [7] The Strait Times (Jul 2018). Personal info of 1.5m SingHealth patients, including PM Lee, stolen in Singapore’s worst cyber attack. Available at: https://www.straitstimes.com/singapore/personal-info-of-15m-singhealth-patients-including-pm-lee-stolen-in-singapores-most[8] Fast Company (2016). On the Dark Web, Medical Records Are a Hot Commodity. Available at: https://www.fastcompany.com/3061543/on-the-dark-web-medical-records-are-a-hot-commodity[9] Redsocks Malicious Threat Detection (Apr 2018). Dark Web: The Harmful Business of Medical Data. Available at: https://www.redsocks.eu/blog-2/dark-web-the-harmful-business-of-medical-data/[10] The Guardian (Jul 2018). The Medicare machine: patient details of ‘any Australian’ for sale on darknet. Available at: https://www.theguardian.com/australia-news/2017/jul/04/the-medicare-machine-patient-details-of-any-australian-for-sale-on-darknet[11] World Privacy Forum. Medical Identity Theft. Available at: https://www.worldprivacyforum.org/category/med-id-theft/ [12] Entefy (Dec 2017). Medical records fetch a premium on the black market. Then along comes blockchain. Available at: https://www.entefy.com/blog/post/500/medical-records-fetch-a-premium-on-the-black-market-then-along-comes-blockchain[13] McKinsey & Company (May 2016). How pharma companies can better understand patients. Available at: https://www.mckinsey.com/industries/pharmaceuticals-and-medical-products/our-insights/how-pharma-companies-can-better-understand-patients[14] Lewis, R. J., Weintraub, S., Sitler, B., McHugh, J., Zan, R., & Morales, S. (2015). Results: The Future of Pharmaceutical and Healthcare Marketing. [15] Deloitte (2017). Life Sciences and Health Care Prediction 2022. Available at: https://www2.deloitte.com/uk/en/pages/life-sciences-and-healthcare/articles/healthcare-and-life-sciences-predictions.html[16] Fortune (9th Feb 2018). This Little-Known Firm Is Getting Rich Off your Medical Data. Available at: http://fortune.com/2016/02/09/ims-health-privacy-medical-data/[17] Forbes (2016). The Big Data Era of Mosaicked Deidentification: Can we Anonymize Data Anymore? Available at: https://www.forbes.com/sites/kalevleetaru/2016/08/24/the-big-data-era-of-mosaicked-deidentification-can-we-anonymize-data-anymore/#802d2be3f1e2[18] The Century Foundation (2017). Strengthening Protection of Patient Medical Data. Available at: https://tcf.org/content/report/strengthening-protection-patient-medical-data/?agreed=1[19] The Guardian (Jul 2018). ‘Data is a fingerprint’: why you aren’t as anonymous as you think online. Available at: https://www.theguardian.com/world/2018/jul/13/anonymous-browsing-data-medical-records-identity-privacy[20] Wired (2018). Genome Hackers Show No One’s DNA Is Anonymous Anymore. Available at: https://www.wired.com/story/genome-hackers-show-no-ones-dna-is-anonymous-anymore/[21] AARP (2017). Medical Identity Theft: It Can Cost You Thousands. Available at: https://states.aarp.org/medical-identity-theft-can-cost-thousands/ [22] Panda Security. Identity Theft. Available at: https://www.pandasecurity.com/mediacenter/news/identity-theft-statistics/