Reporter Steve Kroft said companies in the multi-billion dollar data brokerage industry are “collecting, analyzing and packaging some of our most sensitive personal information and selling it as a commodity ... to each other, to advertisers, even the government, often without our direct knowledge.”
Kroft questioned guest expert Tim Sparapani, a one-time privacy lawyer for the American Civil Liberties Union and Facebook's first director of public policy, about a broker's inventory. Healthcare data came up big.
Kroft: “What about medications?”
Sparapani: “Certainly. You can buy from any number of data brokers, by malady, the lists of individuals in America who are afflicted with a particular disease or condition.”
Kroft: “Alcoholism?”
Sparapani: “Yes. Absolutely.”
Kroft: “Depression?”
Sparapani: “Certainly.”
Kroft: “Psychiatric problems?”
Sparapani: “No question.”
Kroft: “History of genetic problems?”
Sparapani: “Yes. Cancer, heart disease, you name it, down to the most rare and, and most unexpected maladies.”
Where does all of this data come from?
Maybe from websites and phone apps that extract it from people, wittingly or unwittingly, as they search the Internet or use their smartphones, the CBS report said. Those collection methods could all be exempt from the HIPAA privacy rule. But who knows if those are all the only methods being used?
“No one has ever looked into these lists,” Sparapani said. “In fact, most of this has been completely opaque until just recently. The depths of this industry, the really darkest corners, have yet to be exposed to any light whatsoever.”
Kroft asked for a peek at his own data dossier from the CEO of the one major data broker that would talk to him on camera. Kroft was turned down. The CEO said Kroft could search and receive information about the kind of data his firm kept on Kroft, but not the data itself.
The other story to break last week was, “How the NSA Plans to Infect 'Millions' of Computers with Malware.” It was co-authored by Glenn Greenwald, a former constitutional lawyer turned reporter. Greenwald was one of a few recipients of the trove—reported to be several hundred thousand documents—taken from a National Security Agency contractor by whistle-blower Edward Snowden. Greenwald was one of four 2013 Polk Award winners for reporting on the Snowden leaks.
In Greenwald's latest story, he describes an automated capability of the spy agency to place and control a myriad of bugs on thousands, and possibly millions, of computers as part of the spy agency's drive to “Own the Net.” Many of the implants are designed to monitor traffic on the computers or servers they infest. Some can circumvent encryption. Others are programmed to attack and destroy computer functions.
The Greenwald story didn't mention healthcare data, but it takes no leap of imagination to understand how healthcare information could get sucked up in the process he outlined, even if it wasn't targeted. And, there is little hope that it's not, given the breadth of surveillance operations revealed in the Snowden documents.
In 2008, Modern Healthcare published a six-part series examining the possibility that surveillance agencies were surreptitiously targeting medical records. Our research found hard evidence that was the Defense Department's intention, that medical records were targeted, that it was building the technical capability to grab them, and planners of this dragnet surveillance system had favorably received the recommendation of an executive from a major data broker who said the system architects should consider buying the data they wanted from commercial concerns.
Meanwhile, HHS continues to enforce HIPAA as if it were a functioning bulwark of patient privacy protection. Obviously, much more is needed, and fast.
Follow Joseph Conn on Twitter: @MHJConn