Decades-old IBM database became profitable dossier on health of 270M Americans
Author: walterbell
Score: 147 points
Date: 2022-02-03 04:50 UTC
Link: www.statnews.com

rr808 wrote:
Just imagine the FB database in 20 years. Maybe it's open by then.

walterbell wrote:
UK Health Security Agency (HSA) has a comprehensive page on test & trace data management, https://www.gov.uk/government/publications/nhs-test-and-trac... (Dec 2021 update)

> Under data protection law, you have several rights over your personal information. You can exercise any of your rights by contacting us at InformationRights@UKHSA.gov.uk

> COVID-19 data may need to be shared with WHO for research purposes and where required to help trace contacts internationally. These are restricted transfers made on the basis of being important for reasons of public interest, where we rely on one of the derogations under Article 49(1)(d) of the GDPR.

> Personal information includes ... name, DOB, address, employer, locations visited, travel itinerary, mental health, lifestyle, social circumstances, ethnic origin, DNA/biometric data ... We send personal information to ... Amazon, AWS, Deloitte, MoD, NCSC, ONS, Police, Palantir, Serco, WHO [and others]

sha256sum wrote:
There's also MIB Group (Medical Information Bureau) which collects healthcare data as part of an exemption to the Fair Credit Reporting Act, along with an extensive astroturfing campaign to hide their activities (the Wiki article on them is useless).

> In addition to an individual's credit history, data collected by MIB may include medical conditions, driving records, criminal activity, and participation in hazardous sports, among other facts. MIB's member companies account for 99 percent of the individual life insurance policies and 80 percent of all health and disability policies issued in the United States and Canada.

https://www.ftc.gov/news-events/press-releases/1995/06/medic...

You may request the data they have on you and allegedly you can dispute the information.

SilasX wrote:
Tangent, but ... they picked the acronym MIB? I had to look it up, and the term Men in Black in the lay usage dates to 1947.[1] But the group MIB dates to 1902, so just a coincidence.

[1] https://www.history.com/news/men-in-black-real-origins

smrtinsert wrote:
> IBM's efforts to use the repository to transform broad swaths of the health care system ultimately fizzled. The company struggled to create the cloud storage and computing infrastructure needed to combine all the data so it could be analyzed by its AI and analytics machinery.

Wow, still? I'm a little surprised by this, as lots of cloud offerings these days seem designed for massive scale.

Tempest1981 wrote:
I wonder what they plan to do with our data? I found this:

- Francisco Partners is a leading global investment firm that specializes in partnering with technology and technology-enabled businesses.

- FP's current and past investments include such companies as BeyondTrust, ClickSoftware, GoodRx, Ichor Systems, iconectiv, LegalZoom, Quest and Verifone.

and from the article:

- Francisco Partners had previously purchased stakes in the telemedicine and drug coupon company GoodRx, the virtual appointment booking company ZocDoc, and Edifecs, a company that builds software to enable a more seamless exchange of data.

- The firm declined to comment on the acquisition or its plans for the MarketScan database.

airstrike wrote:
There are literally dozens of PE firms and VC funds investing in Healthcare IT... and not necessarily for nefarious ulterior motives.

walterbell wrote:
Quite a portfolio:
- BeyondTrust: admin credentials
- ClickSoftware: service chain mgmt
- GoodRx: prescriptions
- LegalZoom: LLC identity, IP
- Quest: security/identity, Erwin data modeler
- SonicWall: firewall
- Verifone: retail POS transactions
- ZocDoc: doc-patient calendar

hedora wrote:
> He started by reaching out to the biggest corporations. If they would agree to give him data on their employees' paid medical claims, he would return to them an analysis of their cost drivers, benefit designs, and manageable risks that would give them leverage in negotiations with insurers

What? Isn't this exactly the sort of thing HIPAA is supposed to ban? What happened to doctor-patient confidentiality? Why do employers even have that information?

walnutclosefarm wrote:
The data is de-identified, and thus not subject to HIPAA restrictions.

It's not made entirely clear in the article, but most of this data is insurance claims data, not medical records per se. That's why employers have it. If your employer underwrites your medical claims directly - which most do nowadays - when you or your doctor submits an insurance claim, they are submitting it to your employer. It may go through a health insurance company - since most employers hire one to administer their plans - but that insurance company is collecting the information on behalf of the plan owned by your employer. The fact that it's insurance claims and not raw medical records is one of the challenges IBM had in making a business out of analyzing it. There is a lot less, and lower-quality, medical data in insurance claims than IBM hoped.

peterth3 wrote:
> Medical data mining companies have made a business of scraping the details of consumers' daily lives into medical dossiers that, if combined with MarketScan's de-identified information, could be used to re-identify the individuals within its databases.

De-identification is unreliable. If you have enough context, then the patients can be re-identified.

capableweb wrote:
The clues are a bit earlier in the article and the full name of HIPAA.

> The financial trajectory of MarketScan was perhaps unimaginable in 1981, when a former insurance executive named Ernie Ludy founded the company. His idea was to simply collect patients' data and parcel it out to big companies that were seeking to control costs by getting a more granular view of their employees' health care use.

> The Health Insurance Portability and Accountability Act of 1996

hedora wrote:
Ahh, thanks. Should have kept reading. However, a paragraph or so later, it says HIPAA doesn't apply to de-identified data, and that it's easy for researchers to buy the data set.

Hopefully, some security researchers will get their hands on it, de-anonymize the data set, and then regulators will burn the industry to the ground.

ghaff wrote:
> HIPAA doesn't apply to de-identified data

Although I'd point out that very little is needed to un-deidentify medical records if you want to. For example, see some of the work Latanya Sweeney has done.

http://latanyasweeney.org/
https://arstechnica.com/tech-policy/2009/09/your-secrets-liv...

nerdponx wrote:
Or it will just keep on going with the HIPAA fig leaf like before. See also: credit rating agencies, ad targeting.

zitterbewegung wrote:
Wow, this person had a Data Science company in 1981 that was actually profitable.

brilee wrote:
https://en.wikipedia.org/wiki/FICO how about 1956?

nexuist wrote:
Computer science evolves in a circle. Analyzing data for meteorological predictions was one of the first uses of a digital computer; it just wasn't hip at the time and involved 0 pandas.

rubatuga wrote:
> import tensorflow as tf

gravypod wrote:
IANAL but I think HIPAA:

1. Only applies to covered entities.

2. Data can be given to another covered entity as long as certain rules are followed.

Very easy to have a web of people giving each other data because of this.

NightMKoder wrote:
Yep and covered entities are usually related to billing for medical care. As an example, almost all life insurance companies are not even HIPAA compliant because they aren't covered entities.

In net - HIPAA doesn't protect medical information generally - only the subset that's usually visible to doctors. And even then, it stops working as soon as the info is outside a covered entity.

Spooky23 wrote:
HIPPA is a joke and basically stopped gossip.

"Hot" conditions with high conversions are tracked in near real-time. I learned this when we received via FedEx a box of Enfamil on what should have been the due date of our daughter. Unfortunately, we miscarried.

walnutclosefarm wrote:
Very sorry about your pregnancy.

But I can assure you that your pregnancy was not revealed to a marketing organization by your doctor or insurance company. HIPAA prohibits that kind of information transfer, and the consequences of violating the law are severe enough that physicians and insurers are highly unlikely to risk it, for the little bit of dough they'd get by selling the fact of a pregnancy.

However, HIPAA only protects information about you gathered by your doctor or insurance company in the course of providing medical care. It does not protect you against data aggregators inferring your condition based on non-medical activities. In the case of pregnancy, it's not unlikely that your condition was inferred from credit card activity or online retail activity. (There is a well known case of a retailer - Target - building a model that inferred a pregnancy in a household based on retail activity; they started sending flyers/adverts to households they had identified as pregnant, and in the process revealed pregnancies of wives or daughters in the household to others who had not been read in to the news; it did not end well for Target).

LancerSykera wrote:
As a FedEx driver I always dreaded delivering those. Not because of the possibility of unfortunate outcomes such as yours (never crossed my mind), but because I knew they were unsolicited "gifts" that came from big data schemes like this. Just like how marketing companies know that you're pregnant even before you do.

walterbell wrote:
Potential use case for guerrilla sticker educational program.

loeg wrote:
HIPAA (one P, two As) is chiefly for data portability between doctors; not privacy. HIPAA is not intended to and does not protect your medical information from insurers.

Sorry to hear about your daughter. That is really tough.

MrDunham wrote:
Correct, though it's interactions between any of doctors, payors (insurers), and information brokers (more like clearing houses if I remember correctly) - between themselves or each other.

So if any of them or their business associates got the information and sold it, that would be a violation. But if, say, Target figured it out because she was buying a lot more orange juice and lotion (true story, Target's ability to figure out who's pregnant is legendary) and sold that info, it would not be covered under HIPAA.

thaumasiotes wrote:
> HIPAA (one P, two As)

There's a weird thing going on where everyone pronounces it as if it were spelled "hippa", and then everyone believes it must be spelled that way because of how it's pronounced.

It doesn't seem to have occurred to anyone to pronounce it in a way that's compatible with the spelling.

Froedlich wrote:
> What happened to doctor-patient confidentiality?

It was cast by the wayside long ago. First it was the "mental health" exemptions, then various law enforcement provisions, then third-party "office solutions", then transcriptionist services, then private medical databases...

You might as well assume that anything you tell your doctor is going to be recorded and (eventually) used against you.

And then, as was alluded to earlier, there's the problem of incorrect information in those databases... and your only recourse is to give them more-accurate information to sell.

All the dice are loaded against the patient. And as anyone online for long knows, data is forever.

icegreentea2 wrote:
The information is supposedly de-identified. That means it's not a HIPAA violation. You can look at the HIPAA de-identification standard right over here (https://www.hhs.gov/hipaa/for-professionals/privacy/special-...).

alexb_ wrote:
I will never believe someone when they say info is "de-identified", because even if it is, it is shockingly easy to pinpoint 1 person out of millions based on a very small number of unique factors.

tomrod wrote:
There are academic subfields that study the risk of de-identification.

samhw wrote:
I think it's because the word "anonymous" permeates our understanding of the concept, and - even for people who didn't actually study Greek - the tie to "name" is clear.

We need to understand that "knowing someone's identity" is not coextensive with "knowing their name", and that in fact knowing someone has a rare medical condition may be _more_ identifying[0] than knowing their name.

[0] Or k-deanonymising, for anyone who's pedantic about identity being an absolute.

walnutclosefarm wrote:
I spent a good deal of my professional life in the last decade dealing with the problem of de-identifying medical data. You are correct that it's hard, but the HIPAA rule is actually not a bad go at it. See https://www.hhs.gov/hipaa/for-professionals/privacy/special-....

For the kind of data in this particular database (mostly insurance claims data), it's highly unlikely that you could learn much through re-identification of the data.

nerdponx wrote:
A lot of people simply don't know this. Politicians either don't know or claim to not know.

This is a good example of the law and popular conception of a concept being badly out of date, to the advantage of industry and disadvantage of regular people. Therefore industry has a vested interest in keeping the public perception focused on "de-identified" with a narrow definition of PII.
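The de-identification argument running through the thread (the HIPAA standard icegreentea2 and walnutclosefarm link, Sweeney's re-identification work, samhw's k-anonymity aside) in runnable form, as an added example that is not part of the thread: it measures k-anonymity over a constructed claims-style table and shows how Safe Harbor-style generalization shrinks, but does not remove, the set of unique records. The rows, the reference year and the outside record used for the risk check are all constructed; the generalization is an illustrative subset of Safe Harbor, not the full rule.

```python
# Added example (not from the thread): k-anonymity of the quasi-identifiers in a
# constructed "de-identified" claims extract, before and after Safe Harbor-style generalization.
from collections import Counter

# Constructed claims-style rows: no names, but ZIP, date of birth and sex remain.
CLAIMS = [
    {"zip": "02139", "dob": "1961-07-12", "sex": "F", "dx": "E11"},
    {"zip": "02139", "dob": "1961-07-12", "sex": "F", "dx": "I10"},
    {"zip": "02142", "dob": "1958-03-02", "sex": "M", "dx": "F32"},
    {"zip": "02138", "dob": "1930-11-30", "sex": "F", "dx": "C50"},
    {"zip": "02138", "dob": "1962-01-15", "sex": "F", "dx": "J45"},
    {"zip": "02140", "dob": "1929-05-05", "sex": "F", "dx": "I10"},
    {"zip": "02141", "dob": "1955-12-01", "sex": "M", "dx": "K21"},
]
YEAR_NOW = 2022  # reference year for ages (the thread's date)

def raw_key(row):
    """Quasi-identifiers as many 'de-identified' extracts still carry them."""
    return (row["zip"], row["dob"], row["sex"])

def generalized_key(row, age_band=None):
    """Safe Harbor-style generalization: ZIP truncated to three digits, dates
    reduced to year, ages over 89 collapsed to one bucket. With age_band=10
    the birth year is further coarsened to a ten-year age band."""
    age = YEAR_NOW - int(row["dob"][:4])
    if age > 89:
        age_field = "90+"
    elif age_band:
        low = age // age_band * age_band
        age_field = f"{low}-{low + age_band - 1}"
    else:
        age_field = row["dob"][:4]
    return (row["zip"][:3], age_field, row["sex"])

def equivalence_classes(rows, key_fn):
    """How many rows share each quasi-identifier tuple."""
    return Counter(key_fn(r) for r in rows)

def k_anonymity(rows, key_fn):
    """k = smallest class size; k == 1 means some row is unique in the table."""
    return min(equivalence_classes(rows, key_fn).values())

def unique_fraction(rows, key_fn):
    """Share of rows whose quasi-identifiers match no other row."""
    classes = equivalence_classes(rows, key_fn)
    return sum(1 for r in rows if classes[key_fn(r)] == 1) / len(rows)

def linkage_candidates(rows, external, key_fn):
    """Risk check: rows an outside record (ZIP, DOB, sex) narrows the table to under key_fn."""
    return [r for r in rows if key_fn(r) == key_fn(external)]
```

With these rows the raw keys leave 5 of 7 records unique, Safe Harbor-style generalization still leaves 3 unique, and only the ten-year age band reaches k=2; the same functions run over a real extract's columns show whether "de-identified" holds before the table is released.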