[HN Gopher] Decades-old IBM database became profitable dossier o...
___________________________________________________________________
Decades-old IBM database became profitable dossier on health of
270M Americans
Author : walterbell
Score : 147 points
Date : 2022-02-03 04:50 UTC (2 days ago)
(HTM) web link (www.statnews.com)
(TXT) w3m dump (www.statnews.com)
| rr808 wrote:
| Just imagine the FB database in 20 years. Maybe it's open by then.
| walterbell wrote:
| UK Health Security Agency (HSA) has a comprehensive page on test
| & trace data management,
| https://www.gov.uk/government/publications/nhs-test-and-trac...
| (Dec 2021 update)
|
| _> Under data protection law, you have several rights over your
| personal information. You can exercise any of your rights by
| contacting us at InformationRights@UKHSA.gov.uk
|
| > COVID-19 data may need to be shared with WHO for research
| purposes and where required to help trace contacts
| internationally. These are restricted transfers made on the basis
| of being important for reasons of public interest, where we rely
| on one of the derogations under Article 49(1)(d) of the GDPR.
|
| > Personal information includes ... name, DOB, address, employer,
| locations visited, travel itinerary, mental health, lifestyle,
| social circumstances, ethnic origin, DNA/biometric data ... We
| send personal information to ... Amazon, AWS, Deloitte, MoD,
| NCSC, ONS, Police, Palantir, Serco, WHO_ [and others]
| sha256sum wrote:
| There's also MIB Group (Medical Information Bureau) which
| collects healthcare data as part of an exemption to the Fair
| Credit Reporting Act, along with an extensive astroturfing
| campaign to hide their activities (the Wiki article on them is
| useless).
|
| > In addition to an individual's credit history, data collected
| by MIB may include medical conditions, driving records, criminal
| activity, and participation in hazardous sports, among other
| facts. MIB's member companies account for 99 percent of the
| individual life insurance policies and 80 percent of all health
| and disability policies issued in the United States and Canada.
|
| https://www.ftc.gov/news-events/press-releases/1995/06/medic...
|
| You may request the data they have on you and allegedly you can
| dispute the information.
| SilasX wrote:
| Tangent, but ... they picked the _acronym MIB_? I had to look
| it up, and the term Men in Black in the lay usage dates to
| 1947.[1] But the group MIB dates to 1902, so just a
| coincidence.
|
| [1] https://www.history.com/news/men-in-black-real-origins
| smrtinsert wrote:
| > IBM's efforts to use the repository to transform broad swaths
| of the health care system ultimately fizzled. The company
| struggled to create the cloud storage and computing
| infrastructure needed to combine all the data so it could be
| analyzed by its AI and analytics machinery.
|
| Wow, still? I'm a little surprised by this, as lots of
| cloud offerings these days seem designed for massive scale.
| Tempest1981 wrote:
| I wonder what they plan to do with our data? I found this:
|
| - Francisco Partners is a leading global investment firm that
| specializes in partnering with technology and technology-enabled
| businesses.
|
| - FP's current and past investments include such companies as
| BeyondTrust, ClickSoftware, GoodRx, Ichor Systems, iconectiv,
| LegalZoom, Quest and Verifone.
|
| and from the article:
|
| - Francisco Partners had previously purchased stakes in the
| telemedicine and drug coupon company GoodRx, the virtual
| appointment booking company ZocDoc, and Edifecs, a company that
| builds software to enable a more seamless exchange of data.
|
| - The firm declined to comment on the acquisition or its plans
| for the MarketScan database.
| airstrike wrote:
| There are literally dozens of PE firms and VC funds investing
| in Healthcare IT... and not necessarily for nefarious ulterior
| motives
| walterbell wrote:
| Quite a portfolio:
|
| - BeyondTrust: admin credentials
| - ClickSoftware: service chain mgmt
| - GoodRx: prescriptions
| - LegalZoom: LLC identity, IP
| - Quest: security/identity, Erwin data modeler
| - SonicWall: firewall
| - Verifone: retail POS transactions
| - ZocDoc: doc-patient calendar
| hedora wrote:
| > _He started by reaching out to the biggest corporations. If
| they would agree to give him data on their employees' paid
| medical claims, he would return to them an analysis of their cost
| drivers, benefit designs, and manageable risks that would give
| them leverage in negotiations with insurers_
|
| What? Isn't this exactly the sort of thing HIPAA is supposed to
| ban? What happened to doctor-patient confidentiality? Why do
| employers even have that information?
| walnutclosefarm wrote:
| The data is de-identified, and thus not subject to HIPAA
| restrictions.
|
| It's not made entirely clear in the article, but most of this
| data is insurance claims data, not medical records per se.
| That's why employers have it. If your employer underwrites your
| medical claims directly - which most do nowadays - when you or
| your doctor submits an insurance claim, they are submitting it
| to your employer. It may go through a health insurance company
| - since most employers hire one to administer their plans - but
| that insurance company is collecting the information on behalf
| of the plan owned by your employer. The fact that it's
| insurance claims and not raw medical records is one of the
| challenges IBM had in making a business out of analyzing it.
| There is a lot less, and lower quality, medical data in insurance
| claims than IBM hoped.
| peterth3 wrote:
| > Medical data mining companies have made a business of
| scraping the details of consumers' daily lives into medical
| dossiers that, if combined with MarketScan's de-identified
| information, could be used to re-identify the individuals
| within its databases.
|
| De-identification is unreliable. If you have enough context,
| then the patients can be re-identified.
| capableweb wrote:
| The clues are a bit earlier in the article and the full name of
| HIPAA
|
| > The financial trajectory of MarketScan was perhaps
| unimaginable in 1981, when a former insurance executive named
| Ernie Ludy founded the company. His idea was to simply collect
| patients' data and parcel it out to big companies that were
| seeking to control costs by getting a more granular view of
| their employees' health care use.
|
| > The Health Insurance Portability and Accountability Act of
| 1996
| hedora wrote:
| Ahh, thanks. Should have kept reading. However, a paragraph
| or so later, it says HIPAA doesn't apply to de-identified
| data, and that it's easy for researchers to buy the data set.
|
| Hopefully, some security researchers will get their hands on
| it, de-anonymize the data set, and then regulators will burn
| the industry to the ground.
| ghaff wrote:
| > HIPAA doesn't apply to de-identified data
|
| Although I'd point out that very little is needed to un-
| deidentify medical records if you want to. For example, see
| some of the work Latanya Sweeney has done.
|
| http://latanyasweeney.org/
| https://arstechnica.com/tech-policy/2009/09/your-secrets-liv...
| nerdponx wrote:
| Or it will just keep on going with the HIPAA fig leaf like
| before. See also: credit rating agencies, ad targeting.
| zitterbewegung wrote:
| Wow, this person had a Data Science company in 1981 that was
| actually profitable.
| brilee wrote:
| https://en.wikipedia.org/wiki/FICO how about 1956?
| nexuist wrote:
| Computer science evolves in a circle. Analyzing data for
| meteorological predictions was one of the first uses of a
| digital computer; it just wasn't hip at the time and
| involved 0 pandas.
| rubatuga wrote:
| > import tensorflow as tf
| gravypod wrote:
| IANAL but I think HIPAA:
|
| 1. Only applies to covered entities.
|
| 2. Data can be given to another covered entity as long as
| certain rules are followed.
|
| Very easy to have a web of people giving each other data
| because of this.
| NightMKoder wrote:
| Yep, and covered entities are usually related to billing for
| medical care. As an example, almost all life insurance
| companies are not even HIPAA compliant because they aren't
| covered entities.
|
| In net - HIPAA doesn't protect medical information generally
| - only the subset that's usually visible to doctors. And even
| then, it stops working as soon as the info is outside a
| covered entity.
| Spooky23 wrote:
| HIPPA is a joke and basically stopped gossip.
|
| "Hot" conditions with high conversions are tracked in near
| real-time. I learned this when we received via FedEx a box of
| Enfamil on what should have been the due date of our daughter.
| Unfortunately, we miscarried.
| walnutclosefarm wrote:
| Very sorry about your pregnancy.
|
| But I can assure you that your pregnancy was not revealed to
| a marketing organization by your doctor or insurance company.
| HIPAA prohibits that kind of information transfer, and the
| consequences of violating the law are severe enough that
| physicians and insurers are highly unlikely to risk it, for
| the little bit of dough they'd get by selling the fact of a
| pregnancy.
|
| However, HIPAA only protects information about you gathered
| by your doctor or insurance company in the course of
| providing medical care. It does not protect you against data
| aggregators inferring your condition based on non-medical
| activities. In the case of pregnancy, it's not unlikely that
| your condition was inferred from credit card activity or
| online retail activity. (There is a well known case of a
| retailer - Target - building a model that inferred a
| pregnancy in a household based on retail activity; they
| started sending flyers/adverts to households they had
| identified as pregnant, and in the process revealed
| pregnancies of wives or daughters in the household to others
| who had not been read in on the news; it did not end well
| for Target).
| LancerSykera wrote:
| As a fedex driver I always dreaded delivering those. Not
| because of the possibility of unfortunate outcomes such as
| yours (never crossed my mind), but because I knew they were
| unsolicited "gifts" that came from big data schemes like
| this. Just like how marketing companies know that you're
| pregnant even before you do.
| walterbell wrote:
| Potential use case for guerrilla sticker educational
| program.
| loeg wrote:
| HIPAA (one P, two As) is chiefly for data portability between
| doctors; not privacy. HIPAA is not intended to and does not
| protect your medical information from insurers.
|
| Sorry to hear about your daughter. That is really tough.
| MrDunham wrote:
| Correct, though it's interactions between any of doctors,
| payors (insurers), and information brokers (more like
| clearing houses if I remember correctly) - between
| themselves or each other.
|
| So if any of them or their business associates got the
| information and sold it, that would be a violation. But if,
| say, Target figured it out because she was buying a lot more
| orange juice and lotion (true story, Target's ability to
| figure out who's pregnant is legendary) and sold that info,
| it would not be covered under HIPAA.
| thaumasiotes wrote:
| > HIPAA (one P, two As)
|
| There's a weird thing going on where everyone pronounces it
| as if it were spelled "hippa", and then everyone believes
| it must be spelled that way because of how it's pronounced.
|
| It doesn't seem to have occurred to anyone to pronounce it
| in a way that's compatible with the spelling.
| Froedlich wrote:
| > What happened to doctor-patient confidentiality?
|
| It was cast by the wayside long ago. First it was the "mental
| health" exemptions, then various law enforcement provisions,
| then third-party "office solutions", then transcriptionist
| services, then private medical databases...
|
| You might as well assume that anything you tell your doctor is
| going to be recorded and (eventually) used against you.
|
| And then, as was alluded to earlier, there's the problem of
| incorrect information in those databases... and your only
| recourse is to give them more-accurate information to sell.
|
| All the dice are loaded against the patient. And as anyone
| online for long knows, data is forever.
| icegreentea2 wrote:
| The information is supposedly de-identified. That means it's
| not a HIPAA violation. You can look at the HIPAA
| de-identification standard right over here
| (https://www.hhs.gov/hipaa/for-professionals/privacy/special-...).
| alexb_ wrote:
| I will never believe someone when they say info is "de-
| identified", because even if it is, it is shockingly easy to
| pinpoint 1 person out of millions based on a very small
| number of unique factors.
| tomrod wrote:
| There are academic subfields that study the risk of de-
| identification.
| samhw wrote:
| I think it's because the word "anonymous" permeates our
| understanding of the concept, and - even for people who
| didn't actually study Greek - the tie to "name" is clear.
|
| We need to understand that "knowing someone's identity" is
| not coextensive with "knowing their name", and that in fact
| knowing someone has a rare medical condition may be _more_
| identifying[0] than knowing their name.
|
| [0] Or k-deanonymising, for anyone who's pedantic about
| identity being an absolute.
| walnutclosefarm wrote:
| I spent a good deal of my professional life in the last
| decade dealing with the problem of de-identifying medical
| data. You are correct that it's hard, but the HIPAA rule is
| actually not a bad go at it. See
| https://www.hhs.gov/hipaa/for-professionals/privacy/special-...
|
| For the kind of data in this particular database (mostly
| insurance claims data), it's highly unlikely that you could
| learn much through re-identification of the data.
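A k-anonymity check over a constructed claims extract, added here as an illustration of the thread above (it is not code from the article, from MarketScan, or from any commenter): it counts how many rows are singled out by the ZIP/date-of-birth/sex triple from Sweeney's work that ghaff cites, then re-measures after the Safe Harbor generalization from the HHS page walnutclosefarm links. The sample rows, REFERENCE_YEAR and the function names are assumptions.

```python
from collections import Counter

# Constructed sample rows from a "de-identified" claims extract: names and
# member IDs are gone, but 5-digit ZIP, full date of birth and sex remain.
# (Sample data only, not from MarketScan or any real dataset.)
CLAIMS = [
    {"zip": "02138", "dob": "1961-07-14", "sex": "F", "dx": "type 2 diabetes"},
    {"zip": "02138", "dob": "1961-03-02", "sex": "F", "dx": "hypertension"},
    {"zip": "02139", "dob": "1961-11-30", "sex": "F", "dx": "asthma"},
    {"zip": "02139", "dob": "1961-05-19", "sex": "F", "dx": "hypertension"},
    {"zip": "02142", "dob": "1929-01-08", "sex": "M", "dx": "dementia"},
    {"zip": "02142", "dob": "1930-09-21", "sex": "M", "dx": "hip fracture"},
]

REFERENCE_YEAR = 2022  # year the extract was produced (assumed)


def quasi_key(row, safe_harbor=False):
    """Quasi-identifier tuple (ZIP, date of birth, sex) for one row.

    With safe_harbor=True the fields are generalized the way the HIPAA
    Safe Harbor method does: ZIP truncated to its first three digits, date
    of birth reduced to the year, and ages over 89 pooled into one "90+"
    bucket. (Safe Harbor also zeroes 3-digit ZIPs covering fewer than
    20,000 people; that population lookup is omitted here.)
    """
    zip5, dob, sex = row["zip"], row["dob"], row["sex"]
    if not safe_harbor:
        return (zip5, dob, sex)
    year = int(dob[:4])
    birth = "90+" if REFERENCE_YEAR - year > 89 else str(year)
    return (zip5[:3], birth, sex)


def anonymity_report(rows, safe_harbor=False):
    """Return (k, unique_rows): the size of the smallest equivalence class
    over the quasi-identifiers (the dataset's k-anonymity) and how many rows
    sit alone in their class, i.e. are pinpointable by anyone who already
    holds that person's ZIP, DOB and sex from some other source."""
    counts = Counter(quasi_key(r, safe_harbor) for r in rows)
    unique_rows = sum(1 for r in rows if counts[quasi_key(r, safe_harbor)] == 1)
    return min(counts.values()), unique_rows


if __name__ == "__main__":
    print("raw:         k=%d, unique rows=%d" % anonymity_report(CLAIMS))
    print("safe harbor: k=%d, unique rows=%d" % anonymity_report(CLAIMS, True))
```

On the raw rows every record is unique (k=1), so stripping names alone did nothing; after Safe Harbor generalization the smallest class has two members and no row stands alone, which is the property a release should be checked for before it is sold or shared.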
| nerdponx wrote:
| A lot of people simply don't know this. Politicians either
| don't know or claim to not know.
|
| This is a good example of the law and popular conception of
| a concept being badly out of date, to the advantage of
| industry and disadvantage of regular people. Therefore
| industry has a vested interest in keeping the public
| perception focused on "de-identified" with a narrow
| definition of PII.
___________________________________________________________________
(page generated 2022-02-05 23:00 UTC)