The internet, the smartphone revolution, and the COVID pandemic all conspired to give us telehealth. It’s a grand idea—the sort of thing some people call “disruptive.” It has changed how we practice medicine, because we can now consult physicians or other clinicians online without having to come in for face-to-face visits. And it’s resulted also in a proliferation of gadgets, smart watches, thumb ECGs, glucose monitors, and other devices that we can now own to monitor specific health-related activities. Telehealth includes smartphone apps that monitor our sleep schedules or diets.
Look at FitBit. They make a little wristwatch-like device that can be used to count how many steps you take in a day, your heart rate during exercise, and other things. Seems hard to believe this kind of company is worth almost $2B. That seems like a lot. In 2021, FitBit was purchased by Google, and more on that later.
When physicians and oligarchs want to praise these devices, they talk about “empowered patients.” It’s true that people who dutifully log their sleep schedules (or allow smart devices to do it for them), write down everything they eat during the day, or count how many calories they burned during a workout compared to other workouts, are interested in their health or at least certain specific health-related objectives. But let me assure you that nobody wants an empowered patient. Nobody in power wants an empowered anybody. They just say you’re empowered so you help them do the work they want you to do for them.
The data collected by these systems are called patient-generated health data or PGHD. (Bear with me—data in this sense is a word that is plural.) PGHD are incredibly valuable because we have never really had this before. Up to now, the only patient data medical science could obtain was from in-clinic visits where doctors or nurses dutifully took notes on the patient’s condition or from clinical studies. The old-school physician and his or her staff would write down notes by hand and store them in those dusty color-coded manila folders. Another source of patient data came from clinical studies. Clinical studies are extraordinarily expensive to do and they study patients under very constrained and unrealistic situations. Plus, it’s hard to get people to participate in clinical trials, so we don’t have nearly as much clinical trial data as we would want.
PGHD provides nearly continuous real-world information, tons of it. If you wear a FitBit, the data shows how many steps you actually walked, not just today but all day every day. If you use a diet app, it records the food you said you are eating; it may also be recording your weight, how much water you’re drinking, and what your last cheat meal was. Telehealth apps are recording your conversations and texts. Glucose monitors are compiling all of your blood sugar readings, from whenever you first got the device to now.
Medical science has never had PGHD and now they have mountains of it. But let’s go back to the old-fashioned doctor, jotting down notes in your patient folder. Did you know that you didn’t own that folder? That folder belonged to the doctor or the clinic. The law, after some wrangling, begrudgingly allowed you to have access to your medical information, but you didn’t own it. And sometimes getting hold of your own medical information was as hard as winning a Freedom of Information Act lawsuit against Hillary Clinton. That’s how empowered they want you to be.
Let’s consider a basic type of digital health device, a smartphone app. The app is set up to record something—let’s say how many hours you sleep in a day. This information does not live in your phone. It is transmitted from your phone to a data repository that is owned by the app company. Over time, the device company accumulates a ton of data on you. Sometimes, the device company helps to curate or organize that data, so you are able to go to your phone or tablet and download charts, statistics, or graphs. That means your data are going from app to company—at the very least—and your data may be flying around going from app to company to app again and to company again.
Any time your data are flying around loose, they are vulnerable to hacking. People generally don’t think that their sleep app or other tracker can be hacked, but hackers know something most people don’t. Medical science always talks tough when it comes to technology and science, but medical systems are notorious for not keeping up with technology. Ever wonder why patient portal sites are so clumsy? Why doctors are sometimes six or ten months behind on billing? Medicine is hardly at the forefront of cybersecurity, even though medical privacy is supposed to be a big deal. Medical data can be hacked. You might wonder why anyone would want your sleep cycles or how many steps you’ve walked. Well, health data are (a) vulnerable and (b) may contain information sufficient for an identity theft. In other words, some hackers don’t care how many hours you sleep or how many steps you walk; they want your name, date of birth, address, and social. And that may be accessible to them via your device.
This isn’t some rare event. USA Today says that in 2023, the medical information of 144M Americans was stolen or exposed. (That is almost half of the country!) The word they use is “breached” which means bad guys have your data. Whether or not they used your data is another story, but your data are in their greasy little hands. Many times, your data shows up on the Dark Web, where they are sold. Your name, address, and social security number are all that is needed for a bad guy to start taking out loans in your name and doing other major damage.
Now let’s come back to FitBit and other similar systems that seem harmless. These companies make nifty devices that you might want. Most people buy them and use them without thinking about what they’re actually doing (same thing with smartphones and smart TVs, but that’s another story for another day). The data that the device records do not belong to you. If you study the Terms & Conditions, you’ll find out that FitBit owns the data. I’m not picking just on them—any of these trackers or apps owns your data.
And they sell your data.
Most people are shocked not so much that evil companies are selling personal health information but that their personal health information has any value. We think it’s just random information. But think about how this information might be used.
Could GPS data from a FitBit be used by federal agencies to track our movements?
Could data from a health app be leaked to insurance agents to tip them off about high blood sugar or high blood pressure, resulting in increased premiums?
Can information from a pocket ECG device be shared with potential employers and reveal if you might have a potentially dangerous heart condition?
And what about advertising—would advertisers be interested in knowing who is into running or dieting? Of course they would.
In the United States, most of these companies have to “aggregate” their data, meaning they have to de-identify data (take names and other identifying information off) and then lump all of the data together. However, cyber-experts have discovered that in more than half of cases, clever sleuths can “re-identify” de-identified data. For instance, let’s say I have a bunch of de-identified health tracker data and I have help from artificial intelligence (AI). And let’s say that I know that Kamala Harris’s data are in the batch but I just don’t know what her specific data are. Let’s say there are 10,000 people in this batch of de-identified data. All I have to do is start matching. If I know Kamala was in Georgia on a specific day, then all I have to do is eliminate the data reports for people not in Georgia that day. If I know Kamala was giving a speech at 10 p.m. on a specific evening while she was in Georgia, then all I have to do is find data that shows a person who is up and about at that time in Georgia. See how they can re-identify your data? True, it’s a lot of work, but it’s a lot of work to rob a bank, too.
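The elimination process described above can be turned around by a data holder to test a release before it is shared. The following is an added example, not part of the original article; the records, field names, and facts are constructed for illustration. It counts how many records stay consistent with each known fact, then shows the set staying larger once hour and step counts are suppressed.

```python
from collections import namedtuple

# One de-identified tracker reading: no name, only a random record id.
Reading = namedtuple("Reading", "record_id date state hour steps")

# Constructed sample release (not real data): five wearers, two days.
RELEASE = [
    Reading("r1", "2024-03-01", "GA", 22, 340),
    Reading("r1", "2024-03-02", "DC", 9, 800),
    Reading("r2", "2024-03-01", "GA", 22, 0),   # in Georgia, but asleep
    Reading("r2", "2024-03-02", "GA", 9, 650),
    Reading("r3", "2024-03-01", "GA", 14, 900),
    Reading("r3", "2024-03-02", "GA", 9, 700),
    Reading("r4", "2024-03-01", "TX", 22, 410),
    Reading("r4", "2024-03-02", "TX", 9, 500),
    Reading("r5", "2024-03-01", "GA", 22, 0),
    Reading("r5", "2024-03-02", "DC", 9, 720),
]

# Constructed auxiliary facts of the kind the article describes:
# where someone was on a day, then that they were up and about at 10 p.m.
FACTS = [
    {"date": "2024-03-01", "state": "GA"},
    {"date": "2024-03-01", "state": "GA", "hour": 22, "active": True},
]

def matches(reading, fact):
    """True unless the reading contradicts the fact."""
    for field, wanted in fact.items():
        if field == "active":
            actual = None if reading.steps is None else reading.steps > 0
        else:
            actual = getattr(reading, field)
        if actual is not None and actual != wanted:
            return False  # a suppressed (None) field cannot rule a record out
    return True

def anonymity_set(release, facts):
    """Record ids that have, for every fact, a reading consistent with it."""
    ids = {r.record_id for r in release}
    for fact in facts:
        ids &= {r.record_id for r in release if matches(r, fact)}
    return ids

def shrinkage(release, facts):
    """Anonymity-set size before any fact and after each successive fact."""
    return [len(anonymity_set(release, facts[:i])) for i in range(len(facts) + 1)]

def coarsen(release):
    """Mitigation sketch: suppress hour and step counts before release."""
    return [r._replace(hour=None, steps=None) for r in release]
```

On the raw sample, two facts narrow five records to one; on the coarsened copy, the same facts leave four candidates.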
Plus, they can still sell your data. Once the device has your data, the parent company is free to sell, trade, or give it to whoever they want and you have no control over it. For instance, let’s imagine a person with substance use disorder who uses a telehealth app. The company who makes the app may have to de-identify that data in the United States. But that app company can sell the data elsewhere, for instance, to a company in India. In that case, India’s laws would prevail and India has notoriously lax data privacy laws. So no matter what the United States does with data privacy, companies can simply offshore data. And then it may be possible for people to find out very personal information such as who is dealing with addiction, who has mental health conditions, who has attempted suicide.
In 2021, Google shelled out over $1B to buy FitBit in what seemed to some on the surface to be a strange takeover. The technology necessary to build a FitBit is not space-age stuff. Google could have easily designed its own tracker, if that’s what it wanted. Of course, Google didn’t want the tracker technology. It wanted the data. When FitBit was sold to Google, Google bought all of the FitBit data.
On the surface, it might look like FitBit data would only be useful for advertising. Google could now better target runners, walkers, athletes, and such people for various products. It could target overweight people for diet ads. I’m sure Google does that.
But remember, Google’s original motto was: “Don’t be evil.” What kind of organization takes that as its motto unless it knows that evil is lurking at the door?
The real reason Google wants all of the PGHD in the world is simple. They’re building healthcare AI. Google was originally founded not as a search engine or even an advertising behemoth. Those were just pitstops along the way to world domination. Google started its search engine to gather the data to build AI. (Ever wonder why Google never charged for searches? Even charging a penny a search could have netted them billions a day! But they wanted to be the main search engine on earth because they needed to know the way—the language—that people used when they searched for information.) Google wanted search language to create AI which, remember, are called “large language models.” The currency was language.
Now imagine matching the linguistic AI that we have come to know and hate with health data. You can now have virtual physician’s assistants, virtual nurses, virtual drug counselors, virtual weight-loss clinics. You can have chatbots writing prescriptions. AI can help these large language models to ask the right questions and give one-size-fits-all medical answers.
For instance, from step-trackers, we know how many steps it takes people to lose weight, likely based on their age, fitness level, and current weight. Dr. AI can now advise you based on this input.
You know who else buys medical data? Researchers. It can cost hundreds of thousands of dollars, but you can buy prescription records or other medical data from large insurance companies or other organizations. These data are de-identified but are amazingly comprehensive. For instance, if you wanted to see how many people have a prescription for benzodiazepines and also attempted or completed suicide, you can buy that data, if you are willing to write out a hefty check.
On the surface, it seems helpful. De-identified group data can help us shape healthcare policy or know what drugs people are taking. Medical companies buy the data too, to conduct studies or see what side effects are reported.
Managing vast PGHD data into workable chunks of advice might help “empower” patients. But remember, somebody is getting rich off this and it isn’t you. You even paid for the equipment to collect your own data.
So how are these data used?
Big Pharma can buy prescribing information which helps them to target doctors most likely to prescribe their products. It’s not unusual for these big drug companies to shell out $10M or more per year to get that information. This prescribing information can also help them know which drugs to develop—if the market is booming for psychiatric drugs, that’s what they’ll make.
Financial analysts use the data for stock trading—big blockbuster drugs can drive up stock prices.
Academicians and researchers (usually working directly for the government or indirectly through grants) use these data to study disease patterns, patterns of drug use, and health trends. For instance, they can look at health data and find out pretty quickly that our elementary school kids are being over-medicated.
Employers, attorneys, insurance companies, and advertisers all cough up big bucks to buy medical data. They say this is to spot health trends. For instance, right now, they’re buying up data that says we’re all obese.
It is illegal to use healthcare data to blackmail, exploit, or discriminate against people. It’s also illegal to enter the United States illegally, but here we are. We live in lawless times.
Bottom line:
Your private health data have value, and they are likely being bought and sold and bouncing all over the world—with not a penny for you.
It would seem as if we might offset some of our tremendous healthcare costs by requiring some of the data money to offset care costs.
Although companies technically disclose that they’re selling your data, they obscure it in lengthy legalese Terms & Conditions that are hard for non-lawyers to understand. Most people—and most physicians—do not know that your wearable-device health data are being trafficked.
Your information is likely de-identified and if you don’t care that people know how many steps you walk per day or what you weigh, that’s fine. But know that these data can be attached to personal data that can be hacked.
If you use 23andMe or any of the DNA testing services, know that they sell data, plus courts have ruled that since they are neither healthcare providers nor insurance companies, they are not bound by the same privacy laws as medical devices. So some of these data thieves have helpful legal loopholes. (By the way, the co-founder and CEO of 23andMe is Anne Wojcicki and she was the wife of Sergey Brin until 2015. You may remember Sergey as the Russian tech guy who co-founded Google. Anne Wojcicki is also the sister of the late Susan Wojcicki, who was a key player in the early days of Google and was one of its first employees; she went on to be CEO of YouTube, which was sold to Google in 2006. Google is all over this stuff.)
This article came about when I got an invitation to join a clinical study for people with a specific genetic disorder. I have the bad gene but not the disease. I wondered how they knew to ask me about this since nobody knew this information except for 23andMe. My own doctor didn’t know it, neither did any hospital I had ever been to, and I’ve never been treated or seen a doctor for the condition. But I got an ad for people with a specific gene who might want to join a clinical trial. When I asked some physicians about this, they assured me that it was a random mailing and companies like 23andMe don’t sell data.
They do. Just about anybody who offers you a digital service is collecting your data and selling it. And doctors and patients should know.
Whew... Interesting and scary! Thanks!