May 27th, 2022


How Your Most Private Healthcare Info Can be Revealed Despite Laws Saying Otherwise

By Charles Ornstein

Published Nov. 23, 2015

Jacqueline Stokes spotted the home paternity test at her local drugstore in Florida and knew she had to try it. She had no doubts about the paternity of her daughter, but as someone with an interest in genetics, she couldn't resist.

At home, she carefully followed the instructions, swabbing inside the mouths of her husband and their child, placing the samples in the pouch provided and mailing them to a lab. A few days later, the cybersecurity consultant went online to get the results. Part of the lab's website address caught her attention, and her professional instincts kicked in. When she tweaked the URL slightly, a sprawling directory appeared that gave her access to the test results of 6,000 people.

The site was taken down after Stokes complained on Twitter. But when she contacted the Department of Health and Human Services about the seemingly obvious violation of patient privacy, she got a surprising response: Officials couldn't do anything about the breach.

The Health Insurance Portability and Accountability Act, a landmark 1996 patient-privacy law, covers only patient information kept by health providers, insurers and data clearinghouses, as well as their business partners. At-home paternity tests fall outside the law's purview. For that matter, so do wearables such as Fitbit that measure steps and sleep, gene testing companies such as 23andMe, and online repositories where individuals can store their health records.

In several instances, the privacy of people using these newer services has been jeopardized, causing embarrassment or legal repercussions.

In 2011, for instance, an Australian company didn't properly secure details of hundreds of paternity and drug tests, making them accessible through a Google search. The company said that it quickly fixed the problem.

That same year, some users of the Fitbit tracker found that data they entered in their online profiles about their sexual activity and its intensity - to help calculate calories burned - was accessible to anyone because the company's default setting made profiles public. Saying it took all users' privacy "very seriously," Fitbit quickly hid the information.

And last year, a publicly accessible genealogy database was used by police to look for possible suspects in a 1996 Idaho murder. After finding a "very good match" with the DNA of semen found at the crime scene, police obtained a search warrant to get the person's name. Another warrant ordered his son to provide a DNA sample, which cleared the younger man of involvement.

The incident spooked genealogy aficionados; AncestryDNA, which ran the online database, pulled it this spring. "It has come to our attention that the site has been used for purposes other than that which it was intended, forcing us to cease operations," a statement on the site noted.

"When you publicly make available your genetic information, you essentially are signing a waiver to your past and future medical records," said Erin Murphy, a professor at New York University School of Law.

The true extent of the problem is unclear, because many companies don't know when the health information they store has been accessed inappropriately, experts say. A range of potentially sensitive data is at risk, including medical diagnoses, disease markers in a person's genes and children's paternity.

What is known is that the Office for Civil Rights, the HHS agency that enforces HIPAA, hasn't taken action on 60 percent of the complaints it has received because they were filed too late or withdrawn, or because the agency lacked authority over the entity that's accused. The latter accounts for a growing proportion of complaints, an OCR spokeswoman said.

A 2009 law called on HHS to work with the Federal Trade Commission - which targets unfair business practices and identity theft - and to submit recommendations to Congress within a year on how to deal with entities handling health information that falls outside of HIPAA. Six years later, however, no recommendations have been issued.

The report is in "the final legs of being completed," said Lucia Savage, chief privacy officer of the HHS Office of the National Coordinator for Health Information Technology.

None of this was useful to the 30-year-old Stokes, a principal consultant at the cybersecurity firm Mandiant. Four months after she filed her complaint with OCR, it suggested she contact the FTC. At that point, she gave up.

"It just kind of seems like a Wild West right now," she said.

Advances in technology offer patients ways to monitor their own health that were impossible until recently: Internet-connected scales to track their weight; electrodes attached to their iPhones to monitor heart rhythms; virtual file cabinets to store their medical records.

"Consumer-generated health information is proliferating," FTC Commissioner Julie Brill said at a forum last year. But many users don't realize that much of it is stored "outside of the HIPAA silo."

HIPAA seeks to facilitate the flow of electronic health information, while ensuring that privacy and security are protected along the way. It applies only to health providers that transmit information electronically; a 2009 law added business partners that handle health information on behalf of these entities. Violators can face fines and even prison time.

"If you were trying to draft a privacy law from scratch, this is not the way you would do it," said Adam Greene, a former OCR official who's now a private-sector lawyer in Washington.

In 2013, the Privacy Rights Clearinghouse studied 43 free and paid health and fitness apps. The group found that some did not provide a link to a privacy policy and that many with a policy did not accurately describe how the apps transmitted information. For instance, many apps connected to third-party websites without users' knowledge and sent data in unencrypted ways that potentially exposed personal information.

"Consumers should not assume any of their data is private in the mobile app environment - even health data that they consider sensitive," the group said.

Consider a woman who is wearing a fetal monitor under her clothes that sends alerts to her phone. The device "talks" to her smartphone via wireless Bluetooth technology, and its presence on a network could be detected by others, alerting them to the fact that she's pregnant or that she may have concerns about her baby's health.

"We've seen this in the tech market over and over again," said David Kotz, a computer science professor at Dartmouth College who is principal investigator of a federally funded project that is developing secure technology for health and wellness. "What sells devices or applications are the features for the most part, and unless there's a really strong business reason or consumer push or federal regulation, security and privacy are generally a secondary thought."

In Florida, Stokes is one of those people enamored with emerging health technologies. Several years ago, she rushed to sign up for 23andMe to analyze her genetic profile. And when she was pregnant with her daughter, she purchased a test that said it could predict the sex of the fetus. (It was wrong.)

The paternity test kit that piqued her interest earlier this year advertised "accuracy guaranteed" for "1 alleged father and 1 child." It was processed in New Mexico by GTLDNA Genetic Testing Laboratories, then a division of General Genetics Corp.

When Stokes logged on for her results, she noticed an unusual Web address on her screen, and she wondered what would happen if she modified it to remove the ID assigned to her. She tried that and saw a folder containing the results of thousands of other people, which she was able to click through and read. "You wouldn't call that hacking," she said. "You would call that walking through an open door."
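The failure Stokes describes is a results endpoint that trusts the identifier in the URL and never checks who is logged in, so removing the identifier exposes the whole folder. The following is an added illustration, not code from the lab or from the article: it models that pattern beside a hardened lookup that ties every request to the authenticated customer and never lists a directory, plus a small check over access-log lines that flags sessions requesting results other than their own. The file layout, the customer ids, the log format and the `/results/` path are all constructed for this example.

```python
"""
Added example (not the lab's code): an insecure results lookup next to the
corrected form, and a log check that surfaces attempts to read other
customers' results. All identifiers and sample data are constructed.
"""
from pathlib import Path
import re
import tempfile

# Constructed sample results, keyed by a hypothetical four-digit customer id.
SAMPLE_RESULTS = {
    "1001": "Customer 1001: alleged father is the biological father",
    "1002": "Customer 1002: alleged father is excluded",
    "1003": "Customer 1003: alleged father is the biological father",
}


def build_results_dir() -> Path:
    """Write one result file per customer into a temporary 'results' folder."""
    root = Path(tempfile.mkdtemp()) / "results"
    root.mkdir()
    for cid, text in SAMPLE_RESULTS.items():
        (root / cid).write_text(text)
    return root


def vulnerable_lookup(root: Path, url_path: str):
    """The pattern the article describes: the server maps the URL straight onto
    the filesystem and never asks who is logged in. With the id removed, the
    request resolves to the folder itself and every file name comes back."""
    target = (root / url_path.strip("/")).resolve()
    if target.is_dir():
        return "\n".join(sorted(p.name for p in target.iterdir()))
    if target.is_file():
        return target.read_text()
    return None


CUSTOMER_ID = re.compile(r"^[0-9]{4}$")


def hardened_lookup(root: Path, session_customer_id: str, url_path: str):
    """Ownership check: a result is served only when the id in the URL is a
    well-formed customer id AND equals the id of the authenticated session.
    Validation happens before any filesystem access, so an empty id (a
    listing request) or a '../' segment is refused up front, and directories
    are never served at all."""
    requested = url_path.strip("/")
    if not CUSTOMER_ID.match(requested):
        return None
    if requested != session_customer_id:
        # A real handler would answer 403 here; the key point is that another
        # customer's result never leaves the server.
        return None
    target = root / requested
    if not target.is_file():
        return None
    return target.read_text()


# Constructed access-log lines: session id, authenticated customer id, path.
SAMPLE_LOG = [
    "sess-A 1001 /results/1001",
    "sess-B 1002 /results/1002",
    "sess-B 1002 /results/",
    "sess-B 1002 /results/1001",
    "sess-B 1002 /results/1003",
    "sess-C 1003 /results/1003",
]

LOG_LINE = re.compile(r"^(\S+) (\S+) /results/?(\S*)$")


def enumeration_suspects(log_lines):
    """Return {session: count of requests for a listing or for a result id
    other than the session's own}. Under the hardened handler these requests
    all fail, but the attempts themselves are the signal worth reviewing."""
    suspects = {}
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        session, own_id, requested = m.groups()
        if requested == own_id:
            continue
        suspects[session] = suspects.get(session, 0) + 1
    return suspects


if __name__ == "__main__":
    root = build_results_dir()
    print("vulnerable, id removed:\n" + vulnerable_lookup(root, ""))
    print("hardened, id removed:", hardened_lookup(root, "1001", ""))
    print("hardened, foreign id:", hardened_lookup(root, "1001", "1002"))
    print("suspect sessions:", enumeration_suspects(SAMPLE_LOG))
```

The hardened lookup keeps the authorization decision independent of the filesystem: the request is rejected on the identity mismatch alone, so it makes no difference whether the file exists, and an attacker learns nothing about which ids are valid. The log check is deliberately simple; on a real service it would be keyed on the authenticated principal from the session store rather than a field copied into the log line.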

Bud Thompson, who until last month was the chief executive of General Genetics, initially said he had not heard about Stokes's discovery. A subsequent email provided an explanation.

"There was a coding error in the software that resulted in the person being able to view results of other customers. The person notified the lab, and the website was immediately taken down to solve this problem," he wrote. "Since this incident, we have sold this line of business and have effectively ceased all operations of the lab."

While Stokes was troubled by her experience, she was particularly disheartened by the response from the HHS Office for Civil Rights. "It was shocking to me to get that message back from the government saying this isn't covered by the current legislation and, as a result, we don't care about it," she said.

The agency's deputy director for health information privacy says there is no lack of interest. While it refers certain cases to law enforcement, OCR can barely keep up with those complaints that fall within its jurisdiction.

"I wish we had the bandwidth to do so," Deven McGraw said. "We would love to be able to be a place where people can get personalized assistance on every complaint that comes in the door, but the resources just don't allow us to do that."

Ornstein is a senior reporter at ProPublica, a nonprofit news organization in New York. Researcher Andrea Hilbert contributed to this report.