The Rite Aid Scandal: Health Records Still Treated as Commodities

Billy Wharton writes in CounterPunch:

The mega drug store chain Rite Aid recently agreed to pay a $1 million fine to stave off a full investigation by the Federal Trade Commission (FTC) into practices that may have compromised customer records. The agreement was prompted by news reports that Rite Aid stores in several locations had disposed of confidential customer medical information in easily accessible open trash dumpsters. The story was a minor news blip in the business and health industry pages. However, it raises much larger questions about how the for-profit private healthcare system has transformed the nature of medical records.

The article also cites this site:

The market for such healthcare related information seems to be expanding rapidly. A report issued in 2008 by the whistleblower Private Health Information Privacy website indicated that from 2003-2007 there were 291 incidents of stolen healthcare records that may have compromised the records of more than 16 million people. 75% of these incidents involved employees of health related companies selling the information to third parties.

The for-profit healthcare giant Kaiser Permanente has been cited on several occasions for allowing patient records to be exposed. In one instance, a laptop containing some 160,000 patient records was stolen and the information compromised. Often patient information is then used in elaborate schemes to bilk public and private healthcare programs. Healthcare information now has a murky underworld that is expanding as the economic bubble around the healthcare industry continues to be inflated.

You can read more of the article in CounterPunch.

The article does not specifically mention extortion demands based on allegedly hacked or compromised databases containing protected health information, but that’s also a useful example of how much of a commodity our health information may be. We still have no idea what really happened with Express Scripts, and I presume that is because the Secret Service or other federal agencies are still investigating the matter. We still have no idea what really happened with Virginia’s prescription database, and I presume that that, too, is still being investigated. Have the reportedly acquired data shown up in online forums where people buy and sell personal information?

Of course, the extortionists are not the most common risk. The most common risk I see is that marketers get hold of our information without our knowledge or express consent. I recently handed my husband a piece of mail that came in. It had been addressed to him and had his current prescription information on it with a suggestion that he could save money by switching to [their suggestion]. How did they get his prescription information? The pharmacy chain provided it to them, of course. Had my husband ever known or consented to the pharmacy providing this information to their associate or others? No. Was it legal for them to do so? Yes. Was it right — from a patient privacy perspective — for them to do so? Not in my opinion.

With every transfer of data between entities, the risk of a security breach or privacy breach increases. With every transfer of data between entities, the likelihood that our data can be combined with information about us in other databases increases. At this rate, in a few years we will not need to fear any “Show me your papers” state. Even worse, we will be living in a “We have all your papers” state.

About the author: Dissent