For decades researchers have run longitudinal studies to gain new insights into health and illness. By regularly recording information about the same individuals' medical history and care over many years, they have, for example, shown that lead from peeling paint damages children's brains and bodies and accept demonstrated that loftier claret pressure and cholesterol levels contribute to heart affliction and stroke. To this day, some of the original (and at present at least 95-twelvemonth-old) participants in the famous Framingham Heart Report, which began in 1948, still provide health data to study investigators.

Health researchers are not the merely ones, all the same, who collect and analyze medical data over long periods. A growing number of companies specialize in gathering longitudinal information from hundreds of millions of hospitals' and doctors' records, also as from prescription and insurance claims and laboratory tests. Pooling all these information turns them into a valuable commodity. Other businesses are willing to pay for the insights that they tin can glean from such collections to guide their investments in the pharmaceutical manufacture, for case, or more than precisely tailor an advertizing entrada promoting a new drug.

By law, the identities of anybody found in these commercial databases are supposed to be kept secret. Indeed, the organizations that sell medical information to information-mining companies strip their records of Social Security numbers, names and detailed addresses to protect people's privacy. Just the data brokers also add together unique numbers to the records they collect that permit them to match disparate pieces of information to the same individual—even if they practice not know that person's name. This matching of information makes the overall collection more valuable, simply every bit data-mining technology becomes ubiquitous, it also makes it easier to learn a previously anonymous private'south identity.

At present, the arrangement is and then opaque that many doctors, nurses and patients are unaware that the information they record or divulge in an electronic health record or the results from lab tests they request or consent to may be anonymized and sold. But they will not remain in the dark about these practices forever. In researching the medical-information-trading business for an upcoming book, I have constitute growing unease virtually the ever expanding sale of our medical data non just among privacy advocates but amidst health industry insiders equally well.

The entire health care arrangement depends on patients trusting that their information volition be kept confidential. When they learn that others have insights into what happens between them and their medical providers, they may be less forthcoming in describing their conditions or in seeking aid. More and more health care experts believe that information technology is time to prefer measures that give patients more control over their data.

Multibillion-Dollar Business organization

The dominant thespian in the medical-data-trading industry is IMS Wellness, which recorded $two.half dozen billion in revenue in 2014. Founded in 1954, the company was taken private in 2010 and relaunched as public in 2014. Since then, it has proved an investor favorite, with shares ascension more l percent in a higher place its initial cost in little more than a yr. At press fourth dimension, IMS was a $9-billion company. Competitors include Symphony Health Solutions and smaller rivals in various countries.

Decades ago, before computers came into widespread utilize, IMS field agents photographed thousands of prescription records at pharmacies for hundreds of clerks to transcribe—a slow and costly process. Present IMS automatically receives petabytes (tenfifteen bytes or more) of data from the computerized records held by pharmacies, insurance companies and other medical organizations—including federal and many land health departments. Three quarters of all retail pharmacies in the U.S. ship some portion of their electronic records to IMS. All told, the company says it has assembled half a billion dossiers on individual patients from the U.Southward. to Australia.

IMS and other data brokers are not restricted by medical privacy rules in the U.Southward., considering their records are designed to exist anonymous—containing just year of birth, gender, partial zip lawmaking and physician's proper noun. The Health Insurance Portability and Accountability Human activity (HIPAA) of 1996, for example, governs only the transfer of medical information that is tied directly to an private'south identity.

Even anonymized, the data control premium prices. Every year, for example, Pfizer spends $12 million to buy health data from a variety of sources, including IMS, co-ordinate to Marc Berger, who oversees the analysis of anonymized patient data at Pfizer. Only companies engaged in the data trade tend to keep the practice below the general public'south radar.

Example in point: In the 1990s IMS started selling information on what individual U.Due south. physicians prescribe to patients to assist drug companies tailor sales pitches to specific care providers. (HIPAA protects the identity of patients, not health care workers.) For years doctors did not realize that outsiders had insights on their prescribing habits. "At the fourth dimension, information technology was taboo. It was forbidden to ever mention that topic," says Shahram Ahari, who used such data as a pharmaceutical representative visiting doctors for Eli Lilly from 1999 to 2000 and is now completing a residency at the University of Rochester. "It was the big clandestine." Asked for a response, an Eli Lilly spokesperson replied in an e-mail, "We have e'er been up front that we receive data from IMS."

Eventually physicians caught on and complained. Some considered such data gathering a privacy invasion; others objected to commercial firms profiting from details nearly their practices. A few states passed laws banning the collection of physician-prescribing habits. IMS challenged those rules all the way to the U.South. Supreme Court and—despite the arguments of 36 states, the Department of Justice, and numerous medical and consumer-advocacy groups supporting information limits—won its example in 2011 on corporate "free speech" grounds. The practice continues to this day, much of the fourth dimension across public detect.

What Could Get Wrong?

In one case upon a time, simply removing a person'south name, address and Social Security number from a medical tape may well have protected anonymity. Not then today. Straightforward data-mining tools can rummage through multiple databases containing anonymized and nonanonymized data to reidentify the individuals from their ostensibly individual medical records.

Indeed, computer scientists have repeatedly shown how like shooting fish in a barrel it tin can be to crack seemingly anonymous data sets. For example, Harvard University professor Latanya Sweeney used such methods when she was a graduate student at the Massachusetts Institute of Technology in 1997 to place and then Massachusetts governor William Weld in publicly available hospital records. All she had to practice was compare the supposedly bearding infirmary data about state employees to voter registration rolls for the city of Cambridge, where she knew the governor lived. Presently she was able to zero in on sure records based on age and gender that could have only belonged to Weld and that detailed a recent visit he fabricated to a hospital, including his diagnosis and the prescriptions he took abode with him.

"It is getting easier and easier to place people from anonymized information," says Chesley Richards, director of the Function of Public Health Scientific Services at the Centers for Illness Control and Prevention. "Yous may not be identifiable from a particular data set that an entity has nerveless, but if you are a banker that is assembling a number of sets and looking for ways to link those data, that's where, potentially, the chance becomes greater for identification."

IMS officials say they have no interest in identifying patients and take conscientious steps to preserve anonymity. Moreover, there are no publicly recorded instances of someone taking anonymized patient data from IMS or a rival company and reidentifying individuals. Nonetheless IMS does not desire to talk too much about the gathering and selling of longitudinal data. At IMS, the CEO, the head of its Constitute for Healthcare Informatics, the vice president of industry relations and the chief privacy officeholder declined to exist interviewed for this article, but a company spokesperson did assistance with fact-checking.

Where to Draw the Line?

Apart from making money selling information to other businesses, IMS also shares some data with academic and other researchers for free or at a discount. The company has published a long list of medical manufactures that relied on its longitudinal information. For example, researchers learned that newer cardiovascular drugs reduce the length of hospital stays merely do not prolong lives. In dissimilarity, newer chemotherapy drugs are probably responsible for some of the recent pass up in expiry rates from cancer in France.

Such benefits demonstrate that amassing medical information from multiple sources can have societal benefits. There is, notwithstanding, a difference, says Jerry Avorn, a professor of medicine at Harvard Medical School, between "conscious, responsible researchers who only want to acquire well-nigh medications' good and bad effects in a university medical schoolhouse setting versus somebody sitting in the backroom [of a superstore] trying to figure out how can they sell more of product Ten by invading someone's privacy."

1 pocket-size step toward reestablishing trust in the confidentiality of medical information is to requite individuals the adventure to forbid collection of their data for commercial use—an pick the Framingham written report now offers its participants, as does the state of Rhode Island in its sharing of anonymized insurance claims. "I personally believe that at the end of the twenty-four hour period, individuals ain their data," says Pfizer's Berger. "If somebody is using [their] information, they should know." And if the collection is "but for commercial purposes, I recall patients should have the power to opt out."

Seeking more detailed consent cannot, by itself, stem the erosion of patient privacy, but information technology will raise awareness—without which no further action is possible. Trust in the medical system is too vital to be sacrificed to uncontrolled market place forces.

This reporting project was funded by a Reporting Award at New York University's Arthur L. Carter Journalism Constitute.