Under-the-Radar Health Information Markets: the Supply, the Demand, and the Exploited.

Nowadays, it is not a secret that healthcare providers — such as hospitals — can store and utilize individuals’ health information. Hospitals keep records of individuals so that the diagnosis can be based on more information, and some countries even have a health information exchange system among different hospitals for the same purpose.

Yet there are also less visible health information markets that are growing rapidly by consuming your health data without your awareness or explicit consent. In the following paragraphs, I will examine the players in the under-the-radar health information market from the perspective of supply and demand. I will then wrap up the article by highlighting the high risks that individuals face.

The Supply: Who is accessing and supplying your health information without your consent?

Health Data Brokerage Industry

In general, data brokers are entities that collect information about individuals and sell that data to other data brokers, companies and individuals. Accordingly, health data brokers are those who focus specifically on health information. In the US, health data brokers can legally buy and sell anonymous (de-identified) data under the Health Insurance Portability and Accountability Act (HIPAA), as well as non-anonymous health data not covered by that privacy standard, including what you put into search engines and health websites [1].

“Your medical data is for sale — all of it.”

— The Guardian

One of the biggest health data brokers in the field is IMS Health (now called “IQVIA” after the merger). According to Forbes, IMS claimed it “processes data from more than 45 billion healthcare transactions annually and collects information from more than 780,000 different streams of data worldwide” [2]. It is noteworthy that data brokers have no direct relationship with the people whose data they collect, meaning that people tend to be unaware that their data is being collected and sold.

Health Data Breaches

Throughout history, one of the common ways for criminals to get something valuable has been stealing it, and in the age of the internet that takes the form of data breaches. According to Forbes, healthcare is now the most cyber-attacked industry. In the United States alone, between 2009 and 2017, there were 2,181 healthcare data breaches that resulted in the exposure of 176,709,305 healthcare records, accounting for 54.25% of its population [3]. In 2016, there were 9 times more medical than financial records breached [4]. It is also noteworthy that 75% of those records were exposed or stolen as a result of hacking or IT incidents, signaling that criminals see value in this data [5].

Every year, with the exception of 2015, the number of healthcare data breaches (in the USA) has increased, rising from 199 breaches in 2010 to 344 breaches in 2017.

Apart from the United States, Australia and Singapore also recently faced serious health data breaches. The Office of the Australian Information Commissioner revealed in July 2018 that there had been more than 300 major data breaches that year, among which the healthcare sector was the worst hit with 49 major data breaches [6]. Singapore, on the other hand, suffered one of the worst cyber attacks in its history this year. Hackers invaded the computers of SingHealth, Singapore’s largest group of healthcare institutions, and stole the health records of 1.5 million patients, including Prime Minister Lee Hsien Loong [7].

Darknet Market

Darknet markets, found on what is also known as the “Dark Web” or the “Deep Web”, can be seen as an online form of black market. Many of the health records from the previously mentioned data breaches end up for sale on darknet markets.

“Stolen health credentials can go for $10 each, about 10 or 20 times the value of a U.S. credit card number.” — PhishLabs.

On the dark web, complete health records normally contain an individual’s name, date of birth, social security number, and medical information. Such records can sell for as much as $60 apiece, whereas stolen credit cards sell for just $1 to $3 [8]. The prices vary with the number of items in the package, the characteristics of the victim, the source of the stolen data and the underground reputation of the seller [9].

Source: Redsocks Malicious Threat Detection (11th Apr 2018), Dark Web: The Harmful Business of Medical Data. Available at: https://www.redsocks.eu/blog-2/dark-web-the-harmful-business-of-medical-data/

According to the Guardian, a darknet trader even claimed to have access to any Australian’s Medicare details and could supply them upon request. The price for an Australian’s Medicare card details was 0.0089 bitcoin, equivalent to US$22 at the time [10].


The Demand: Who is buying your health information without your consent?

Medical Identity Theft

Medical identity theft, as defined by the World Privacy Forum, occurs when “someone uses a person’s identity without the person’s consent to obtain medical services or goods, or uses the person’s identity information to make false claims for medical services or goods” [11].

In the US, medical records have been in great demand from cybercriminals because they contain valuable personal information — such as name, address, date of birth and Social Security Number — all in one record [12]. With such information, criminals can access specific medical equipment or drugs available upon prescription — and then later sell them on the black market.

Pharmaceutical Companies

The pharmaceutical industry has traditionally depended on aggressive marketing for product promotion. However, traditional commercial methods no longer seem to do the trick. In particular, companies are failing to engage with patients when they look for information about symptoms in the early stages [13]. So by accessing more health information about individuals, they can gain better insights into the market and how best to interact with patients/consumers [14].

Besides the marketing aspect, pharmaceutical companies have over the past decade started to use real-world data in clinical studies to prove the value of their drugs. Between 2010 and 2016, the average cost of bringing a drug to market increased by 33%, yet average peak sales decreased by 49%. Meanwhile, the market for precision medicine is expected to grow from $39 billion in 2015 to $87.7 billion by 2023 [15]. IMS Health, for instance, states that pharmaceutical sales and marketing are a key part of IMS’ business, and its data also helps big pharma justify drug prices by demonstrating their effectiveness [16].


The Exploited: High risks, yet low (if any) returns for individuals

Your health information cannot exist without you. Yet, other people are benefiting from it instead of you.

All the health information I mentioned above, whether it is exposed in a data breach or purchased by pharmaceutical companies, is generated by individuals. Therefore, I believe it is fair to argue that individuals, rather than the data brokers or the hackers, have the most at stake, yet, as shown above, receive the least benefit from the market.

Privacy is at stake

Most of the current legal protections (e.g. HIPAA) focus on removing personally identifiable information, such as name, phone number, address and date of birth, from health records. Health data brokers, for instance, tend to deal only with such de-identified health information when running their business. However, it is critical to realize that this method is no longer enough to secure one’s privacy, because data that was de-identified can be re-identified. One of the popular ways to do so is by combining databases to fill in the blanks, also known as “mosaicking” [17].

“Enough anonymous data gathered over time will eventually contain enough clues to re-identify nearly anyone who has received medical care, posing a big potential threat to privacy [18].”

The Australian government, for instance, published medical billing records covering 2.9 million people on its open data website, and the data was later found to be re-identifiable using known information about the individuals [19]. With the increasing popularity of consumer genomics, research has found that “more than 60 per cent of Americans with European ancestry can be identified through their DNA using open genetic genealogy databases, regardless of whether they’ve ever sent in a spit kit” [20]. In the graph below, Bloomberg shows how someone can re-identify your medical records in 5 simple steps.

Source: Bloomberg Research
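As an added illustration of the “mosaicking” risk described above (example code, not from the original article or any of the sources it cites): a linkage-risk check a data custodian could run before publishing a de-identified release. It measures the k-anonymity of the release on its quasi-identifiers, counts how many rows match exactly one name in an auxiliary public table, and shows whether coarsening ZIP codes and birth years closes the gap. All records, names and field choices are constructed for the example.

```python
"""Linkage ("mosaicking") risk check on a constructed de-identified release."""
from collections import defaultdict

# Quasi-identifiers: fields that survive de-identification yet narrow a person down.
QUASI_IDS = ("zip", "birth_year", "sex")

# Constructed sample: a "de-identified" medical release (direct identifiers removed).
RELEASE = [
    {"zip": "02138", "birth_year": 1961, "sex": "F", "diagnosis": "hypertension"},
    {"zip": "02139", "birth_year": 1964, "sex": "F", "diagnosis": "asthma"},
    {"zip": "02139", "birth_year": 1975, "sex": "F", "diagnosis": "diabetes"},
    {"zip": "02139", "birth_year": 1975, "sex": "F", "diagnosis": "migraine"},
    {"zip": "02141", "birth_year": 1988, "sex": "M", "diagnosis": "depression"},
    {"zip": "02142", "birth_year": 1983, "sex": "M", "diagnosis": "fracture"},
]

# Constructed sample: an auxiliary public table (voter-roll style) that carries names.
PUBLIC = [
    {"name": "Alice Example", "zip": "02138", "birth_year": 1961, "sex": "F"},
    {"name": "Beth Example", "zip": "02139", "birth_year": 1964, "sex": "F"},
    {"name": "Carol Example", "zip": "02139", "birth_year": 1975, "sex": "F"},
    {"name": "Dana Example", "zip": "02139", "birth_year": 1975, "sex": "F"},
    {"name": "Evan Example", "zip": "02141", "birth_year": 1988, "sex": "M"},
    {"name": "Frank Example", "zip": "02141", "birth_year": 1988, "sex": "M"},
]


def qi_key(row, quasi_ids=QUASI_IDS):
    """The tuple of quasi-identifier values that two tables are joined on."""
    return tuple(row[q] for q in quasi_ids)


def equivalence_classes(rows, quasi_ids=QUASI_IDS):
    """Group rows that are indistinguishable on the quasi-identifiers."""
    classes = defaultdict(list)
    for row in rows:
        classes[qi_key(row, quasi_ids)].append(row)
    return classes


def k_anonymity(rows, quasi_ids=QUASI_IDS):
    """Size of the smallest class; k == 1 means some row is unique on the QIs."""
    return min(len(c) for c in equivalence_classes(rows, quasi_ids).values())


def reidentify(release, public, quasi_ids=QUASI_IDS):
    """Release rows whose quasi-identifiers match exactly one named person.

    A row with two or more candidates is ambiguous; a row with none has no
    match in this auxiliary table (another table might still supply one).
    """
    candidates = defaultdict(list)
    for person in public:
        candidates[qi_key(person, quasi_ids)].append(person["name"])
    hits = []
    for row in release:
        names = candidates.get(qi_key(row, quasi_ids), [])
        if len(names) == 1:
            hits.append((names[0], row["diagnosis"]))
    return hits


def generalize(row):
    """Coarsen quasi-identifiers: 3-digit ZIP prefix and birth decade."""
    out = dict(row)
    out["zip"] = row["zip"][:3]
    out["birth_year"] = row["birth_year"] // 10 * 10
    return out


def risk_report(release, public):
    """k and unique linkages before and after generalizing both tables."""
    raw = {"k": k_anonymity(release), "reidentified": reidentify(release, public)}
    gen_release = [generalize(r) for r in release]
    gen_public = [generalize(p) for p in public]
    gen = {"k": k_anonymity(gen_release),
           "reidentified": reidentify(gen_release, gen_public)}
    return raw, gen


if __name__ == "__main__":
    before, after = risk_report(RELEASE, PUBLIC)
    print("raw release:        ", before)
    print("generalized release:", after)
```

The raw release is 1-anonymous and two rows link to a single name each; after generalization every class has at least two members and no row links uniquely, which is the property a custodian wants to verify before publication.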

Pay the high price for being a medical identity theft victim

In the US, medical identity theft is estimated to cost a victim about $13,500 to resolve [21]. Unlike traditional financial identity theft, medical identity theft is more difficult to discover and deal with. One of the main reasons is that health information tends to be very private and unchangeable: one cannot simply cancel one’s demographic data, family history, insurance information or medication.

Once you become a victim of medical identity theft, doctors might update your health records with the imposter’s medical information, which can lead to false treatment for you and medical bills that you have to pay for [22].

What’s in it for the individuals?

Bearing such costs and risks, one would assume that there must be something in it for the individuals. But in my reality, I have never been rewarded (in any form) by hospitals, pharmaceutical companies or health data brokers for utilizing my valuable health information, and I believe that is the experience of almost everyone out there.

To conclude, our health information (in many forms) is in fact traded around more than we expect, both legally and illegally. From data brokers to hackers, entities get hold of valuable and sensitive health information and profit from it. I believe the very first step is to raise public awareness and to empower individuals to demand better control over their health information.


References

[1] Fast Company (1st Apr 2018). Can this app that lets you sell your health data cut your health costs? Available at: https://www.fastcompany.com/40512559/can-this-app-that-lets-you-sell-your-health-data-cut-your-health-costs

[2] Forbes (6th Jan 2014). Company that knows what drugs everyone takes going public. Available at: https://www.forbes.com/sites/adamtanner/2014/01/06/company-that-knows-what-drugs-everyone-takes-going-public/#2f37caf24c90

[3] HIPAA Journal. Healthcare Data Breach Statistics. Available at: https://www.hipaajournal.com/healthcare-data-breach-statistics/

[4] Forbes (Dec 2017). The Real Threat Of Identity Theft Is In Your Medical Records, Not Credit Cards. Available at: https://www.forbes.com/sites/forbestechcouncil/2017/12/15/the-real-threat-of-identity-theft-is-in-your-medical-records-not-credit-cards/#5c7f7fa01b59

[5] HIPAA Journal (Sep 2018). Study reveals 70% Increase in Healthcare Data Breaches Between 2010 and 2017. Available at: https://www.hipaajournal.com/study-reveals-70-increase-in-healthcare-data-breaches-between-2010-and-2017/

[6] News.com.au (31st Jul 2018). Health sector tops the list as Australians hit by 300 data breaches since February. Available at: https://www.news.com.au/technology/online/hacking/health-sector-tops-the-list-as-australians-hit-by-300-data-breaches-since-february/news-story/5e95c47694418ad072bf34d872e22124

[7] The Straits Times (Jul 2018). Personal info of 1.5m SingHealth patients, including PM Lee, stolen in Singapore’s worst cyber attack. Available at: https://www.straitstimes.com/singapore/personal-info-of-15m-singhealth-patients-including-pm-lee-stolen-in-singapores-most

[8] Fast Company (2016). On the Dark Web, Medical Records Are a Hot Commodity. Available at: https://www.fastcompany.com/3061543/on-the-dark-web-medical-records-are-a-hot-commodity

[9] Redsocks Malicious Threat Detection (Apr 2018). Dark Web: The Harmful Business of Medical Data. Available at: https://www.redsocks.eu/blog-2/dark-web-the-harmful-business-of-medical-data/

[10] The Guardian (Jul 2018). The Medicare machine: patient details of ‘any Australian’ for sale on darknet. Available at: https://www.theguardian.com/australia-news/2017/jul/04/the-medicare-machine-patient-details-of-any-australian-for-sale-on-darknet

[11] World Privacy Forum. Medical Identity Theft. Available at: https://www.worldprivacyforum.org/category/med-id-theft/

[12] Entefy (Dec 2017). Medical records fetch a premium on the black market. Then along comes blockchain. Available at: https://www.entefy.com/blog/post/500/medical-records-fetch-a-premium-on-the-black-market-then-along-comes-blockchain

[13] McKinsey & Company (May 2016). How pharma companies can better understand patients. Available at: https://www.mckinsey.com/industries/pharmaceuticals-and-medical-products/our-insights/how-pharma-companies-can-better-understand-patients

[14] Lewis, R. J., Weintraub, S., Sitler, B., McHugh, J., Zan, R., & Morales, S. (2015). Results: The Future of Pharmaceutical and Healthcare Marketing.

[15] Deloitte (2017). Life Sciences and Health Care Prediction 2022. Available at: https://www2.deloitte.com/uk/en/pages/life-sciences-and-healthcare/articles/healthcare-and-life-sciences-predictions.html

[16] Fortune (9th Feb 2018). This Little-Known Firm Is Getting Rich Off Your Medical Data. Available at: http://fortune.com/2016/02/09/ims-health-privacy-medical-data/

[17] Forbes (2016). The Big Data Era of Mosaicked Deidentification: Can We Anonymize Data Anymore? Available at: https://www.forbes.com/sites/kalevleetaru/2016/08/24/the-big-data-era-of-mosaicked-deidentification-can-we-anonymize-data-anymore/#802d2be3f1e2

[18] The Century Foundation (2017). Strengthening Protection of Patient Medical Data. Available at: https://tcf.org/content/report/strengthening-protection-patient-medical-data/?agreed=1

[19] The Guardian (Jul 2018). ‘Data is a fingerprint’: why you aren’t as anonymous as you think online. Available at: https://www.theguardian.com/world/2018/jul/13/anonymous-browsing-data-medical-records-identity-privacy

[20] Wired (2018). Genome Hackers Show No One’s DNA Is Anonymous Anymore. Available at: https://www.wired.com/story/genome-hackers-show-no-ones-dna-is-anonymous-anymore/

[21] AARP (2017). Medical Identity Theft: It Can Cost You Thousands. Available at: https://states.aarp.org/medical-identity-theft-can-cost-thousands/

[22] Panda Security. Identity Theft. Available at: https://www.pandasecurity.com/mediacenter/news/identity-theft-statistics/

By Hsiang-Yun L. on July 01, 2019.

Coase Theorem in the World of Data Breaches

“This is a really serious security issue, and we’re taking it really seriously,…..I’m glad we found this, but it definitely is an issue that this happened in the first place.”

— Facebook CEO Mark Zuckerberg

(after the company’s security breach that exposed the personal information of 30 million users [1])

We now live in a world of data. Every single day, each one of us generates some very personal data about what we see, where we go, who we talk to, what we think and even who we are. Data is quickly becoming one of the most critical factors of production in the current market economy. Yet, it also brings negative externalities that cannot and should not be ignored for the market to function effectively. Many economists have proposed theories and tools to tackle the problem of externalities. In this article, I am going to specifically focus on the solution proposed by Ronald Coase in 1960, and show how the theory can be applied to the modern world of data.

When the Market Fails

Before diving into the Coase Theorem, we first need to talk about “externality”, which can be defined as the positive or negative consequences of economic activities on third parties [2]. An externality is considered a form of market failure, as it is a spillover effect of the consumption or production of a good that is not reflected in the price of the good [3]. That is, the market equilibrium fails to capture and reflect the real cost/benefit of the economic activity. Everyday externalities that people encounter include air pollution and cigarette smoking. Another classic example of a negative externality is described by Garrett Hardin in his paper “The Tragedy of the Commons”, which discusses how individuals tend to exploit shared resources until demand greatly outweighs supply and the resource becomes unavailable to everyone [4].

Pollution is a classic example of a negative externality.

Coase Theorem: Assigning Property Rights to Tackle Externalities

Prior to Ronald H. Coase, who was awarded the Nobel Prize for Economics in 1991, economists were inclined to consider corrective government actions as the solution to externalities: for instance, setting numerical limits on activities with external effects (Command and Control regulation), subsidizing consumption of goods with positive externalities, and internalizing externalities through the price system (Pigouvian tax). However, in his 1960 publication “The Problem of Social Cost”, Coase argues that there is a real danger that such government intervention in the economic system in fact leads to the protection of those responsible for harmful effects [5]. Instead, he suggests that the market can potentially solve the problem of externalities by itself if property rights are complete and parties can negotiate costlessly.

“We may speak of a person owning land and using it as a factor of production but what the land-owner in fact possesses is the right to carry out a circumscribed list of actions.”

— Coase, R. (1960). The Problem of Social Cost.

To see how this economic theory can be applied to a real-world problem, let’s take a quick look into the Cap-and-Trade system.

Cap-and-Trade: A real-world application of Coase Theorem

Facing the global challenge of climate change, the European Union created the world’s first international Emission Trading System (ETS) in 2005 with the goal of reducing greenhouse gas emissions. The EU ETS works on a Cap-and-Trade principle: a cap is set on the total amount of certain greenhouse gases that can be emitted by installations in the system. The cap is reduced over time so that total emissions fall. Within the cap, companies receive or buy emission allowances, which they can trade with one another as needed [6]. In other words, the cap to some extent represents the right to emit certain greenhouse gases, whereas the trading reflects the negotiation that Coase argues can lead to a more efficient market allocation.

“Trading brings flexibility that ensures emissions are cut where it costs least to do so. A robust carbon price also promotes investment in clean, low-carbon technologies.”

— The European Commission

According to the EU, the ETS has shown good results: the cap on emissions from power stations and other fixed installations is reduced by 1.74% every year between 2013 and 2020 [7], and emissions are estimated to be 43% lower than in 2005 by 2030 [8].

Coase Theorem in the World of Data Breaches

Living in the age of big data, data breaches have become increasingly common in our daily lives. According to the Identity Theft Resource Center, the number of significant breaches at US businesses, government agencies, and other organizations reached 1300 in 2017, compared to fewer than 200 in 2005 [9]. This increase is partly due to the fact that the world’s volume of data has grown exponentially over the past decade, giving cybercriminals a greater opportunity to expose massive volumes of data in a single breach [10].

Although it is normally defined as an “incident” where information is stolen or taken from a system without the knowledge or authorization of the system’s owner [11], I suggest viewing a data breach (especially one involving personal information) as a modern form of negative externality. When the data that institutions capture from individuals to run their business is breached, individuals bear spillover effects in terms of privacy and financial loss. Yet the liability for such harm is not clearly defined, and therefore not taken into account within the market mechanism.

“We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any Profile data was misused.”

— Google Official Statement disclosing the data leak affecting up to 500,000 accounts [12].

Take Facebook’s security breach in September 2018 as an example. 30 million people (more than the whole population of Australia) had their names and contact details leaked, and 14 million of them also had sensitive information (including gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, education, work, etc.) exposed to the attackers [13]. Given the significant harm that this “incident” did to people’s privacy, what Facebook did was apologize, saying that it was “a breach of trust” and that they “promise to do better” for the users [14]. Yet no matter how sincere those apologies might be, they cannot and will not solve the core of the problem.

Data breaches cause great harm to society as well as individuals. However, such negative externalities are not well captured and reflected in the market.

This is not, however, to suggest solving data breaches with one-size-fits-all government regulation, because according to Coase we need to recognize the reciprocal nature of the problem. That is, a data breach cannot happen without Facebook failing to secure its data, but at the same time it also cannot take place without users willingly entering data into the platform. So what is missing here, based on the Coase Theorem, is a clear definition of the rights to data.

In the World of Data where Property Rights are defined and defended

Based on the Coase Theorem, the property rights to data in fact refer to the right to carry out a circumscribed list of actions. Examples of such actions include:

  • Right to control access to one’s data
  • Right to monetize one’s data
  • Right to donate/give away one’s data
  • Right to defend the privacy of one’s data
  • …….

When the above rights to data are clearly defined, individuals are empowered with legal recourse and bargaining power against a “data breach incident” that infringes their rights. In the case of Facebook, for example, users would be able to confront Facebook in court for its failure to defend users’ data privacy and to use the data only for the permitted purpose (intentionally or not). Or even before a data breach occurs, which seems inevitable for centralized data storage, users could already negotiate terms with Facebook for the potential risks that Facebook exposes them to. Facing such confrontation and consequences, Facebook would be forced to better account for the costs and risks it bears when storing and utilizing its users’ data. This might lead to a change of business model for Facebook, or to a new user-platform relationship in which Facebook openly compensates users for the risks they are exposed to.

In short, as argued by Coase, once the rights to data are clarified, parties can openly negotiate terms and compensation for the resulting negative externalities, just as we do with greenhouse gases, and thereby reach a better market equilibrium.

Baby step at a time to tackle market failures in the world of data

The Facebook data breach is not the first of its kind, and unfortunately will not be the last. In fact, data breaches are expected to become more frequent, bigger and more expensive in the near future. Therefore, although the Coase Theorem, like all economic theories, has its limitations in real-world application, it still sheds light on how defining the rights to data can be the first step toward addressing negative externalities of the digital world such as data breaches, and toward a better-functioning market mechanism in the long term.

References

[1] The New York Times (Sep 2018). Facebook Security Breach Exposes Accounts of 50 Million Users. Available at: https://www.nytimes.com/2018/09/28/technology/facebook-hack-data-breach.html

[2] Quickonomics. Positive Externalities vs Negative Externalities. Available at: https://quickonomics.com/positive-externalities-vs-negative-externalities/

[3] Intelligent Economist. Introduction to externalities. Available at: https://www.intelligenteconomist.com/externalities/

[4] Investopedia. Tragedy Of The Commons. Available at: https://www.investopedia.com/terms/t/tragedy-of-the-commons.asp

[5] Coase, R. (1960). The Problem of Social Cost.

[6] European Commission. EU Emissions Trading System (EU ETS). Available at: https://ec.europa.eu/clima/policies/ets_en

[7] European Commission. EU Emissions Trading System (EU ETS). Available at: https://ec.europa.eu/clima/sites/clima/files/factsheet_ets_en.pdf

[8] European Commission. EU Emissions Trading System (EU ETS). Available at: https://ec.europa.eu/clima/policies/ets_en

[9] Priceonomics. Why Security Breaches Just Keep Getting Bigger and More Expensive. Available at: https://priceonomics.com/why-security-breaches-just-keep-getting-bigger-and/

[10] Digital Guardian (Jan 2019). The History of Data Breaches. Available at: https://digitalguardian.com/blog/history-data-breaches

[11] Trend Micro. Data Breach. Available at: http://www.trendmicro.tw/vinfo/us/security/definition/data-breach

[12] Google (Oct 2018). Project Strobe: Protecting your data, improving our third-party APIs, and sunsetting consumer Google+. Available at: https://www.blog.google/technology/safety-security/project-strobe/

[13] Facebook Newsroom (Oct 2018), An Update on the Security Issue. Available at: https://newsroom.fb.com/news/2018/10/update-on-security-issue/

[14] The Verge (Mar 2018). Mark Zuckerberg apologizes for Facebook’s data privacy scandal in full-page newspaper ads. Available at: https://www.theverge.com/2018/3/25/17161398/facebook-mark-zuckerberg-apology-cambridge-analytica-full-page-newspapers-ads

By Hsiang-Yun L. on February 26, 2019.