Explained: Why The Feds Are Raiding Tech Companies For Medical Records
When a U.S. government demand for genetic data from Ancestry.com was revealed earlier this week, it caused anxiety around the kinds of access police have to people’s DNA data
But there’s something else that Americans should be paying attention to: the government’s secretive plundering of citizens’ medical histories.
It’s largely flying under the radar of public perception, which is odd, given data doesn’t get much more personal than that found in medical records, whether it’s details on embarrassing or serious illness, or what medications you’re on.
And it seems police raids on medical tech companies may be more frequent and more fruitful than those on the likes of Ancestry.
Who is the government getting medical data from?
I’ve found multiple cases where federal agents have been quietly rummaging through databases of American citizens’ medical histories.
They’re doing so via little-known healthcare tech companies. According to court files I reviewed, the government has found at least one new possible reservoir of medical information: a 10-year-old, successful Sunnyvale, California, startup called DrChrono.
It’s worth close to $50 million, according to Pitchbook, and just last month raised $20 million. DrChrono’s aims to make electronic health records easier for doctors and their practices to manage, placing everything from patient histories and billing information in one place in the cloud. It claims its software manages data on around 17.8 million patients and processed more than $11 billion in medical bills to date.
Sounds useful for the doctors, but it’s also useful for police when they’re investigating a crime in which they want to access medical records. The search warrants I discovered show that when cops come knocking with a valid legal request, DrChrono is happy to hand over data. Lots of data.
How much medical data can they get?
In January last year, DrChrono provided 9.3GB of medical records, amounting to 8,316 files from the Gaby Medical Clinic in Fort Smith, Arkansas.
A screenshot of a search warrant document shows DrChrono providing more than 8,000 files of medical ... [+]
In that case, the Drug Enforcement Administration was investigating two doctors—Donald Hinderliter and Cecil Gaby—over claims they were giving out large quantities of potent drugs like Oxycodone and Xanax. The DEA had heard from witnesses that some patients had suffered fatal overdoses. (Both Hinderliter and Gaby have pleaded guilty to charges of distributing controlled substances and are awaiting sentencing).
In a separate case, in July 2019, DrChrono supplied the government with records related to the Pennsylvania-based practise of Neil Anand. He was being investigated for handing out “goody bags” of drugs to patients who didn’t need or ask for them. He’s since pleaded not guilty to all charges of healthcare fraud and conspiracy to distribute controlled substances.
In a search warrant I uncovered, the investigating agent goes into a little detail about what exactly he was able to determine from DrChrono records:
“I am aware that the medical records contained entries from DrChrono with notes for office visits on September 9, 2018 and July 23, 2018 indicating that Former Employee 2 was Patient 4' s medical provider on these dates.”
It’s clear that even appointment notes are included in its files. Again, that’s incredibly sensitive and revealing data. And in this case it seems the government has acquired data belonging to at least one victim, not a suspect.
Are my medical records being sold without my knowledge?
According to Dr Deborah Peel, founder and president for Patient Privacy Rights, companies like DrChrono can and will aggregate and sell your data. “The data holders now control our health data,” she warns.
Looking at the DrChrono privacy policy, it certainly reserves some rights to sell users’ information, but does say: “We do not rent, sell or share personal information about you with other people or non-affiliated companies for their direct marketing purposes, unless we have your permission.” A closer read indicates it does reserve the right to sell data to affiliated companies, or to anyone for non-direct marketing purposes.
And, it adds, DrChrono can share your information with partners and: “We are not responsible for the privacy practices of the others who will view and use the information you disclose to others.”
Is this happening now?
Yes and it will continue to happen. Investigations using DrChrono data appear to be ongoing.
I put in a freedom of information request with the Department of Health and Human Services’ Office of Inspector General, asking it for any communications it had with DrChrono. That agency is notable for being the largest inspector general's office in the federal government and it’s playing a major role in the fight against opioid epidemic. The agency said it couldn’t provide records, but it noted: “This office has been informed that there is an open and ongoing investigation concerning the subject of your request.”
Neither DrChrono nor its CEO Michael Nusimow had responded to multiple requests for comment.
I found just a small number of requests for medical records for DrChrono and similar businesses. But it’s possible, even likely, there are others and DrChrono’s competitors are most likely being asked to hand over people’s health data too. I discovered one other case where the government wanted to search an account at rival Practice Fusion, though the case files were sealed.
Should you be worried?
If you care about privacy, you should be more concerned about why the government’s looking into your healthcare history than your DNA data. As Dr Peel puts it: “We have no right to health privacy, no right to control our health data in the US.”
First, Ancestry only received one demand for genetics data in 2019 (one which it rebuffed), compared to the two that I found for DrChrono.
Second, unlike Ancestry, the likes of DrChrono don’t have transparency reports that inform people how often governments are telling them to reveal data.
And not only do they have masses of super-sensitive data, these small businesses don’t have the same financial clout to fight broad, invasive government orders as much larger tech companies.
Whilst federal investigators are legitimately looking into serious crimes, ones that contribute to America’s severe opioid crisis, it appears the victims of that particular menace are, perversely, having their privacy invaded alongside pill pushers.
