Selling Healthcare Data

Blog post by Colin Hung.

Last week, news broke that GlaxoSmithKline (GSK), the British drug giant, was investing $300 Million USD in 23andMe, the consumer genetics company best known for helping everyday citizens discover their ancestry. The outcry over the privacy concerns of this arrangement was instantaneous. Yet in the age of social media where we voluntarily put information out on the web, should this still be a concern?

I believe we should be concerned when a company:

  1. Is not transparent about what is being shared
  2. Hides the nature of the relationship (monetary compensation)
  3. Does not give consumers/patients a choice to participate

In the case of 23andMe and GSK, they check 2 out of the 3 boxes. Here are some excerpts from the press release:

  • “Together, GSK and 23andMe will focus on translating genetic and phenotypic data into R&D activities that will support identification of patient subgroups that are more likely to respond to targeted treatments.”
  • “Under the terms of the deal, GSK and 23andMe have entered into a four-year collaboration with the option to extend for a fifth year under which GSK will become 23andMe’s exclusive collaborator for drug target discovery programmes.”
  • “The companies will use 23andMe’s rich database and proprietary statistical analytics to fuel drug target discovery, with the goal of jointly discovering novel targets that can progress into development.”
  • “All activities within the collaboration will initially be co-funded (50%/50%)”
  • “Additionally, GSK has made a $300M equity investment in 23andMe.”
  • “23andMe customers are in control of their data. Participating in 23andMe’s research is always voluntary and requires customers to affirmatively consent to participate. For those who do consent, their information will be de-identified, so no individual will be identifiable to GSK.”

Transparency on what is being shared – check. Nature of the relationship between the two companies – check. Giving patients a choice to participate – fail. You can see from the last line that 23andMe customers can opt out of having their personal information shared, but the company will still share the genetic data in a de-identified manner with GSK. In effect, customers cannot opt out of the program to share data with GSK.

In his Scientific American article, Adam Tanner provides a revealing look at how health data is boxed up and sold – often without the knowledge of patients or the physicians collecting it. He singles out health data juggernaut IMS Health (rebranded as IQVIA):

Three quarters of all retail pharmacies in the U.S. send some portion of their electronic records to IMS. All told, the company says it has assembled half a billion dossiers on individual patients from the U.S. to Australia. IMS and other data brokers are not restricted by medical privacy rules in the U.S., because their records are designed to be anonymous—containing only year of birth, gender, partial zip code and doctor’s name. The Health Insurance Portability and Accountability Act (HIPAA) of 1996, for instance, governs only the transfer of medical information that is tied directly to an individual’s identity.

It is not difficult, however, to use the year of birth, gender and partial zip code to reverse engineer the individual in question. Tanner cites this example from back in 1997:

Harvard University professor, Latanya Sweeney used such methods when she was a graduate student at the Massachusetts Institute of Technology in 1997 to identify then Massachusetts governor William Weld in publicly available hospital records. All she had to do was compare the supposedly anonymous hospital data about state employees to voter registration rolls for the city of Cambridge, where she knew the governor lived. Soon she was able to zero in on certain records based on age and gender that could have only belonged to Weld and that detailed a recent visit he made to a hospital, including his diagnosis and the prescriptions he took home with him.
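The risk Tanner describes comes down to how many people share a given combination of "harmless" fields. Below is an added example (not from the article or from any of the companies named) that measures that risk on constructed data: it computes the k-anonymity of a set of de-identified records on the quasi-identifiers the article lists (year of birth, gender, partial ZIP), counts how many records a one-to-one join against a constructed public list (standing in for a voter roll) would tie to a name, and then shows how generalizing the fields to a decade of birth and a single ZIP digit raises the minimum group size and removes the unambiguous links. All names, ZIP prefixes and diagnoses are made up.

```python
"""Re-identification risk check for "de-identified" records (added example, constructed data)."""
from collections import Counter

# Constructed sample of de-identified patient records: no name, but the fields the
# article says are retained (year of birth, gender, first three ZIP digits).
RECORDS = [
    {"yob": 1945, "gender": "M", "zip3": "021", "dx": "hypertension"},
    {"yob": 1945, "gender": "M", "zip3": "021", "dx": "diabetes"},
    {"yob": 1962, "gender": "F", "zip3": "021", "dx": "asthma"},
    {"yob": 1962, "gender": "F", "zip3": "024", "dx": "bronchitis"},
    {"yob": 1948, "gender": "M", "zip3": "024", "dx": "fracture"},
    {"yob": 1945, "gender": "F", "zip3": "021", "dx": "migraine"},
    {"yob": 1941, "gender": "F", "zip3": "024", "dx": "anxiety"},
]

# Constructed public reference list (the role the voter roll played in 1997).
VOTER_ROLL = [
    {"name": "Alice Example", "yob": 1962, "gender": "F", "zip3": "021"},
    {"name": "Bob Example", "yob": 1948, "gender": "M", "zip3": "024"},
    {"name": "Carol Example", "yob": 1945, "gender": "M", "zip3": "021"},
    {"name": "Dan Example", "yob": 1945, "gender": "M", "zip3": "021"},
    {"name": "Eve Example", "yob": 1989, "gender": "F", "zip3": "021"},
]

QI = ("yob", "gender", "zip3")  # the quasi-identifiers under assessment


def quasi_id(record, fields):
    """The tuple of quasi-identifier values for one record."""
    return tuple(record[f] for f in fields)


def group_sizes(records, fields):
    """How many records share each quasi-identifier tuple (the equivalence classes)."""
    return Counter(quasi_id(r, fields) for r in records)


def k_anonymity(records, fields):
    """Smallest equivalence class; k == 1 means at least one record is unique on these fields."""
    sizes = group_sizes(records, fields)
    return min(sizes.values()) if sizes else 0


def unique_fraction(records, fields):
    """Share of records that are the only one with their quasi-identifier tuple."""
    sizes = group_sizes(records, fields)
    return sum(1 for r in records if sizes[quasi_id(r, fields)] == 1) / len(records)


def linkable_records(records, public, fields):
    """Records that a join on `fields` would tie to exactly one name in `public`.

    The link is only unambiguous when both sides are unique on the tuple: one record
    in the dataset and one person in the public list. Returns (name, diagnosis) pairs.
    """
    rec_sizes = group_sizes(records, fields)
    pub_sizes = group_sizes(public, fields)
    names = {quasi_id(p, fields): p["name"] for p in public}
    return [
        (names[quasi_id(r, fields)], r["dx"])
        for r in records
        if rec_sizes[quasi_id(r, fields)] == 1 and pub_sizes.get(quasi_id(r, fields), 0) == 1
    ]


def generalize(record, year_bucket=10, zip_digits=1):
    """Coarsen the quasi-identifiers: year of birth to a bucket, ZIP to fewer digits.

    Applied identically to the dataset and to any reference list being compared,
    since the comparison only makes sense on the same granularity.
    """
    out = dict(record)
    out["yob"] = (record["yob"] // year_bucket) * year_bucket       # 1945 -> 1940
    out["zip3"] = record["zip3"][:zip_digits] + "*" * (3 - zip_digits)  # "021" -> "0**"
    return out


if __name__ == "__main__":
    print("raw: k =", k_anonymity(RECORDS, QI),
          "unique fraction = %.2f" % unique_fraction(RECORDS, QI),
          "linked =", linkable_records(RECORDS, VOTER_ROLL, QI))
    gen, gen_pub = [generalize(r) for r in RECORDS], [generalize(p) for p in VOTER_ROLL]
    print("generalized: k =", k_anonymity(gen, QI),
          "unique fraction = %.2f" % unique_fraction(gen, QI),
          "linked =", linkable_records(gen, gen_pub, QI))
```

On the raw data five of the seven records are unique on (year of birth, gender, ZIP3), so k is 1 and two records line up with exactly one name in the public list. After generalizing to decade and one ZIP digit, every record shares its tuple with at least one other and no one-to-one link remains. The same check is worth running on any dataset before calling it "de-identified", with the real public lists a buyer could plausibly obtain in place of the constructed one here; note that coarsening reduces linkage risk but does not by itself prevent attribute disclosure when everyone in a group shares the same diagnosis.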

To me, 23andMe took the lazy option. Instead of putting resources behind a marketing campaign to convince customers to sign up for sharing their genetic data (by talking about the benefits or sharing some of the profits), they exercised their right (according to their end user agreement) to do what they please with the collected data.

I do credit 23andMe with being transparent about the nature of the relationship and with what is being shared. That’s a lot more than Pharmacy2U did when it sold details on more than 20,000 of its customers without their consent to marketing companies. The company advertised that 100,000 customer details were for sale at a cost of around $250 USD for 1,000 records. The data available included information on a range of conditions like asthma, Parkinson’s disease and erectile dysfunction. The company was fined £130,000 by the Information Commissioner’s Office in the UK.

In the US, cloud-based EHR company PracticeFusion (acquired by Allscripts) was cited by the Federal Trade Commission (FTC) in 2016 for using patient data for marketing purposes without the consent or knowledge of the physicians who were treating them. #HCLDR friend John Lynn broke the story in 2013 and wrote an excellent blog post on the lessons learned from the FTC settlement.

PracticeFusion emailed patients without the physician’s knowledge asking them to write reviews about their experience. They then posted those reviews on a public review site they had created – without telling anyone. The reviews contained personally identifiable information and intimate details about patient conditions – because patients believed their reviews would be shared privately with their physician or would be de-identified. You can read more about it in this Forbes piece.

To be fair, 23andMe has not broken the law or run afoul of a federal guideline like PracticeFusion and Pharmacy2U did. But in the court of public opinion, 23andMe, like those other two companies, has betrayed the trust its customers placed in it.

This week on #hcldr I want to explore this notion of selling customer and patient data. Does it matter what information is being shared? Does it matter why? Would our opinions change if the company shared the proceeds with its customers? What if this was the only way for the company to make enough money to sustain itself?

Please join me Tuesday July 31st at 8:30pm ET (for your local time click here) for a discussion on selling data in healthcare:

  • T1 Are you comfortable with 23andMe selling de-identified genetic information to GSK for research purposes? Why or why not?
  • T2 Does it matter if someone voluntarily gives their information to a company (i.e. 23andMe) vs involuntarily (i.e. in your doctor’s EHR) and then has it sold?
  • T3 If a company asks each patient for permission to sell their data, does it make it okay in your mind? Or does the company have to go further (i.e. split the proceeds)?
  • T4 Which company or organization would you be most upset with if they sold your data without telling you?


Tanner, Adam. “How Data Brokers Make Money Off Your Medical Records”, Scientific American, 1 February 2016, accessed 28 July 2018

Andalo, Debbie. “Pharmacy2U fined £130,000 for selling patient data”, The Pharmaceutical Journal, 21 October 2015, accessed 28 July 2018

Ducharme, Jamie. “A Major Drug Company Now Has Access to 23andMe’s Genetic Data. Should You Be Concerned?”, Time, 26 July 2018, accessed 29 July 2018

Fenton, Siobhan. “NHS Shares Medical Records Of 1.6 Million Patients With Google As Part Of Data-Sharing Agreement”, Independent, 3 May 2016, accessed 28 July 2018

Peel, Deborah C., MD. “Attention doctors and vendors: Selling patient data without informed consent is now a federal crime”, Healthcare IT News, 13 May 2010, accessed 28 July 2018

Anadiotis, George. “Healthcare’s $3 trillion question: Should the likes of Google and Facebook control this data?”, ZDNet, 6 April 2018, accessed 28 July 2018

Unity Health Score. “The Price of Medical Data”, Medium, 17 July 2018, accessed 28 July 2018

Fisher, Nicole. “Your Health Records Don’t Belong To You. It’s Time You Demand Them!”, Forbes, 27 November 2017, accessed 28 July 2018

Lynn, John. “Lessons Learned from Practice Fusion’s FTC Charges and Settlement”, EMR & HIPAA, 21 July 2016, accessed 28 July 2018

Pinsker, Beth. “Are Drug Companies Using Your Health Records to Sell You Stuff?”, Reuters, 8 January 2014, accessed 28 July 2018

Tirrell, Meg. “GlaxoSmithKline Strikes $300 Million Deal with 23andMe For Genetics-Driven Drug Research”, CNBC, 25 July 2018, accessed 28 July 2018

Zhou, Marrian. “23andMe DNA results to be used by Glaxo for new drug research”, CNET, 26 July 2018, accessed 28 July 2018

Kroft, Steve. “The Data Brokers: Selling Your Personal Information”, CBS News, 9 March 2014, accessed 28 July 2018

Zetter, Kim. “Medical Records: Stored in the Cloud, Sold on the Open Market”, Wired, 19 October 2009, accessed 28 July 2018

Image Credit

[201] SALE – Rob Brewer
