Why health data sharing is leaving patients exposed

Illustration: Aïda Amer/Axios
The push to make medical records easier to share could be opening the door for rogue companies to sell patient information to law firms and other businesses without their knowledge.
Why it matters: Americans assume their medical records are only seen by doctors, nurses and others involved in their care.
- But the rapid growth of health tech vendors and data sharing platforms is creating security gaps — just as AI is making it easier to mine personal medical data.
Driving the news: Electronic health records giant Epic and three health systems are suing software company Health Gorilla for allegedly letting third parties posing as health providers access more than 300,000 medical files on a data-sharing platform.
- One of those companies, GuardDog Telehealth, has admitted as part of a consent agreement that it took records under false pretenses and sold the data to lawyers looking for clients for class-action lawsuits.
- Epic also accused a now-defunct provider called SelfRx of fraudulently pulling more than 100,000 patient records. It dropped its claims against SelfRx last week after the company's founder made a sworn declaration that it had actually obtained fewer than 100 records and could not explain who took the others.
Between the lines: The case shows how long-running efforts to let patient records flow more freely across the health system remain a work in progress.
- Leading health and tech companies have spent years and vast sums trying to come up with a framework that can link different record systems and reduce inefficiencies, medical errors and waste.
- But it can't really work if a company participating in a health data sharing network, as SelfRx did, can't account for requests made in its name.
The central question is how data companies can verify who's requesting data.
- Epic — joined by Reid Health, Trinity Health and UMass Memorial Health — charged that companies would "obscure their true purpose through fictitious websites, shell entities, and sham National Provider Identification (NPI) numbers … to create an illusion of legitimate patient treatment."
- In a statement to Axios, Epic said SelfRx's declaration "raises very serious questions: who used SelfRx's provider credentials to take over 100,000 patient records and where did those records go? This provides further evidence that there is a lack of accountability and oversight."
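An added illustration, not code from the article, Epic, Health Gorilla or any party to the suit, of why a "sham" NPI can look legitimate: the tenth digit of an NPI is a Luhn check digit computed over the first nine digits with the fixed prefix 80840, so a syntactic check catches typos, not fraud. The Python below validates the checksum, shows that anyone can mint a checksum-valid number, and then applies the two checks that actually distinguish a treating provider from an impostor: a lookup against the provider registry (here a constructed stand-in for NPPES) and a volume check over a constructed query log. The registry entries, organization names, the 25-patient threshold and the log lines are all assumptions made for the example.

```python
"""NPI vetting example: checksum, registry binding, and volume anomaly."""

NPI_PREFIX = "80840"  # constant CMS prefix used when computing the NPI check digit


def luhn_check_digit(payload: str) -> int:
    """Luhn check digit for a digit string that does not yet carry one.

    Doubling starts at the rightmost payload digit, which sits immediately
    to the left of the check digit in the finished number.
    """
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def npi_checksum_valid(npi: str) -> bool:
    """True if npi is 10 digits and its last digit is the correct Luhn check."""
    if len(npi) != 10 or not npi.isdigit():
        return False
    return luhn_check_digit(NPI_PREFIX + npi[:9]) == int(npi[9])


def mint_sham_npi(first_nine: str) -> str:
    """Anyone can do this: pick nine digits and append the matching check digit."""
    if len(first_nine) != 9 or not first_nine.isdigit():
        raise ValueError("need exactly nine digits")
    return first_nine + str(luhn_check_digit(NPI_PREFIX + first_nine))


# Constructed stand-in for a registry lookup. Real vetting queries NPPES
# (and checks enumeration type, taxonomy and deactivation), not a dict.
REGISTRY = {
    "1234567893": {"org": "Example Family Clinic", "status": "active"},
    "1245319599": {"org": "Closed Clinic LLC", "status": "deactivated"},
}


def vet_requester(npi: str, claimed_org: str) -> tuple[bool, str]:
    """Bind the NPI to a live registry record and to the organization asserting it."""
    if not npi_checksum_valid(npi):
        return False, "malformed NPI"
    rec = REGISTRY.get(npi)
    if rec is None:
        return False, "NPI not in registry"
    if rec["status"] != "active":
        return False, "NPI deactivated"
    if rec["org"].casefold() != claimed_org.casefold():
        return False, "NPI belongs to a different organization"
    return True, "ok"


def flag_bulk_pulls(query_log, max_distinct_patients: int = 25) -> list[str]:
    """Return NPIs that queried more distinct patients than a treating provider
    plausibly would in the log's window. The threshold is an assumption; tune
    it per network and specialty. query_log is an iterable of (npi, patient_id).
    """
    seen: dict[str, set[str]] = {}
    for npi, patient_id in query_log:
        seen.setdefault(npi, set()).add(patient_id)
    return sorted(n for n, pts in seen.items() if len(pts) > max_distinct_patients)


# Constructed query log: a clinic pulling a handful of its own patients next to
# a checksum-valid but unregistered NPI sweeping hundreds of unrelated records.
SAMPLE_LOG = [("1234567893", f"p{i}") for i in range(5)] + [
    (mint_sham_npi("999999999"), f"p{i}") for i in range(300)
]

if __name__ == "__main__":
    sham = mint_sham_npi("999999999")
    print(sham, npi_checksum_valid(sham))          # passes the checksum...
    print(vet_requester(sham, "Shell Entity Health"))  # ...fails the registry check
    print(flag_bulk_pulls(SAMPLE_LOG))
```

The order matters: the checksum is cheap and rejects garbage, the registry lookup rejects numbers nobody owns or that were deactivated, and the organization match rejects a real NPI presented by someone other than its owner. Only the volume check speaks to the pattern described in the complaint, a credentialed participant whose query pattern looks nothing like treatment.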
The other side: Health Gorilla "requires rigorous vetting of all participants and sub-participants, both before onboarding and on an ongoing basis," a spokesperson said in an email response.
- "Health Gorilla continues to vigorously defend against Epic's manufactured and meritless claims in pending litigation," she said.
What's ahead: The health data concerns may become more pressing as AI agents become capable of navigating patient portals and health IT networks.
- Amazon, through its primary care affiliate One Medical, launched a health AI bot capable of pulling a patient's medical history and answering questions about their health, Second Opinion wrote.
- Federal regulators continue to push for more seamless data sharing between providers under interoperability and information blocking rules.
- The question is whether they'll be able to keep bad actors at bay.
