When Robertson contacted subjects for comments for his story, they were astounded, and sometimes angry, that he knew their medical diagnoses and treatments from those hospitalizations, and that the system could be used in such a fashion.
"The data has a lot of value in the wrong hands, and we've chosen to publicize this, because we're trying to draw attention to it," Robertson says. "This could have been done just as easily by a private investigator or by a short-seller, if they had the wherewithal and the means to do it."
It dawned on me that while providers may do everything they're supposed to do to abide by HIPAA, loopholes like this state public health exemption render information accessible. And once it's on the Internet, data can live forever.
States may be jolted out of their inaction by Robertson's story. Already, Washington state has told Robertson it intends to tighten its data standards. Unless the entity requesting the information is truly a public health agency, the state will likely charge steeper fees to access the data. Already, the state of Pennsylvania, seeing increased demand from commercial data companies, increased the cost of the data sets.
But Robertson noted that the use of secondary health data, including for marketing purposes, is projected to be a $10 billion industry by 2020. So how likely is it that commercial interests will let higher fees slow them down?