Anthem Hack Exposes Privacy Failings At Health Information Exchange Created By Health Insurers

Press Release | Consumer Watchdog | February 5, 2015

Consumers Must Have Right To Choose Whether To Participate In Cal INDEX Data Exchange, Say Privacy Advocates

Santa Monica, CA – The day after Anthem Blue Cross revealed that millions of customers’ information had been hacked, Consumer Watchdog and Patient Privacy Rights called on Cal INDEX, the health information database created by Anthem and Blue Shield of California, to allow consumers to opt-in rather than force them to opt-out.

“The Anthem hack makes clear that no company can guarantee their customers’ information will be protected. Without that guarantee, consumers must have the ability to prevent their information from being shared before it occurs,” wrote Carmen Balber, Executive Director of Consumer Watchdog and Deborah C. Peel, MD, Founder and Chair of Patient Privacy Rights in a letter to the CEO of Cal INDEX.

“By collecting millions of Californians’ private medical information in a database that could become one-stop-shopping for medical information hackers, Cal INDEX, Anthem and Blue Shield have placed all of their customers’ data at risk without their consent.”

Read the letter: http://www.consumerwatchdog.org/resources/ltcalindex020515.pdf

When Anthem Blue Cross and Blue Shield of California announced they had begun giving patient claims data to Cal INDEX, Consumer Watchdog called for a boycott of the database until privacy questions were addressed. With many of those questions answered, Cal INDEX’s privacy policies continue to leave consumers’ information at risk, the advocates wrote:

  1. Consumers still do not have a real right to opt out. Although you agree to not share the information of a consumer who opts out, you intend to continue collecting and entering that person’s information into the database, and consumers will not have a right to delete that information.
  2. Cal INDEX does not plan to give consumers access to their entire record until a patient portal is developed at some unidentified time in the future. This places patient health at risk by increasing the likelihood that a medical provider relies on a file that is incorrect.

“These failings make it impossible for consumers to be certain their personal health information will be protected at Cal INDEX.”

The letter continued: “Furthermore, serious loopholes remain in the rules about who Cal INDEX will share patient information with – including a broad exception for “research” that we continue to investigate. Without a definition of research, this allowance appears open to serious abuse.”

The letter concluded:

“Consumer Watchdog and Patient Privacy Rights are always suspicious when health insurance companies create programs they say are for consumers’ benefit, yet make participation mandatory. Health information exchanges that give consumers control of their own information can offer real benefits for patients’ health, but Anthem and Blue Shield presumptively signed up their customers for Cal INDEX before adequate protections were in place.

“Particularly in light of the Anthem hack, we urge you to stop collecting patient data until every customer of Anthem and Blue Shield can choose whether to opt in, and until you correct the defects in your privacy policies that leave consumers’ information unprotected. Then, make the case to consumers that the Cal INDEX health information exchange will improve patient health, and allow us to choose for ourselves.”

Contact:
Carmen Balber, Consumer Watchdog; and Deborah C. Peel, MD, Patient Privacy Rights