(Bloomberg) — Wendy Schobert got a sinking feeling in her stomach the day a local health clinic showed up at her office to collect detailed medical information on her and her co-workers as part of the company’s new wellness program.
If she didn’t participate she’d have to pay the full cost of her insurance — $5,000 a year. Even so, Schobert said she feared her health data wouldn’t be kept confidential, so she accepted the extra insurance cost and opted out.
“There is nothing I was hiding about my health other than that it is none of your business,” said Schobert, who filed a complaint against her former employer, Orion Energy Systems Inc., with the U.S. Equal Employment Opportunity Commission (EEOC). “My health information is between myself and my doctor.”
Schobert’s fears are well founded, security analysts say. The recent hack of Sony Corp. — in which health information on more than three dozen employees was stolen from the company’s servers — is highlighting the amount of medical data proliferating outside of doctor’s offices in electronic form, and how vulnerable the records are to theft. Corporate wellness programs have become one of the biggest areas where health data is being collected, with hundreds of vendors amassing millions of pieces of intimate and potentially embarrassing health information on American workers.
“Thirty years ago, our medical records were in a file cabinet behind a door and they were harder to get to,” said Geoff Hancock, chief executive officer at Advanced Cybersecurity Group, who works with employers to protect their health data and other sensitive information from hackers. He was speaking about the industry in general. “Now it’s zeros and ones. So many more people have access and can take it and make money off it or manipulate it or use it to find out who you are and what you are about. It is one of the biggest holes in the cybersecurity infrastructure.”
About 80 percent of large employers are running wellness programs that ask workers to share detailed health information on themselves, and about a third of them require employees to pay additional costs of as much as $1,600 a year for not participating, according to benefits consultant Towers Watson. The data collected can get quite personal, based on interviews with wellness vendors and questionnaires reviewed by Bloomberg News: Do you ever drink and drive? Are you sexually active? What diseases have you been diagnosed with? Are you experiencing stress at home?
Employers and the outside vendors they hire to gather wellness data say the information is kept confidential, often under the same standards that health insurance companies and doctors must follow for storing private health information.
$6 billion industry
Now U.S. regulators have begun challenging the legality of some programs that require additional costs or eliminate discounts for employees who don’t share their information, and employees are pushing back over fears their medical information could be used to discriminate against them or fall into the hands of hackers.
As health-insurance costs have climbed, companies have turned to outside vendors that promise to identify employees most likely to have high medical bills and offer tips and coaching to help them improve their health. That’s created a $6 billion industry with hundreds of companies devoted to offering wellness programs, according to a study by Rand Corp. To identify those high-risk employees, wellness companies say they have to conduct health screenings of a client’s entire workforce.
Employers that use wellness programs say they never see an individual’s health information, which is typically stored with an outside vendor or health-insurance company and protected by the Health Insurance Portability and Accountability Act (HIPAA). Instead, they get aggregated data to help them better understand the health needs of their workforce for planning purposes, said Gretchen Young, a senior vice president of health policy at the ERISA Industry Committee, which lobbies on behalf of the benefits interests of major corporations.
There hasn’t been a major hack of a wellness program’s health information, though breaches of other types of health information have occurred. Since 2009, there have been 1,187 incidents where health information protected by HIPAA was hacked, improperly disclosed, lost or stolen involving more than 41 million individuals, according to reports to the U.S. Department of Health and Human Services. Those cases only include instances where more than 500 records were involved. Matters involving fewer records don’t have to be reported.
One wellness company, StayWell Co., had names, birth dates and contact information hacked earlier this year for more than 14,000 of its clients’ employees. StayWell said one of the vendors it uses was infiltrated, and no health or financial information was stolen. Since then, StayWell said, it has taken extra precautions to protect its information, including increasing mandatory training for employees and third-party vendors and implementing stringent audits of its vendors.
To keep user information safe, StayWell said it uses randomly assigned “participant identification numbers” rather than Social Security numbers and doesn’t collect financial information. It also uses software that scans for vulnerabilities, network and server vulnerability testing, regular audits of its data center, and “the most up-to-date security to ensure participants’ data is protected,” the company said in a statement.
“We take security and privacy really, really seriously,” said David Anderson, co-founder of StayWell. “We comply with all the laws around data privacy and security.”
Health information is a valuable target. Hackers can get $50 for a medical chart on the black market, compared with just a few dollars for other pieces of personal information, said Hancock of Advanced Cybersecurity. He said he’s refused to share his health information with wellness programs at past employers because he isn’t convinced the data are safe.
“The technology isn’t that secure, so you’re trusting people not to use it and be responsible. You just can’t count on any of that,” Hancock said. “Unless you can show who has access and prove it is secure, I’m not signing up.”
Despite the popularity of wellness programs among employers and assurances about their security and confidentiality, more than half of workers said they are hesitant about sharing their health information, and a quarter said they wouldn’t share their data under any circumstances, according to a survey by the Economist Intelligence Unit. More than one-quarter of employees said they were concerned their personal information wouldn’t remain confidential.