(Bloomberg) — Wendy Schobert got a sinking feeling in her stomach the day a local health clinic showed up at her office to collect detailed medical information on her and her co-workers as part of the company’s new wellness program.
If she didn’t participate she’d have to pay the full cost of her insurance — $5,000 a year. Even so, Schobert said she feared her health data wouldn’t be kept confidential, so she accepted the extra insurance cost and opted out.
“There is nothing I was hiding about my health other than that it is none of your business,” said Schobert, who filed a complaint against her former employer, Orion Energy Systems Inc., with the U.S. Equal Employment Opportunity Commission (EEOC). “My health information is between myself and my doctor.”
Schobert’s fears are well founded, security analysts say. The recent hack of Sony Corp. — in which health information on more than three dozen employees was stolen from the company’s servers — is highlighting the amount of medical data proliferating outside of doctor’s offices in electronic form, and how vulnerable the records are to theft. Corporate wellness programs have become one of the biggest areas where health data is being collected, with hundreds of vendors amassing millions of pieces of intimate and potentially embarrassing health information on American workers.
“Thirty years ago, our medical records were in a file cabinet behind a door and they were harder to get to,” said Geoff Hancock, chief executive officer at Advanced Cybersecurity Group, who works with employers to protect their health data and other sensitive information from hackers. He was speaking about the industry in general. “Now it’s zeros and ones. So many more people have access and can take it and make money off it or manipulate it or use it to find out who you are and what you are about. It is one of the biggest holes in the cybersecurity infrastructure.”
About 80 percent of large employers are running wellness programs that ask workers to share detailed health information on themselves, and about a third of them require employees to pay additional costs of as much as $1,600 a year for not participating, according to benefits consultant Towers Watson. The data collected can get quite personal, based on interviews with wellness vendors and questionnaires reviewed by Bloomberg News: Do you ever drink and drive? Are you sexually active? What diseases have you been diagnosed with? Are you experiencing stress at home?
Employers and the outside vendors they hire to gather wellness data say the information is kept confidential, often under the same standards that health insurance companies and doctors must follow for storing private health information.
$6 billion industry
Now U.S. regulators have begun challenging the legality of some programs that require additional costs or eliminate discounts for employees who don’t share their information, and employees are pushing back over fears their medical information could be used to discriminate against them or fall into the hands of hackers.
As health-insurance costs have climbed, companies have turned to outside vendors that promise to identify employees most likely to have high medical bills and offer tips and coaching to help them improve their health. That’s created a $6 billion industry with hundreds of companies devoted to offering wellness programs, according to a study by Rand Corp. To identify those high-risk employees, wellness companies say they have to conduct health screenings of a client’s entire workforce.
Employers that use wellness programs say they never see an individual’s health information, which is typically stored with an outside vendor or health-insurance company and protected by the Health Insurance Portability and Accountability Act (HIPAA). Instead, they get aggregated data to help them better understand the health needs of their workforce for planning purposes, said Gretchen Young, a senior vice president of health policy at the ERISA Industry Committee, which lobbies on behalf of the benefits interests of major corporations.
There hasn’t been a major hack of a wellness program’s health information, though breaches of other types of health information have occurred. Since 2009, there have been 1,187 incidents where health information protected by HIPAA was hacked, improperly disclosed, lost or stolen involving more than 41 million individuals, according to reports to the U.S. Department of Health and Human Services. Those cases only include instances where more than 500 records were involved. Matters involving fewer records don’t have to be reported.
One wellness company, StayWell Co., had names, birth dates and contact information hacked earlier this year for more than 14,000 of its clients’ employees. StayWell said one of the vendors it uses was infiltrated, and no health or financial information was stolen. Since then, StayWell said, it has taken extra precautions to protect its information, including increasing mandatory training for employees and third-party vendors and implementing stringent audits of its vendors.
To keep user information safe, StayWell said it uses randomly assigned “participant identification numbers” rather than Social Security numbers and doesn’t collect financial information. It also uses vulnerability-scanning software, network and server vulnerability testing, regular audits of its data center, and “the most up-to-date security to ensure participants’ data is protected,” the company said in a statement.
“We take security and privacy really, really seriously,” said David Anderson, co-founder of StayWell. “We comply with all the laws around data privacy and security.”
Health information is a valuable target. Hackers can get $50 for a medical chart on the black market, compared with just a few dollars for other pieces of personal information, said Hancock of Advanced Cybersecurity. He said he’s refused to share his health information with wellness programs at past employers because he isn’t convinced the data are safe.
“The technology isn’t that secure, so you’re trusting people not to use it and be responsible. You just can’t count on any of that,” Hancock said. “Unless you can show who has access and prove it is secure, I’m not signing up.”
Despite the popularity of wellness programs among employers and assurances about their security and confidentiality, more than half of workers said they are hesitant about sharing their health information, and a quarter said they wouldn’t share their data under any circumstances, according to a survey by the Economist Intelligence Unit. More than one-quarter of employees said they were concerned their personal information wouldn’t remain confidential.
Schobert said her concerns about the privacy of her medical data cost her more than a hefty insurance premium. When she declined to participate in the wellness program’s health screening, she said management called her into a meeting to “quash any potential attitude of hers,” according to legal filings recounting her experience. A month later, she was fired in retaliation for her decision, the filings said. She was out of work for more than a year.
The EEOC sued Orion on her behalf in August, alleging the company violated federal law by requiring its employees to disclose health information that wasn’t job-related and firing Schobert when she objected.
Orion denies it fired Schobert because she didn’t participate in the wellness program, according to a legal filing. The company didn’t say in its legal filings why Schobert was fired.
In addition to a health survey, 76 percent of companies with more than 1,000 employees ask workers to give a blood sample to test for certain conditions, like high cholesterol or blood sugar, according to Towers Watson. At Honeywell International Inc., employees’ blood is tested for the presence of nicotine, high cholesterol and irregular blood sugar, and their height and weight are recorded. Honeywell also asks employees’ spouses to disclose such information if they are on the company’s insurance plan.
At pharmacy chain CVS Health Corp., employees were asked on a health questionnaire whether they drink and are sexually active, according to legal filings by a cashier suing the company over its program. CVS said in a statement that it has since removed those questions based on feedback from employees.
Johnson & Johnson’s wellness program, which is run by a third-party vendor, asks questions about employees’ moods, stress at work and home, and job demands in addition to collecting data on their height, weight and eating and exercising habits, said Fik Isaac, J&J’s vice president of global health services.
Some of J&J’s wellness records are stored outside of the company.
“We conduct regular auditing of our partners and service providers to ensure their systems are secure and protect the privacy and information of our employees,” J&J said in a statement. “Johnson & Johnson adopts and enforces very strict policies and controls related to access to health information and ensures privacy protection in each and every process and program dealing with such information.”
Declining to participate in wellness programs can be expensive. J&J employees who don’t take part are ineligible for a $500 discount on health insurance, and CVS makes workers pay $600 more a year in insurance costs. Honeywell imposes a $500 surcharge on employees and their spouses, and employees who don’t participate miss out on as much as $1,500 deposited in their health savings accounts.
The EEOC asked a U.S. district judge in October for a temporary restraining order preventing Honeywell from imposing additional costs on employees who didn’t participate. In the EEOC’s motion, it argued that the medical testing isn’t considered voluntary, making it a violation of the Americans with Disabilities Act. While a judge denied that request, the agency said it continues to investigate complaints filed by Honeywell employees. The EEOC is handling most of its lawsuits over wellness programs from its Chicago office.
“Employers certainly may have voluntary wellness programs — there’s no dispute about that — and many see such programs as a positive development,” said John Hendrickson, regional attorney for the EEOC Chicago district, in a statement. “But they have to actually be voluntary. They can’t compel participation by imposing enormous penalties such as shifting 100 percent of the premium cost for health benefits onto the back of the employee or by just firing the employee who chooses not to participate.”
Honeywell never sees the results of the blood screening, which are stored with a third-party wellness vendor, and all the information is protected by federal privacy laws, said Kevin Covert, Honeywell’s deputy general counsel for human resources. The company started imposing a surcharge on those who didn’t take part so more workers would share their information; participation went from 36 percent when the company just paid a bonus to more than 75 percent once workers not participating had to pay more in health costs, said Covert.
“I understand there is a certain element that believes this is a Big Brother type of thing, but the law is very clear on what we can and can’t do and what we can and can’t see, and we follow the law very scrupulously,” Covert said.
Adding a financial incentive also got employees at J&J to undergo a health screening. Before the company started giving a $500 a year discount on insurance premiums, participation in its wellness program was about 25 percent. It’s now at 80 percent.
Wellness programs benefit companies’ bottom lines through reductions in missed days of work and more productive workers, said Young, of the ERISA Industry Committee.
“Employers have wellness programs because employees like it, they are healthier, and it has a positive effect on absenteeism rates and has helped employers with their bottom lines,” Young said. “They wouldn’t do it unless they felt it was worth the money.”