Artificial Intelligence

Artificial intelligence could identify you and your health history from your step tracker

Manufacturers say data stripped of identifying information is no privacy risk. But we found AI can overcome that. Time to update health privacy laws.

Anil Aswani and Yoshimi Fukuoka
Opinion contributors

Recent revelations about how social media giants misuse our personal data for profit have elevated the issue of privacy among Americans, but what if this data also included our personal health records? Every day, millions of Americans use Fitbits and other personal activity trackers, often at the prompting of employers who provide incentives to wear the devices.

But as these individuals’ data profiles are shared — with their companies, as well as with health care providers that oversee corporate wellness programs — there is significant risk that the data could later be used to identify who they are and link their identities to detailed medical profiles that can be bought by companies, researchers, or anyone else.

Activity-tracking device manufacturers have long maintained that sharing data stripped of identifying information poses no privacy risks. But with funding from the University of California-Berkeley Center for Long-Term Cybersecurity, we demonstrated that by using artificial intelligence, it is possible to identify individuals by learning daily patterns in footstep data (like that collected by activity trackers, smartwatches and smartphones) and correlating those patterns with demographic data. This information could, in theory, also be used to match individuals with medical records that are widely shared for research purposes.

Imagine a woman who is asked by her employer to participate in a wellness program in exchange for a discount on her health insurance premiums. The program requires her to carry a Fitbit, which tracks how many steps she walks per day. This data is periodically sent to both her employer and her Accountable Care Organization, which has a database that includes the woman’s demographic data and her complete health records.

If the ACO later releases the woman’s medical profiles as part of an anonymized data set (a common practice), the recipients of that data could, in theory, use artificial intelligence to match the woman’s activity profile to medical records, potentially revealing whether she is, for example, sick or pregnant. That’s information that her employer could potentially use as the basis for termination.

Law on sharing health data is 20 years old

To fix this loophole, policymakers need to update the Health Insurance Portability and Accountability Act, which was passed in 1996 to govern how health data can be shared. HIPAA currently allows sharing of health data as long as patient identities cannot be deduced. However, HIPAA was enacted more than 20 years ago — long before our modern era of artificial intelligence.

This law should now be reconsidered in light of all the potential ways that a new generation of artificial intelligence algorithms can determine individuals’ personal identities from supposedly “anonymized” health data. Our study focused on step data, but artificial intelligence could be used to link a variety of health data sources under the current rules.

Artificial intelligence: a new threat to our privacy

HIPAA should also be expanded to apply to organizations that obtain health data, including data clearinghouses and tech companies that purchase anonymized data from health companies. A company that purchases health data and uses AI to determine patient identities may be tempted to use such information to send targeted advertisements or even sell the data to other companies. Meanwhile, requiring companies that originally share the medical data to aggregate patient data could also help protect individuals’ identities from being discovered.

Artificial intelligence is advancing so rapidly that regulations under laws like HIPAA — once considered to provide strong protections to patients — need to be updated now that data can be aggregated and analyzed through artificial intelligence. Research has shown that it is possible to identify individuals based on data about their past behaviors — including their online searches and movie reviews. In the future, without strong protections for consumers, it may become impossible for individuals who do anything online to escape the data dragnet.

Anil Aswani is an assistant professor in Industrial Engineering and Operations Research at the University of California-Berkeley. Yoshimi Fukuoka is a professor in the School of Nursing at the University of California-San Francisco.

 
