(Bloomberg) — The clinician called a prospective customer who was applying for health insurance to pose a very direct question: Why had she left the names of several medications she was taking off the application she submitted to Aetna? The clinician rattled off the names of the drugs, the dates they were prescribed, and the doctors who had prescribed them.
The woman insisted the information was wrong. She recounted the story to her mom, looking for advice. The mother was shocked and embarrassed. Those prescriptions were hers, designed to treat medical conditions she'd been hiding from her daughter. The secret was out, and the women were forced into an emotional conversation about the mother's ongoing struggles with her health.
The mother eventually filed a complaint with the U.S. Department of Health and Human Services, alleging that Aetna had violated her privacy. A government investigation uncovered the cause of the error: The women's medical records had been mixed up in a database maintained by a supplier to the second-largest U.S. health insurance company.
Bloomberg obtained a copy of the HHS investigation, along with nearly a dozen other cases, through a public information request. The details offer a rare look at how the health care industry's growing reliance on data mining can go awry.
Aetna blamed the mistake on Milliman, a data supplier. In its explanation to the government, Aetna said Milliman described the inaccurate linking of medications as a "very infrequent occurrence" that sometimes happens when pharmacies make mistakes in coding. Jeremy Engdahl-Johnson, a spokesman for Milliman, declined to comment, citing "a longstanding policy not to comment on our work for clients."
Aetna says it no longer uses Milliman's IntelliScript data service or other prescription information for determining an individual's eligibility for insurance, a practice phased out across the health insurance industry as part of President Barack Obama's health care overhaul. Aetna says the company does use prescription databases for setting group rates and assessing risk.
Government documents show that Aetna hired RSA Medical to call patients about discrepancies between IntelliScript results and what patients had disclosed in their applications. The RSA Medical representative who called the daughter did not know or disclose that the medications belonged to the applicant's mother. RSA Medical says it complies with all privacy laws.
Aetna told HHS that the mother and daughter figured out the link on their own. For this reason, the HHS investigation concluded that no privacy rule was broken. In addition, Aetna and Milliman had a business associate agreement that allowed them to share data on applicants, HHS said. HHS's Office for Civil Rights closed the Aetna case without finding any wrongdoing.
Medical data is legally shared with more third parties than many Americans realize, said Ifeoma Ajunwa, an assistant professor of law at the University of the District of Columbia. Sensitive information about a patient's prescriptions and conditions can bounce from one company to the next as part of routine billing or administrative processes. "A major concern with prescription databases is that they provide ample opportunities for invasions of privacy," Ajunwa said. They are also prone to mistakes.
While the mother-daughter mix-up occurred in 2008, insurance companies' appetite for patient information has increased substantially since then. The medical-data industry is projected to surpass $10 billion by 2020, according to McKinsey & Co. A major driver of that growth is Obamacare. The Affordable Care Act made it illegal for health insurers to reject applicants based on preexisting conditions, but they still use prescription data to set group rates, identify high-risk patients, and decide on corporate budgets. Life insurance companies remain free to use the data to turn away sick people and set higher premiums.
Obamacare penalizes health care providers that don't shift to electronic records, and it funds statewide exchanges to share the records. The goal is that digitization will eventually allow patient information to quickly synchronize between pharmacies, doctors' offices, hospitals, and data suppliers, so that a person who normally picks up a medication in San Francisco could get the needed drug if she were to become comatose in a Los Angeles emergency room.
However, the emergence of shared medical records makes errors all the more dangerous because they can propagate more easily between providers. Bloomberg reported in 2013 on an 84- year-old woman whose family blames her death at an Abington, Penn., hospital on problems with her electronic health record, which inexplicably dropped a critical heart medication after she was admitted. Scot Silverstein, the woman's son, filed a lawsuit against Abington Memorial Hospital, which is still pending. The hospital, which is fighting the allegations, declined to comment.