EU plans allow Big Tech to exploit your medical records, without permission
In May 2022, the European Commission proposed the European Health Data Space (EHDS) in an attempt to improve the ways in which people’s sensitive medical data is made available for various kinds of uses.
That includes the ability for hospitals and physicians to share information about current patients with expert colleagues abroad. For example, it’s supposed to make it easier for a GP in Sweden to receive a digital copy of their Romanian patient’s CT scan results from the radiologist in Romania in order to continue treatment.
The EHDS also proposes to legally compel hospitals or physicians to hand over your medical records to a newly created government agency, which, in turn, can allow access to anyone who claims a research interest. That includes not only academics but also pharmaceutical companies, wellness app startups and even data-harvesting Big Tech corporations like Google and Facebook.
Your medical records include details of physical, mental and sexual health, drug and alcohol history, and any family and work-related problems that you thought you’d disclosed in confidence to your physician only. What’s worse is that the information in medical records is almost impossible to effectively anonymise, meaning it’s relatively easily identifiable as yours.
That is why 75 percent of Europeans said in a recent Ipsos poll that they are only willing to grant researchers access to their medical records if they have been asked for their explicit consent, and that’s what the EHDS should require.
Big Tech is on the move
Without such a consent requirement, Google, for instance, could obtain access to the details of your cancer treatment or the results of your last psychotherapy session to train its new AI for some well-being app. And the outcome of that might feed into the company’s advertising business.
If you don’t like that, you are out of luck: the EHDS does not foresee patients being asked for their permission; it does not even include a right to object to this kind of excessive data sharing.
Your medical records contain information about all aspects of your life. From the moment you were born, through childhood, puberty, and every sick leave, mental challenge, and other health issues you ever had. You should be the one in control of it.
More than a dozen organisations representing patients, medical professionals, persons with disabilities, consumer and digital rights organisations, as well as workers and trade unions have written to members of the EU Parliament, urging them to introduce the consent requirement in the health data proposal. This is crucial for protecting patients’ rights and ensuring that they have control over the use of their private medical records.
Bye bye Hippocratic oath
The EHDS would make physicians and other medical professionals complicit in the forced commercialisation and monetisation of every aspect of your health without ever asking for your consent. It would destroy the Hippocratic oath of confidentiality by which every medical professional is supposed to be bound.
The global tech industry is just waiting for the opportunity to get its hands on Europeans’ medical data. Apple already has an extensive “digital health” offer and, in 2020, Google paid over $2bn [€1.82bn] to acquire health device maker Fitbit in an attempt to enter the health data market.
Google’s acquisition of Fitbit demonstrates the huge monetary value health data has, even to companies who do not contribute to public interest medical research, and why it should never be shared with third parties without your consent.
Not forgetting governments and cyber-criminals
Your medical records are not only of interest to corporations. Once stored in central, state-run data centres as the EHDS proposes, they could just as well be misused by your own government.
In January 2023, Polish police raided a private gynaecologist’s office in the city of Szczecin. The prosecutor claimed that “criminal acts” had been conducted in the form of medical abortions requested by patients. Poland has a de facto ban on abortion. During the raid, medical records dating back as far as 1996 were confiscated.
Just imagine how easy it would be for the Polish government to persecute any woman whose medical records contain the slightest indication that she might consider seeking an abortion, if everybody’s medical data was held in a central database run by that same government.
And there is more: forcing the medical records of millions of people into a centralised database creates an incredibly attractive target for malicious hackers around the world.
With this kind of intimate information, common criminals can extort ransom from you by threatening to expose your medical details. Just last year, a criminal ransomware gang broke into the medical database of a healthcare systems provider in the US and started publishing nude pictures of female breast cancer patients on the internet after the provider refused to pay the ransom.
Medical research is incredibly important and often relies on access to such data to develop new medication and advance our understanding of the human body. But whoever wants to do that research must always ask for your permission to use your data first. Ideally, they should be obliged to release their research results back to the public, so that it can be of maximum common value to us all.
EU lawmakers must therefore amend the EHDS accordingly, so that we can continue to entrust our physicians with the most intimate details of our physical, mental and sexual health.
This article was first published by EUobserver.
Contribution by: Jan Penfrat, Senior Policy Advisor, EDRi & Dr Silke Lüder, Deputy Chair of the Association of Independent Doctors Germany (Freie Ärzteschaft e.V.)