How a complex web of businesses turned private health records from GE into a lucrative portrait of patients

It was supposed to be a routine client meeting. Instead, one of GE Healthcare’s largest customers dropped a bombshell: It had taken data GE considered confidential — millions of patient medical records stripped of identifying information — and linked it to a massive trove of insurance claims, vacuuming up financial details tied to the patients’ medical problems, prescriptions, and doctor’s visits.

The revelations by Quintiles, a global drug research company, set off a cascade of concerns within GE, according to a confidential memo obtained by STAT. Executives worried GE was “at risk of privacy violations” and called for an internal legal review. The unsettling part was how precisely the patients were flagged in another dataset, with near perfect accuracy, the memo said.

Although alarming to GE, how its data was used in the summer of 2015 was far from unusual. Beyond the reach of the nation’s health privacy laws, companies are quietly trafficking in Americans’ health data without their knowledge or consent — part of a broad ecosystem that has only grown more vast in recent years. 

Unlock this article by subscribing to STAT+ and enjoy your first 30 days free!

GET STARTED

Log In