theDataMap

Documenting all the places
personal data goes.

healthDataMap


Legend: with your name, without your name.
Click on a circle above for names of organizations and details of data shared.


Analytics companies receive data from statewide discharge data holders, providers, pharmaceutical companies, equipment manufacturers and health insurance companies and give data to providers, pharmaceutical companies, health insurance companies and equipment manufacturers.

Analytics companies do analysis and data mining to investigate the outcomes of health care practices. They usually operate under a business associates arrangement. This allows HIPAA covered providers and health plans to disclose protected health information to these business associates if the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity's duties under the HIPAA Privacy Rule. [source]

Examples

Truven Health Analytics is a private Ann Arbor, Michigan-based company that was formerly Thomson Reuters' health data business. It was acquired by private-equity firm Veritas Capital for $1.25 billion last year. Truven Health Analytics Inc. purchases statewide personal hospital discharge data from at least 11 states: AZ, CA, FL, IL, MD, MA, NJ, NY, PA, TN, WA [source]. The purchased data does not contain the person's name, but it is possible to match some people by name [source].

  

Computer Sciences Corporation had a data breach in 2013, in North Carolina. A thumb drive with information from the Medicare Exclusion Database was placed on a thumb drive. The thumb drive was discovered to be missing from the CSC facilities in Raleigh, North Carolina in early March; it had most likely been lost in late February. The thumb drive contained names, Social Security numbers, federal tax Employer Identification numbers, dates of birth, and other information. [source].

  

Milliman Milliman Inc. is a private Seattle-based actuarial firm that consults with health insurance companies. Sales were $754 million last year. Spokesman Jim Loughman declined to discuss Milliman's use of hospital records, saying the company's data analysis methodology is proprietary. purchases statewide personal hospital discharge data from at least 10 states: AZ, CA, FL, IL, MD, MA, NY, TN, TX, WA [source]. The purchased data does not contain the person's name, but it is possible to match some people by name [source].

  

Impairment Resources, LLC had a data breach in 2012, in California. An office burglary on New Years Eve 2011 resulted in the loss of hardware that contained sensitive personal information. The full names, addresses, Social Security numbers, and medical information of clients were on the hardware. Impairment Resources notified patients in February and then filed for bankruptcy in March. The high cost of handling the breach led directly to the decision to file for bankruptcy. (14000 records involved) [source].

  

Intellimed International is a private Phoenix, Ariz.-based firm whose software helps hospitals analyze patient loyalty to certain physicians, their demographics, and which areas will be beneficial for new facilities. Intellimed International Corp. purchases statewide personal hospital discharge data from at least 7 states: AZ, CA, FL, MD, NY, TX, WA [source]. The purchased data does not contain the person's name, but it is possible to match some people by name [source].

  

Science Applications International Corp. (SAIC) had a data breach in 2007, in California. The Pentagon contractor may have compromised personal information. Information such as names, addresses, birth dates, Social Security numbers and health information about military personnel and their relatives were exposed when the data were not encrypted prior to being transmitted online.UPDATE(5/05/2012): Though 580,000 households were reported, a total of 867,000 people may have been affected. (867,000 records involved) [source].

  

DataBay Resources is a private Warrendale, Penn.-based company whose customers are mainly hospitals that use the data to make decisions such as where to open or close facilities, measure the effectiveness of marketing campaigns, said Executive Director Nicholas Massiello. DataBay Resources purchases statewide personal hospital discharge data from at least 6 states: CA, FL, MA, NY, PA, WA [source]. The purchased data does not contain the person's name, but it is possible to match some people by name [source].

  

TennCare, New Mexico Human Services Department had a data breach in 2010, in Illinois. An employee from a subcontractor company called West Monroe Partners was robbed of a laptop containing information for a Medicaid billing company named DentaQuest. DentaQuest was responsible for dental benefits of the New Mexico Human Services Department and TennCare. Around 21,000 people had their full names and Social Security numbers on the stolen laptop. Approximately 55,000 others had some form of personal information on the laptop. (21,000 records involved) [source].

  

Biomedical Systems Corp had a data breach in 2017, in Missouri. [source]

  

Boeing had a data breach in 2014, in Washington. The information was breached via Network Server. [source]

  

LoopPay had a data breach in 2017, in Massachusetts. Months before its technology became the centerpiece of Samsung’s new mobile payment system, LoopPay, a small Massachusetts subsidiary of the South Korean electronics giant, was the target of a sophisticated attack by a group of government-affiliated Chinese hackers.As early as March, the hackers — alternatively known as the Codoso Group or Sunshock Group by those who track them — had breached the computer network of LoopPay, a start-up in Burlington, Mass., that was acquired by Samsung in February for more than $250 million, according to several people briefed on the still-unfolding investigation, as well as Samsung and LoopPay executives. [source]

  

MongoDB had a data breach in 2017, in New York. [source]

  

Taconic Biosciences Inc. had a data breach in 2017, in New York. Name, address, ssn, and w2 tax info were breached. [source]

  

TIC Gums Inc. had a data breach in 2017, in Maryland. Name, addresses, ssn, w2 tax information compromised in phishing attack. [source]

  
  

(return to health DataMap)



Copyright © 2012-2016 President and Fellows Harvard University.