Medical privacy and breaches of personal health information (PHI) has been a hot topic for several years. For the clinical trial industry, the main concerns are decline in recruitment resulting from lack of confidence in data handling and instances of breaches that affect data integrity that adversely affect NDA and MA applications in major markets, which precipitates administrative action taken by national regulators in response to local incidents. European legislators rely extensively on administrative measures implemented by national competent authorities. Although specific and detailed EU-level legislation exists, specific information about data breaches, cases and incidents, volume and type of affected data, root causes and analysis of consequences is largely missing. According to Howard and Gulyas (2014), this lack of organized event records is currently an empirical obstacle but provides opportunity to generate new knowledge about data and privacy protection that could bolster future trial recruitment. In the U.S., summary details of breaches that involved more than 500 individuals are available at the OCR portal called Wall of Shame for everyone to analyze. Disclosure obligations in HIPAA made the problem of data breaches in healthcare obvious and protection of the privacy of patients has been an important part of physicians’ code of conduct. This offers lessons learned to mitigate systemic vulnerabilities that undermine trial participation.

1. Why merging medical records, hospital reports, and clinical trial data is a very bad idea.
Published 24 Sep 2017 at Flaskdata.io
Medical privacy and breaches of personal health information (PHI) has been a hot topic for several
years. For the clinical trial industry, the main concerns are decline in recruitment resulting from lack
of confidence in data handling and instances of breaches that affect data integrity that adversely
affect NDA and MA applications in major markets, which precipitates administrative action taken by
national regulators in response to local incidents.
European legislators rely extensively on administrative measures implemented by national
competent authorities. Although specific and detailed EU-level legislation exists, specific information
about data breaches, cases and incidents, volume and type of affected data, root causes and
analysis of consequences is largely missing. According to Howard and Gulyas (2014), this lack of
organized event records is currently an empirical obstacle but provides opportunity to generate new
knowledge about data and privacy protection that could bolster future trial recruitment.
In the U.S., summary details of breaches that involved more than 500 individuals are available at the
OCR portal called Wall of Shame for everyone to analyze. Disclosure obligations in HIPAA made the
problem of data breaches in healthcare obvious and protection of the privacy of patients has been an
important part of physicians’ code of conduct. This offers lessons learned to mitigate systemic
vulnerabilities that undermine trial participation.
New EU legislation on data privacy, including PHI, is very thorough and detailed. The regulation
provides for numerous exceptions for handling PHI for variety of legitimate purposes including
scientific research. Important objectives of public interest including public health research
override data subject’s rights, including the right to be forgotten. Recognized risks to data subjects
include discrimination, identity theft or fraud, financial loss, damage to reputation, loss of
confidentiality and economic or social disadvantage. Appropriate measures against unauthorized
disclosure, theft or loss of data shall include organizational measures, certification, secrecy clauses
in contracts, codes of conduct, design of applications, and data pseudonymization and encryption.
Processing of high-risk data also requires impact assessment. Data breaches are reportable to
national supervisory authorities. Only high-risk data breaches are subject to notification to the data
subjects. Breach of personal data may result in high administrative fines for the controllers and/or
processors as well as liability for material and non-material damage caused to data subjects. The
regulation makes no mention of a pan-European registry of personal data breaches. To ensure
consistency of enforcement across the 28 EU Member States, the European Data Protection Board
shall maintain a registry of decisions of national supervisory authorities and court rulings in data
privacy matters.
Scientific research, specifically clinical trial data, is subject to yet another set of rules. In 2014, the
European Medicines Agency (EMA) developed Policy 0070 on publication of clinical trial data. The
policy covers both clinical reports and individual patient data, submitted under the centralized
marketing authorization procedure or as part of Article 58 procedure (Reg. 726/2004), including
extension of indication and line extension. In addition, the policy covers data submitted by a third
party in the context of Market Authorization Application or post-authorization procedure or as
additional clinical data for scientific assessment. To access the database, users can choose from two
options: general information and other non-commercial purposes and academic and non-commercial
research purposes. The user has to promise that he or she will not download, save, edit, photograph,
print, distribute or transfer the clinical reports, and will not seek to re-identify the trial subjects or other
individuals from the Clinical Reports in breach of applicable privacy laws.

2. Although it may not be self-evident from reports available in Europe, experiences from the other side
of the Atlantic show that exploitation of medical data for nefarious purposes is on the increase. Value
of medical records on the black market is 60 times higher than credit card data. Cybercriminals are
increasingly using stolen medical records for healthcare fraud, identity theft or fraudulent tax returns.
Medical data typically include many details such as family and employment history, next of kin,
addresses and phone numbers. Medical identity theft and record tampering can be life threatening.
What makes the situation even worse is limited ability of health data controllers and processors to
detect data breaches in real time. According to Verizon report, two thirds of healthcare data breaches
go undiscovered for months or even years. The Verizon Enterprise Solutions’ inaugural Protect
Health Information (PHI) Data Breach Report found more than 392 million medical records were
disclosed during 1,931 data breaches over a 20 year period across many market sectors and
businesses worldwide.
In 2012, a well-publicized UK breach caused concerns over insecure transfers and processing of
medical records by a consulting firm using Google BigQuery. The dataset in question contained all
three areas of collection (inpatient, outpatient and A&E) and the system was able to provide detailed
analysis including linking the data to Google maps. The incident called into question NHS care.data
initiative despite reassurances that the data shared for research purposes were anonymized.
The re-use of medical records for public health research is encouraged in the new data privacy law,
explicit consent of data subjects is not required. The EUROREC Institute (EuroRec), a not-for-profit
organization, that promotes the use of high quality Electronic Health Record systems (EHRs),
published on its webpage a series of papers on the enhancements allowed by technological platform
EHR4CR. According to HRS (1999), consent requirement to access medical records for
observational studies does indeed lower trial participation.
In 2014, RAND Europe completed a pan-European survey of 26,000 EU citizens to explore their
views on data privacy and security. The respondents were presented with choices in real-life
scenario of health data storage on a device that would provide access to specified categories of
medical and fire and rescue personnel. In general, respondents preferred to store only basic health
status, identification, and lifelong health conditions, but not other health conditions and medical
history. The overall pattern is that respondents would restrict access to medical personnel only and
would not share their data with insurers, academic research companies, and pharmaceutical
industry.
According to Verizon report, people are withholding information – including critical information – from
their healthcare providers because they are concerned that there could be a confidentiality breach of
their records.
UK attitude to health data mining is different, however. NHS European Office facilitates a joint
response between NHS England, the Health and Social Care Information Centre, Public Health
England and the Department of Health, to discuss how proposals to revise the EU law on data
protection could have a significant impact on information governance and management processes in
the NHS. In the UK, the public is increasingly aware of the risks of identity theft and the need for data
security. Electronic systems make confidential data more easily and rapidly accessible to a wider
circle of recipients than paper systems, with greater potential for breaches of confidentiality.
Along with health data breaches, another concern emerged. Experts have pointed out vulnerability of
medical devices such as insulin pumps, defibrillators and pacemakers to hacking, with potentially
fatal consequences for the patient. In 2013, concerns over medical device security led to disabling of
wireless features of Dick Cheney’s pacemaker. In Europe, medical devices are governed by the
Medical Device Directive and medical devices guideline (MEDDEV). The MEDDEV defines the

3. concepts of input data (“any data provided to software in order to obtain output data after
computation of this data“) and output data (“any data produced by a software“) embedded in the new
definition of software. In July 2016, the EC issued additional guidance on qualification and
classification of standalone software used in healthcare settings (MEDDEV 2.1/6). Unpatched
software in medical devices is an important vulnerability that needs to be taken into account during
data collection.
Eastern Europe has its specific challenges when it comes to handling medical records. The systems
are highly centralized, and clinical trial data are often merged with other medical and administrative
information. Totalitarian past, history of politically motivated murders (Bozovic/Loncar, Serbia),
liberally used forced isolation of patients (tuberculosis, psychiatry) or their criminalization (STDs,
substance abuse), poor organizational management practices and minimum accountability for errors,
in combination with outdated equipment and paternalistic approach to patients, make this region
especially vulnerable to exploitation of medical records for illicit purposes. Most importantly, this
troubled local history profoundly affects patients’ trust and willingness to participate in clinical
trials.
Healthcare records are ideal source of information about vulnerable persons for victim profiling and
consequent exploitation by organized crime. The region is a notorious source of sex workers and for-
profit organ donors. In 2013, court in Kosovo found two of the seven defendants guilty of running an
organ trafficking ring. In December 2016, Kosovo's Supreme Court ordered a retrial of doctors and
officials who were previously convicted of involvement in dozens of illegal kidney transplants, to great
disappointment of the European police and justice mission in Kosovo (EULEX) that helped the
Balkan country develop its justice system.
In 1993, the American Psychiatric Association stated that the actions of Bosnian Serb leader "Dr.
Karadzic as a political leader constitute a profound betrayal of the deeply human values of medicine
and psychiatry," and castigated him as "accountable for the policy of ethnic cleansing, organized
rape, mass murder, and the establishment of concentration camps." Disturbing suggestions have
emerged that Karadzic deliberately used his psychiatric training to create military and political
policies that would create fear, terror and extensive posttraumatic stress disorder in civilian
populations (Dekleva and Post, 1997).
Patients’ trust in data management systems and confidence that the data will not be shared
inappropriately is essential to their willingness to participate and to meeting enrollment targets.
Newest developments suggest that the worst is yet to come: three weeks ago, ISIS-linked hackers
going by the name of Tunisian Fallaga Team have attacked and defaced several NHS websites. The
hackers replaced legitimate web pages with graphic photos of the war in Syria. Even if no patient
data is compromised, such incidents have profound impact on public confidence when they occur.
Centralization of healthcare information systems, digitalization, merging previously disparate and
compartmented data pools, and combination of clinical trial data with inpatient, outpatient, A&E and
administrative records in interconnected databases, increases substantially the value of such records
to any threat actors. Vulnerability assessments of information systems need to take into account all
human-machine interfaces, user behavior, awareness and training, and breach detection
mechanisms, as well as historical experience and its impact on patients’ trust and consequently
recruitment of subjects in clinical trials. Opportunity for exploitation increases exponentially with
number of individuals having legitimate access to any one of these interconnected compartments, as
well as number of entities involved in access control. Essential data integrity and security in high-risk
regions is best realized though closed data collection systems, disconnected from all other hospital
information systems that minimize opportunity for improvisation, creative or unauthorized use and
human error.