Two years after approving it, the 28-member European Union will begin enforcing its General Data Protection Regulation (GDPR) — a tough new law that aims to protect the EU’s 512 million citizens, including rare disease patients, from having their medical records misused, sold, or subject to extortion by hackers, third parties or unscrupulous doctors.
The GDPR, which takes effect on Friday, May 25, follows several major hacking scandals that exposed the private records of millions of patients from India to Norway to the United States. Its enforcement is particularly relevant for rare disease advocacy groups that run patient registries.
And it’s not just European groups or companies that need to be concerned. Any healthcare organization — including those based in the United States — that targets or collects data belonging to patients from any EU-member nation is subject to the regulation, which requires all companies to gain “explicit consent” to collect such data.
“We as patients get more rights, but doctors have more regulations, and there are serious penalties,” said Sarunas Narbutas, president of the Lithuanian Cancer Patients Coalition. “The way you used to do it won’t work any longer. If you’re a doctor or a manager of a hospital, take it seriously … because it’s not just you, but a reputational risk that could spill over. You need to set your safety standards much higher.”
Narbutas was one of four experts to discuss the GDPR and its implications at a May 11 panel during the recent 9th European Conference on Rare Diseases & Orphan Products in Vienna.
Under the GDPR, he noted, fines for security breaches can range up to €20 million ($23.5 million) or 4 percent of a company’s annual revenues, whichever is greater.
Among recent abuses, a diagnostic lab in India was hacked in late 2016, leading to the leak of confidential details on 35,000 patients — including the results of HIV tests. In Norway, cybercriminals exposed the medical records of 2.9 million citizens, nearly half the country’s population, in a massive security breach earlier this year.
Potential fines in the billions?
In yet another glaring example, the unencrypted recordings of discussions from 2009 to 2015 between doctors and patients at Lister Hospital in Hertfordshire, England — regarding fertility treatments — were sent to an audio transcription service in India. These confidential discussions later ended up online and public.
HCA Healthcare UK eventually incurred a fine of £200,000 (about $268,000). But since the hospital is a subsidiary of Nashville-based HCA Healthcare, with 2016 revenues of $41.5 billion, under the GDPR the company could have faced a potential fine of $1.6 billion.
“We’re not saying in any way that doctors are bad or want to willfully misuse data. But sometimes they unwittingly break the law,” said Petra Wilson, director of Health Connect Partners UK. “Once the GDPR comes into effect, you as a doctor have a duty to inform the patient about what data you’re collecting, why you’re collecting it, and who you’re going to share it with. And as a patient, you have the right to access your information, correct it and — in some cases — delete it.”
Wilson noted that rare disease patients often know a lot more about their conditions than do the people treating them.
“If I’m a doctor running a hospital or a clinic, I now have a legal duty to operate state-of-the-art security. That means I’ve got to trust the people I’m buying the software from that it is secure, and I need to reassure my patient about that,” she said. “If I get it wrong and there’s a major data breach, the fines are significant.
“We must do everything we can to maintain a patient’s trust so we can continue to collect data.”
Current rules ‘clearly not enough’
Even if patients don’t sign a consent form, their medical records may still be shared, Wilson said.
“Consent is only one of the six legal bases for sharing sensitive health data,” she said. “You can share data if you are a healthcare professional for purposes of treating that patient. You also don’t need consent if you have a public health interest, or a vital interest. But ethically, if we want to nurture the trust of patients, asking consent is a good thing.”
In the U.S. alone, more than 5.5 million patient records were breached last year in 477 incidents, according to Protenus Breach Barometer in Baltimore. Insider wrongdoing accounts for 37 percent of such incidents, said the company, while business associates and third-party access to health data were also major sources of security breaches in the healthcare industry.
Experts at the Vienna meeting said it’s no longer enough to prove that a patient signed up for and agreed to a specific procedure; doctors now must prove that the patient understood what was going on.
“We already have lots of rules and regulations, but clearly it’s not enough. Sometimes, things go terribly wrong,” said Marc Hanauer, chief technology officer at Orphanet, a Paris-based internet portal for rare diseases and orphan drugs.
“We use IT tools and social networks for our needs and concerns, but people constantly share health data without noticing how much they share and to whom,” he said. “People are sharing too much on Facebook — their kids’ pictures at hospitals and lab results online with the name of the clinic.”
Rare diseases and data sharing
In a widely publicized case last year, unknown hackers broke into the servers of a Lithuanian plastic surgery clinic. They stole more than 25,000 private, intimate “before and after” photos — along with personal data such as home addresses, emails and phone numbers — of British, German, Danish and Norwegian patients.
Victims were told to pay up to €2,000 ($2,400) to prevent nude images, passport copies, social security numbers, and other data from being made public, said Marius Parescius, CEO of Lithuania’s International Security Cluster. Three people were eventually caught, he added, including a surgeon who had previously worked at that clinic.
Despite the risks, studies show that rare disease patients widely support data sharing.
Sandra Courbier, senior manager at the Eurordis Rare Barometer Programme, said that in a recent survey of 3,212 such patients from 63 countries, 37 percent of respondents had already participated in a research study. Of those, 18 percent said they had participated in research to develop treatments and therapies.
“Rare disease patients expressed privacy and confidentiality concerns,” Courbier said. “They are looking for safeguards to minimize risks. But in the end, there is a broad consensus that the benefits of data sharing are always higher than the risks.”
Several advocacy organizations maintain patient registries, including Parent Project Muscular Dystrophy (for Duchenne muscular dystrophy); the ALS Association (for amyotrophic lateral sclerosis); TREAT-NMD Neuromuscular network (for spinal muscular atrophy); the Cystic Fibrosis Foundation (for cystic fibrosis); the Pulmonary Hypertension Association (for pulmonary hypertension); and the Pulmonary Fibrosis Foundation (for pulmonary fibrosis).