The use of wearable activity trackers has exploded in recent years, driven in part by their role in corporate wellness and fitness programs that incentivize healthy behavior.
While public concerns have arisen about the availability and use of social media data, genomics information and family history, not as much has been made of the kinds of data collected by activity trackers like Fitbit or the Apple Watch.
Device makers have long said that this information has been scrubbed of identifying markers. But, as it turns out, this physical activity data can still be linked to an individual, and potentially their private medical information.
Researchers successfully used AI analysis tools to re-identify people using their activity tracker data by learning their daily footstep patterns and tying that info to demographic information, according to a recent study published in JAMA.
“Through my research in personalized chronic disease intervention and through discussions with various folks, we found there’s an unclear question around this physical activity data and concerns on whether it’s safe to share or not,” one of the study’s authors, UC Berkeley Professor Anil Aswani, said in a phone interview.
The researchers laid out a scenario in which an employee participates in a corporate wellness program as part of a way to defray healthcare costs. The program, which uses a wearable device to measure exercise and activity levels, sends that data to the company and the person’s managed care organization.
If the healthcare organization releases that data as part of an anonymized dataset with the person’s medical records, it’s possible to use machine learning techniques to work backwards and figure out the person’s identity and health status. The company could then make employment or career decisions based on ostensibly confidential medical info.
Using 20-minute-level activity data, along with demographic information like age, sex, income, educational attainment and race, the researchers were able to re-identify around 80 percent of children and 95 percent of adults in their dataset.
Aswani said another potential scenario could be a technology company like Facebook or Google collecting activity data as part of a research project then combining existing data resources – including purchased medical records – to tie a person to their health records and sell that information to advertisers, researchers or other companies.
Aswani said that a corporate wellness program should not need super detailed activity data: aggregated information over a population serves the purpose of setting insurance premiums while providing stronger protections for individual people. In the field of academic research, there exist review boards that keep an eye on potential ethical or privacy considerations.
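A release-side check of the risk and the mitigation described above, as an added example that is not from the study or this article: it measures how many records in a constructed dataset are unique on demographics plus slot-level step counts, repeats the measurement on a coarsened daily total, and builds a population aggregate with small groups suppressed. The record layout, bucket sizes and the threshold `k` are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample release, not data from the study:
# (age band, sex, step counts for four consecutive 20-minute slots)
RECORDS = [
    ("30-39", "F", (0, 120, 900, 40)),
    ("30-39", "F", (0, 100, 950, 60)),
    ("30-39", "F", (500, 0, 0, 600)),
    ("30-39", "M", (0, 120, 900, 40)),
    ("30-39", "M", (300, 300, 300, 200)),
    ("40-49", "F", (0, 0, 1000, 0)),
    ("40-49", "F", (250, 250, 250, 300)),
    ("40-49", "M", (10, 20, 30, 40)),
]

def fine_key(rec, bucket=50):
    """Quasi-identifier for a detailed release: demographics + per-slot steps."""
    age, sex, steps = rec
    return (age, sex, tuple(s // bucket for s in steps))

def coarse_key(rec, width=500):
    """Quasi-identifier for a coarsened release: demographics + daily total band."""
    age, sex, steps = rec
    return (age, sex, sum(steps) // width)

def unique_fraction(records, key):
    """Share of records whose quasi-identifier matches no other record (k = 1)."""
    counts = Counter(key(r) for r in records)
    return sum(counts[key(r)] == 1 for r in records) / len(records)

def aggregate_release(records, k=2):
    """Mean daily steps per demographic group; groups smaller than k are suppressed."""
    groups = defaultdict(list)
    for age, sex, steps in records:
        groups[(age, sex)].append(sum(steps))
    return {g: sum(t) / len(t) for g, t in groups.items() if len(t) >= k}

if __name__ == "__main__":
    print("unique, slot-level release:", unique_fraction(RECORDS, fine_key))
    print("unique, daily-band release:", unique_fraction(RECORDS, coarse_key))
    print("population aggregate:", aggregate_release(RECORDS))
```

A record that stays unique after coarsening, like the lone 40-49 M entry here, is the one an aggregate release has to suppress rather than publish.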
“The bigger risks are with larger companies, which have inconsistent review policies that are not as rigorous as what’s in place at universities,” Aswani said. “There’s also the risk that Facebook, for example, sells that info or it leaks and others can use the information to deny mortgages or college admissions.”
Risk factors will grow with the growing availability of remote monitoring and patient-generated activity data, and the potential for cyber-attacks and security lapses.
This type of research is not particularly new and the study cited similar re-identification efforts using data ranging from genetic data to movie rating data. In one well-publicized case, researchers found that location data from activity trackers could be used to pinpoint the location of U.S. military bases.
Aswani – who admits to having a fitness tracker himself – said the problem is not that these devices exist, but that the existing privacy framework is not currently equipped to deal with the new types of data being produced, collected and analyzed.
Among the potential reforms to HIPAA pitched by Aswani are expanding requirements past just healthcare organizations and to the new host of companies buying and selling healthcare data, including data clearinghouses and tech firms.
Additionally, he said that HIPAA could be improved by expanding the category of information that the 20-year-old law recognizes as identifying and creating stronger oversight of the judgement of firms who say their technology is non-identifiable.
In a follow-up editorial written in response to the activity tracker study, Harvard Medical School Professor Thomas McCoy and Tufts University Professor Michael Hughes stressed the need for further technological and research advancements to uphold medicine’s core promises of privacy and confidentiality.
“As digital records enable infinite perfect duplicates, reidentification is a threat that outlives the patient, and over that potentially infinite time scale includes the risk of joining to many data sets, using many computational methods, that could not have been foreseen at the time of initial data collection or release,” the editorial authors wrote.