Even worse, half of all US states leave enough information in the records that YOU can be clearly identified. Action Alert!

Hospitals and other medical organizations are supposed to be bound by HIPAA (the Health Insurance Portability and Accountability Act) to keep medical records private. Patient information that is shared is supposed to be stripped of key identifying information (this is known as the Safe Harbor rule). However, HIPAA and other privacy legislation is riddled with loopholes—so many that it has been estimated that over 800,000 organizations can access your records.

Here is one big, fat loophole: state public health agencies are exempt from Safe Harbor rules when they sell private medical records as part of a health database. When this medical data is cross-referenced with other public information (such as news reports and other databases), it can reveal your identity.

Many states in the US voluntarily follow HIPAA guidelines when sharing electronic medical records, but at least twenty-five states leave some combination of identifying information that makes it possible for whoever buys the data to pinpoint anyone’s personal medical record—and then make it public. Records in Washington, New York, New Jersey, Tennessee, and Arizona were particularly vulnerable, according to records reviewed by Bloomberg News and Latanya Sweeney, director of Harvard University’s Data Privacy Lab.
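The re-identification risk described above comes from the combination of fields left in a record, not from any one of them. The following added example (not code from the article, Bloomberg, or the Data Privacy Lab; the field names and records are constructed) measures that risk the way a data custodian would before releasing a file: it computes the k-anonymity of the release over its quasi-identifiers, lists the records a linkage with an outside dataset could single out, and shows how two Safe Harbor-style generalizations change the result.

```python
"""Added example: k-anonymity check over quasi-identifiers in a
'de-identified' hospital discharge extract. Records are constructed."""
from collections import Counter

# Constructed sample: names are gone, but full ZIP, full birth date, sex and
# admission date remain, the combination the article says states leave in.
RECORDS = [
    {"zip": "98101", "dob": "1961-03-14", "sex": "F", "admit": "2012-07-03", "dx": "asthma"},
    {"zip": "98101", "dob": "1961-03-14", "sex": "F", "admit": "2012-09-11", "dx": "fracture"},
    {"zip": "98104", "dob": "1975-11-02", "sex": "M", "admit": "2012-07-03", "dx": "cardiac"},
    {"zip": "98104", "dob": "1975-11-02", "sex": "M", "admit": "2012-07-03", "dx": "follow-up"},
    {"zip": "98122", "dob": "1961-08-30", "sex": "F", "admit": "2012-08-21", "dx": "overdose"},
]
# Fields an outside dataset (voter roll, news report) could also carry.
QUASI_IDS = ("zip", "dob", "sex", "admit")

def k_anonymity(records, quasi_ids):
    """Return (k, counts). k is the smallest equivalence-class size over the
    quasi-identifier fields; counts maps each class tuple to its size."""
    counts = Counter(tuple(r[f] for f in quasi_ids) for r in records)
    return min(counts.values()), counts

def singled_out(records, quasi_ids):
    """Records whose quasi-identifier tuple is unique in the release. Each one
    is a record that a single matching outside record would pinpoint."""
    _, counts = k_anonymity(records, quasi_ids)
    return [r for r in records if counts[tuple(r[f] for f in quasi_ids)] == 1]

def safe_harbor_generalize(record):
    """Apply two Safe Harbor-style rules to one record: keep only the first
    three ZIP digits and reduce dates to the year. (Safe Harbor has more
    rules; only these two are modelled here.)"""
    g = dict(record)
    g["zip"] = record["zip"][:3]
    g["dob"] = record["dob"][:4]
    g["admit"] = record["admit"][:4]
    return g

if __name__ == "__main__":
    k, _ = k_anonymity(RECORDS, QUASI_IDS)
    print(f"as released: k={k}, {len(singled_out(RECORDS, QUASI_IDS))} records unique")
    generalized = [safe_harbor_generalize(r) for r in RECORDS]
    k, _ = k_anonymity(generalized, QUASI_IDS)
    print(f"after generalization: k={k}, {len(singled_out(generalized, QUASI_IDS))} unique")
```

On this constructed sample the raw extract has k=1 with three of five records unique; after generalization every record shares its quasi-identifier tuple with at least one other, so k=2. On real data, generalization alone often leaves some classes of size 1, and those records need to be suppressed before release.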

Who would want this data? The drug industry, for one. Pharmaceutical companies are major buyers of these medical records—they use them to design ads aimed at doctors and to target potential patients. Other buyers include IMS Health, a provider of prescription data, also used by drug companies; OptumInsight, a division of UnitedHealth Group, the country’s biggest health insurer; and WebMD, which uses the data to tailor the information found on its website.

As the public becomes more aware of just how vulnerable electronic medical records (EMRs) are, consumers may be more reluctant to seek medical care. Patients rely on doctor–patient confidentiality, and that sacred trust is meaningless if one’s information is sold to the highest bidder.