Laudator: Werner Hülsmann
The BigBrotherAward 2008 in the “Health and Social Services” category goes to
(“German Employees’ Health Insurance”, DAK, a statutory health insurer),
represented by their CEO, Prof. Dr. h.c. Herbert Rebscher
for the unauthorised sharing of 200.000 chronically ill patients’ data with a private company, without giving information to the insurance customers or asking for their consent.
Imagine this: you’re having a quiet evening in front of the TV. The phone rings, you answer it. A friendly voice tells you that you have been selected for a special offer. So far, the story seems just like one of so many cold calls for a lottery or a newspaper. So what’s this all to do with that German health insurance company? Quite a lot, actually, because this particular call is not about a lottery, but for a health support programme by DAK. Tens of thousands of chronically ill people who are insured with DAK have received these calls since January this year, and the callers have been from a company called Healthways International GmbH (Ltd).
It’s not just the name that sounds American, the company is actually a subsidiary of Healthways Incorporated, seated in Nashville, Tennessee. A public company founded in 1981, they call themselves “the largest and most experienced provider of Health and Care Support services in the United States”, with 15 so-called “Care Enhancement” centres. Since 3 Dec 2007, their German subsidiary is operating such a centre in Henningsdorf, Brandenburg (near Berlin), modelled after its American counterparts. As Healthways announced at the last “German hospital meeting” (Deutscher Krankenhaustag, an annual event), the goal of their “systematic telephone contacts” is to “support sustained changes in behaviour” in patients. This is intended to lead to significant cost reductions for health insurers. Of course Healthways are in it for the money, too. In 2007, the US company achieved a turnover of 600 million dollars.
So Healthways in Germany are now promoting a health programme for DAK. Again, this is not without self-interest, as the contract with DAK contains “performance-related” factors, according to DAK press spokesperson Jörg Bodanowitz. The programme is targeted at chronically ill patients. The stated aims of the project are to increase quality of life for the insurance members and reduce costs for the insurer. The medium is health advice over the phone. It sounds good at first, but there is more than one catch.
Healthways are not just calling insurance members who have previously agreed to participate in the programme, they are calling selected members to canvass for their participation. This requires information about the insurance members. Indeed, 200.000 records of DAK members, complete with names, addresses, diagnoses and hospital and medication data have been shared, without the patients having any chance to know about this, let alone prevent the transfer.
These items of data are under specific protection (“secrecy of social data”) according to the German Social Code (Sozialgesetzbuch I, § 35). Volumes V and X of the Social Code regulate exactly how health insurers are to treat such sensitive data in special health advice programmes. Health insurers may acquire and store these data themselves to promote these programmes to their members. But in order to share the data with third parties — Healthways, in this instance —, members must be informed. The bottom-line is: Before transmitting DAK data for the purpose of promoting their advisory service, DAK had to obtain the affected members’ consent. This was not done; the above-mentioned calls were actually an attempt to get members to participate in these health advice programmes.
If that were not enough, a second omission suggests that DAK are not taking their information duties towards their members very seriously. If members are persuaded by the Healthways campaign and agree to participate in the advisory programme, the paperwork they then receive still does not indicate that a commercial company is carrying out the consultation. As affected insurance members have told us, there is no mention of Healthways or of personal data being shared.
How DAK are dealing with these issues is interesting: During a June 2008 “action day” of “Hausärzte Plus”, a family doctors’ association, Gerhard Eiselen of Healthways Ltd confirmed that they had received data from DAK, an incident that Germany’s Data Protection Commissioner, Peter Schaar, called questionable with regard to data protection laws. He also communicated his concerns to DAK on 10 June.
But DAK insists, according to their head of IT services, Dieter Schütt, that what they did was not an illegal transfer of personal data. Healthways, he said, had received the data for a commission of “data processing by proxy”, making Healthways what is called an “equal party” in data protection law. An act of verbal hair-splitting, because the conversations in which Healthways promotes their advisory programme to would-be participants are surely more than just data processing, often actually involving some initial medical consultation.
For that reason, the Federal Data Protection Commissioner Peter Schaar is not going to buy these excuses. He sees the calls as “influencing the insurance members’ behaviour” and not an act of automatic data processing on DAK’s behalf. But that does not bother DAK one little bit. They don’t believe it is the Data Protection Commissioner’s job to pass judgment on their actions with respect to data protection law. This statement by Dieter Schütt is not just brazen, it is simply wrong. While it is true that general supervision of health insurers is the task of a different authority (the German Federal (Social) Insurance Office, Bundesversicherungsamt, BVA), data protection issues still are in the remit of the supervisory authorities for data protection as well.
In any case, there is no way of changing the facts: DAK’s unauthorised sharing of 200.000 insurance members’ records with Healthways is a violation of the secrecy of social data. And the fact that they have tasked a commercial third party with the operation of an advisory programme, and the affected insurance members are not informed about this, even is a grave violation of the secrecy of social data!
Congratulations, Professor Rebscher.