PatientsLikeMe Is More Villain Than Victim in Patient Data "Scraping" Scandal

The Wall Street Journal caught Nielsen "scraping" personal data from PatientsLikeMe.com, a site where people with medical problems go to discuss their meds and symptoms. But don't kid yourself that PatientsLikeMe is the victim here: Its entire business model is about selling private patient information to the highest bidder.

The Journal makes Nielsen's spying sound sinister: Its BuzzMetrics and NM Incite units opened up three personal accounts at PatientsLikeMe and then lurked in chatrooms and on bulletin boards, copying (or "scraping") everything it found and selling the data to its unnamed clients. PatientsLikeMe sent Nielsen a cease-and-desist letter. NM Incite CEO Dave Hudson sounds like a peeping tom who got caught crouching at the window sill:

"It was a bad legacy practice that we don't do anymore," says Dave Hudson, who in June took over as chief executive of the Nielsen unit that scraped PatientsLikeMe in May. "It's something that we decided is not acceptable, and we stopped."

Bad Nielsen! Slap on wrist and go stand in the corner! What the article doesn't make clear is that PatientsLikeMe makes its money by persuading patients to give up the kind of private data that once rested securely in a locked filing cabinet in your doctor's office but that is increasingly making its way online. PatientsLikeMe is quite open about this: It actually says "Share your health data" on its homepage. Here's how PatientsLikeMe says it makes money:

We take the information patients share about their experience with the disease, and sell it in a de-identified, aggregated and individual format to our partners (i.e., companies that are developing or selling products to patients).

Clearly, its clients are drug companies who want to know what patients say about their drugs when they're not around. Here's what type of data PatientsLikeMe scrapes from its own site for its clients:

Condition/disease information, including diagnosis date, first symptom information, and family history
Treatment regimens, including treatment start dates, stop dates, dosages, and side effects
Symptoms experienced, including severity and duration
Laboratory results (e.g. CD-4 count, Viral Load)
Biographical information, including photo, bio, gender, age, location (city, state & country), and general notes
Genetic information, including information on individual genes and/or entire genetic scans

In other words, everything you'd need to specifically identify an individual patient except for their name. And you can get their name by hiring PeekYou, a service that uses this system (click to enlarge) to reverse-engineer personally identifying information from "anonymous" user information -- such as passwords* screennames, family names and dates of birth -- commonly found all over the web.

PatientsLikeMe chairman Jamie Heywood told the Journal he's shocked -- shocked! -- that Nielsen would try to do exactly what he's already doing:

We're a business, and the reality is that someone came in and stole from us.

That in a nutshell is the real issue here: There was no privacy violation. Rather, Nielsen found a way to extract PatientsLikeMe's data without paying PatientsLikeMe to do so.

There are lots of privacy scandals in the drug business -- such as the impending national database of flu sufferers, Amgen's medical record fishing expeditions, and prescription data mining -- but this isn't one of them.

Disclosure: The author was an employee of a different unit of Nielsen until 2007.
*Correction: PeekYou doesn't collect passwords. My bad! It collects the type of information that's commonly found on the web not private information. PeekYou also says it does not sell birthdate information, although it plainly collects that information.

Related:

Image by Flickr user Alan Cleaver, CC.

More from CBS News