NEW YORK – Wendy Schobert got a sinking feeling in her stomach the day a local health clinic showed up at her office to collect detailed medical information on her and her co-workers as part of the company's new wellness program.
If she didn't participate, she'd have to pay the full cost of her insurance — $5,000 a year. Even so, Schobert said she feared her health data wouldn't be kept confidential, so she accepted the insurance cost and opted out.
"There is nothing I was hiding about my health other than that it is none of your business," said Schobert, who filed a complaint against her former employer, Orion Energy Systems Inc., with the U.S. Equal Employment Opportunity Commission. "My health information is between myself and my doctor."
Schobert's fears are well-founded, security analysts say. The recent hack of Sony Corp. — in which health information on more than three dozen employees was stolen from the company's servers — is highlighting the amount of medical data proliferating outside of doctors' offices in electronic form, and how vulnerable the records are to theft. Corporate wellness programs have become one of the biggest areas where health data is collected, with hundreds of vendors amassing millions of pieces of intimate health information on U.S. workers.
"Thirty years ago, our medical records were in a file cabinet behind a door and they were harder to get to," said Geoff Hancock, chief executive at Advanced Cybersecurity Group, who works with employers to protect their health data and other sensitive information from hackers. He was speaking about the industry in general. "Now it's zeros and ones. So many more people have access and can take it and make money off it, or manipulate it, or use it to find out who you are and what you are about. It is one of the biggest holes in the cybersecurity infrastructure."
About 80 percent of large employers are running wellness programs that ask workers to share detailed health information on themselves, and about a third of them require employees to pay additional costs of as much as $1,600 a year for not participating, according to benefits consultant Towers Watson. The data collected can get quite personal, based on interviews with wellness vendors and questionnaires reviewed by Bloomberg News: Do you ever drink and drive? Are you sexually active? What diseases have you been diagnosed with? Are you experiencing stress at home?
Employers and the outside vendors they hire to gather wellness data say the information is kept confidential, often under the same standards that health insurance companies and doctors must follow for storing private health information.
Now U.S. regulators have begun challenging the legality of some programs that require additional costs or eliminate discounts for employees who don't share their information, and employees are pushing back over fears their medical information could be used to discriminate against them or fall into the hands of hackers.
As health insurance costs have climbed, companies have turned to outside vendors that promise to identify employees most likely to have high medical bills and offer tips and coaching to help them improve their health. That's created a $6 billion industry with hundreds of companies devoted to offering wellness programs, according to a study by Rand Corp. To identify those high-risk workers, wellness companies say they have to conduct screenings of a client's entire workforce.
Employers that use wellness programs say they never see an individual's health information, which is typically stored with an outside vendor or health insurance company and protected by the Health Insurance Portability and Accountability Act, a federal privacy law that sets standards for how medical information is stored and shared. Instead, they get aggregated data to help them better understand the health needs of their workforce for planning purposes, said Gretchen Young, a senior vice president of health policy at the Erisa Industry Committee, which lobbies on behalf of the benefits interests of major corporations.