Friday, October 05, 2007

Microsoft's HealthVault Fault

There has been much press lately about Microsoft's newly launched HealthVault Web site, designed to allow consumers to store and share their "personal health records" (PHRs).

Over the years, several different companies and organizations have tried to offer this kind of service and all have failed to generate much interest among consumers.

According to a Wall Street Journal article:
"Microsoft Corp.'s quest to be a player in health-information services faces a broader challenge already rankling the health-care industry: how to collect information that many consumers don't even share with their families.

"The service throws Microsoft into a crowd of insurance companies, employers, Internet companies, start-ups and tech companies trying to provide digital-health records to patients and consumers. Included are Aetna Inc. and WellPoint Inc., which hold billing and claims data that they are trying to use to build personal-health records, and newcomers like Microsoft and Google Inc., which says it is working on a system but hasn't disclosed specific plans." (See "Microsoft's Health Push Faces Obstacles".)
As the WSJ article points out, one concern for consumers is privacy. And consumers SHOULD be concerned, especially with a service offered by a company well-known for security lapses and violation of EU and FTC privacy laws and regulations.

You may recall that both the EU and FTC sued Microsoft over its Passport identification and authentication system (see EPIC's "Microsoft Passport Investigation Docket") -- the same system Microsoft uses for the HealthVault registration process. According to the HealthVault privacy policy:
To sign into the Service, you are asked to enter an e-mail address and password, which we refer to as your Windows Live ID or your Microsoft Passport Network credentials. After you create your Windows Live ID, you can use the same credentials to sign in to many different Microsoft sites and services, as well as those of select Microsoft partners that display the Windows Live ID or Microsoft Passport Network logos. By signing in to one Microsoft site or service, you may be automatically signed in when you visit other Microsoft sites and services.
Aside from the privacy and security risks inherent in centralized storage of personal information -- that's what Passport does -- there is the issue of who benefits the most from HealthVault, the consumer or Microsoft.

In 2001, EPIC filed complaints alleging that the Microsoft Passport system facilitates online profiling. EPIC claims that Microsoft officials have stated that the goal of the system is to create a profile of every Internet user, to upsell individuals to subscription accounts, and to engage in ad targeting of Passport members.

Numerous surveys indicate that the vast majority of Internet users seek health information online. Consequently, the quickest way to sign up a majority of Internet users to Passport is through so-called "online health services" like HealthVault.

But consumers see very little benefit in having an online PHR. As reported by the WSJ:
"Consumers are just not that excited about these services," said Elizabeth Boehm, an analyst at Forrester Research Inc. A scant 6% of consumers used a Web-based program or personal-computer software to track their health and medical information, while 94% said they use paper-based methods, according to a Forrester survey of 10,400 North American households in 2005.
Anyway, why would you entrust your personal health information to a technology company known to be prone to privacy and security lapses? Wouldn't it make more sense to go with a service from a company with healthcare experience like Aetna or WellPoint? While you may not trust health insurance companies, at least these companies must comply with health information privacy and security standards set by HIPAA and they have a good incentive to protect their clients' privacy -- unlike Microsoft, their business depends upon it.

What about Google? They also plan to offer a similar service to consumers.

I don't think too much of Google's healthcare savvy (see "Google's Old School Health Advisory Council"). But, more importantly, Google is competing with Microsoft and is sticking its nose into the health arena as part of its own plan for world domination of the Internet.


  1. Looks like my community of people with diabetes is EXTREMELY SKEPTICAL. We would actually be the people who most need a service like this, to record our glucose data, but most said they don’t trust Microsoft to A) make software that works and isn’t buggy and a security risk and B) to provide a service that isn’t primarily about making money for them and their partners.

    See some slightly more aggressively worded reactions here:

  2. Anonymous 5:02 AM

    The biggest risk isn't from Microsoft being the bank actually but from all of the little companies and non-profits viewing this as a good way to harvest information.

    Here for example is what the American Heart Association says about the data they will collect from people who use their blood pressure program with Microsoft's Health Vault

    (c) The AHA owns all Personal Information provided to it by individuals. When an individual provides Medical Information to the AHA, the AHA will ensure that the individual acknowledges their assignment of the right to use the data to the AHA.

    Here is the most troublesome part

    Allowing the AHA to use and store this personal and medical information from your Microsoft Health Vault Account means that AHA can send you health educational information targeted to your health condition(s).

    The information you share with the AHA includes personal demographic information such as your name, gender, ethnicity, birth date, home and e-mail addresses, zip code, and household income level.

    This information also includes your medical information such as height, weight, blood pressure values, nutrition values, cholesterol levels, physical activity, medication use and type, diet, renal disease and diabetes, and whether you have a family or personal history of heart attack or stroke and whether you have health insurance or a caregiver.

    Clearly they want to harvest your medical data for other purposes as stated below

    -The personal and medical information you authorize AHA to copy from your Microsoft Health Vault account will be stored by AHA in its own databases on its own servers or servers of third parties under contract to AHA.

    -AHA, including its local affiliates, may send you personalized health educational and other materials targeted towards persons with your health conditions.

    -AHA, including its local affiliates, may send you personalized information related to research studies being conducted by third parties related to your health condition(s). If you want to participate in such studies, you will be asked to opt-in to provide information about yourself to the third party and receive additional information about the research study.

    -AHA, including its local affiliates, may send you personalized information regarding opportunities to support the mission of AHA, either financially or by volunteering for AHA events and activities.

