Heart of the matter: who owns your health data?
The titanium metal box implanted inside Hugo Campos' chest keeps him alive.
The size of a wristwatch, the €20,000 gadget houses a generator, circuitry and a battery with thin wires attached directly to the Californian's heart.
Dear EUobserver reader
Subscribe now for unrestricted access to EUobserver.
Sign up for 30 days' free trial, no obligation. Full subscription only 15 € / month or 150 € / year.
- Unlimited access on desktop and mobile
- All premium articles, analysis, commentary and investigations
- EUobserver archives
EUobserver is the only independent news media covering EU affairs in Brussels and all 28 member states.
♡ We value your support.
If you already have an account click here to login.
"It took me about a year to get used to the idea of having the implant and understanding how things work," he told EUobserver.
The device - or implantable cardioverter defibrillator (ICD), made by US-based firm Medtronic - is designed to treat dangerous accelerations in his heart rate.
It also collects a lot of data.
An accelerometer inside the device can tell when he sleeps, eats or walks around, when he is quiet or speaking, or if fluids are building up inside his chest cavity.
All of the information is transmitted to the manufacturer via a cloud. It does not go to the doctor, the hospital or the patient.
If something goes wrong, his cardiologist will receive an alert from the manufacturer.
If it is serious, the doctor will inform Campos.
There are many others like him in the US and in the EU. A senior director at Medtronic said her company alone remotely monitors some 750,000 ICD patients worldwide.
There are two more ICD-makers in the US - Boston Scientific and St. Jude Medical.
The only other two firms which manufacture them - Sorin and Biotronik - are based in Italy and Germany.
For Campos, there is something fundamentally wrong with the idea that a private company can own and control his most intimate of information.
There is a worry the ICD firms have too much leeway to hide potential problems.
And there is a broader worry on security.
An Australian hacker in October last year reverse-engineered transmitters to deliver killer shocks to anyone with a pacemaker or ICD within 10 metres of his laptop.
But for others, big data - US health organisations generated an estimated 150 billion gigabytes of information on patients in 2011 - is big business.
It is also an opportunity to make breakthroughs in medical research and to cut the costs of healthcare.
For their part, EU institutions are currently trying to legislate on the complex issues involved.
A new European Commission data protection bill would require ICD makers to share patient information more easily.
But there are many questions to answer.
'We are at their mercy'
Campos has for the past four years been trying to get access to the raw information stored on Medtronic's database - CareLink.
He has not got very far.
"To think that a corporation has more rights or better rights [than I have] on data that is collected from my body is actually a little bit scary," he said.
He suspects that one reason for the firms' reluctance to open up is corporate liability.
"That is the biggest threat to companies - liability - and the patient knowing that the device is not working properly and being able to sue a manufacturer," he said.
"We must rely on the manufacturer to recognise such problems and issue a recall. In a way, we are at their mercy," he added.
ICDs are prone to hardware failure.
Campos said the thin wires that attach the device to his heart are "the Achilles heel" of the system.
The wires, he noted "are very pliable and they often fail and there have been some recent problems with St. Jude Medical and Medtronic."
"The patient may be unaware that the lead has failed but the generator connected to the lead knows there is a problem," he added.
Medtronic issued a major product recall in October 2007.
The problem hardware was already in use in the bodies of over 200,000 patients.
In May 2009, the firm issued a statement that 13 patients might have died because of the defect. Related settlements were finalised in January this year.
It was the "Sprint Fidelis" lead which failed.
A fractured lead can kill a patient if it fails to tell the defibrillator to send an electrical jolt when the heart goes into arrest. It can also send repeated and potentially fatal shocks.
Medtronic had received alerts that Sprint-Fidelis-wired patients were experiencing inappropriate shocks due to lead failure and launched an internal investigation.
It looked at data from a clinical trial involving 650 patients at 17 hospitals and did a subsequent review of data collected via remote monitoring for 25,000 patients with the Sprint Fidelis lead.
The findings led it to issue a recall for all its Sprint-Fidelis-wired ICDs.
Most of the patients involved fed their data into CareLink.
But in some cases industry outsourcing - a small fraction of the patients used a generator made by a competing firm - made it more difficult to react.
"In those cases patient management was more challenging because, even when they had a remote system, data were not collected in the same way," a Medtronic spokeswoman said.
The potential benefits for industry of owning the data are massive.
The size of the data pool and how it is used has implications for healthcare policy makers and healthcare businesses.
Estimates say the US health industry could save $200 billion if more advanced analytics were used on patients' health data in order to see patterns in product recalls.
"There is really a large value for hospitals, doctors, researchers and companies and individuals," Christope Wild, head of information and communication technology at Innsbruck Medical University in Austria, told this website.
He noted that every ICD manufacturer currently has its own data system, making it hard to share and compare data from one system to another, however.
"There isn't a standard to see which data needs to be stored and there isn't a standard to port this data to another manufacturer," Wild explained.
Innsbruck Medical University last year purchased software to trawl manufacturers' websites.
The software logs in with a given doctor's credentials and then pulls raw data from the ICD companies into the given hospital's electronic system.
But it did not work out.
"They had a preliminary agreement with one of the manufacturers last year, but that failed because of the proprietary system of the manufacturer and the hospital. So even if both parties agree they could work something out it still fails because of the different formats," Wild said.
A Dutch cardiologist at the Leiden University Medical Centre also said hospitals struggle to use the different data formats.
The Leiden centre has developed a common standard and is running a pilot programme to implement it at its hospital.
But only four out of the five ICD makers allowed it to run the pilot scheme for free.
Where does the EU come in?
Wild said EU policy makers need a debate on whether collection and storage of data should remain in the hands of ICD firms.
The EU commission's draft regulation would require manufacturers to export data in an easy-to-use and interoperable format.
The bill says data should, where possible, be in an open-sourced electronic format.
But industry insiders say the companies are unlikely to comply.
Meanwhile, European patients have more privacy than American ICD users.
In Europe, the clinic which performed the implant procedure has custody of "personal data" - name, address or anything else which can identify the patient.
The ICD maker has custody of "technical data" - the patient's heart rhythms, how much battery life the ICD has left - and the technical data is "anonymised."
But academic studies have shown that "anonymised" data can in many cases be used to identify people, posing the risk of "profiling."
Profiling is a practice of collecting information about individuals to make assumptions about them and their behaviour.
It is used by private firms who sell data to insurance companies, banks or employers, who can use the information to make commercial decisions which may harm the patient's interests.
The degree of mistrust in Europe is evident in so-called tele-monitoring.
Tele-monitoring allows a doctor to keep an eye on his patient from a distance, for example by checking their ICD rhythms on a website under an agreement with the manufacturer.
Martin Borggrefe - a cardiology professor at University Hospital Mannheim in Germany and vice-president of the France-based European Society of Cardiologists - noted that tele-monitoring can have big advantages.
A patient who consents to it needs to have check-ups at a heart clinic just once a year.
A patient who declines is advised to do them every three to six months.
Borggrefe said: "Medical devices are implanted by a cardiologist or a cardiac surgeon with full consent of the patient. If remote monitoring is offered, the patient signs full consent after discussing all aspects of tele-monitoring."
In the Netherlands, more than 50 percent of people opt in.
But in Germany, privacy worries mean that some 90 percent of people opt out.
Meanwhile, consent standards vary from country to country in the EU.
In some cases, they pose the question of whether a seriously ill person is in a position to make a free, rational and well-informed choice on whether to go ahead.
In Italy, a patient must sign the manufacturer's contract on paper in a doctor's office. But in the Netherlands, a patient simply checks a box on an online privacy disclaimer.
Another question for EU lawmakers is people's "right to be forgotten."
It remains unclear under EU law whether a person who signs a contract with an ICD maker can later exercise their right to have his personal data deleted.
EU law under fire
For Erik Vollebregt of Axon Lawyers, an Amsterdam-based law firm specialising in life sciences, the draft EU regulation has failed to take on board industry's concerns.
He noted that the bill's language on profiling is likely to create even more mistrust.
"If you look at the definition of profiling that is basically a functional description of tele-monitoring," he said.
He also said the EU's "right to be forgotten" conflicts with existing manufacturers' obligations to keep patient data for at least five years after the last device has been placed on the market for quality control purposes.
Vollebregt warned the law as it stands "includes a lot of measures that are not going to work for health policy."
He added: "They don't put enough depth and nuance in the statute to be able to deal with processing of personal data for health care purposes in a rational way."
Other specialists have their own take on the subject.
Annabel Seebohm, a lawyer at the German Medical Association, says people with ICD devices who enter into a contract with a manufacturer become a consumer instead of a patient.
"The patient in this regard is more of a consumer and so the 'right to be forgotten' would apply. It's not a doctor-patient relationship here since it is with the manufacturer," she told EUobserver.
There is equal confusion in the US.
An American privacy law on health information - Hipaa - covers service providers who collect data on behalf of doctors or hospitals.
But when contacted by EUobserver, the US consumer protection agency - the Federal Trade Commission - was unable to say whether Medtronic falls under Hipaa because it is a manufacturer, not a service provider, a doctor or a hospital.
The federal commission was also unable to say what Hipaa means for patient access to health information, such as ICD data.
Amid the uncertainties, Campos' ICD battery has another three years to go.
He told this website he has nothing against tele-monitoring or other leaps forward in medical technology and practice.
But he firmly believes the US and Europe should enshrine patients' access to their data as a "civil right."
"There is nothing more intimate than an implanted electronic device," he said.