It’s been more than a year since COVID-19 began its unbridled spread. Early in the pandemic period, surging infection rates left much of the global population in lockdown, spurring new highs in boredom-driven dependence on electronic devices. Some hackers wasted no time in responding to the crisis by creating malware-embedded COVID-19 phishing emails, withholding patient health information for ransom, and otherwise seizing on the novel vulnerabilities experienced by an overwhelmed healthcare industry. Against this backdrop, both major US political parties submitted bills aimed at addressing a growing technological concern: the privacy of consumer health data during the pandemic.
As of the time of publication, with some 48% of the country now fully vaccinated and the national mask mandate having been lifted, we are seeing the return of some semblance of normalcy. Looking back on the chaotic nature of cybersecurity attacks on hospitals and at the resulting health information that was exfiltrated, we have to ask: what ever happened to those health privacy bills?
A sample of the privacy incidents
On February 3, 2020, the US declared a public health emergency due to COVID-19. Unfortunately, such a crisis is the most profitable time for hackers. Employees using Office365 were targeted with a phishing email that read, “COVID-19 Training for Employees: A Certificate for Health Workplaces.” Over 250 US hospitals were affected by one trojan virus that exfiltrated patient data and triggered ransomware that locked out health professionals. Researchers identified two remote-access trojan viruses attached to emails that claimed to have government information about the coronavirus. Another team spotted a phishing email intended to lure recipients into filling out a form to receive their vaccine appointment. Yet another group found that bad actors promoted a version of legitimate software containing coronavirus-themed ransomware. As some colleges were targeted with ransomware hidden in fake COVID-19 surveys, other universities started warning their staff and students about pandemic- and vaccine-related scams attempting to obtain their personal information. The Centers for Disease Control and Prevention (CDC) even put out a notice warning consumers about scams and phishing emails from phone numbers and email addresses that appear to be from the agency. Out of the over 13 million malicious incidents related to COVID-19 and detected by McAfee, about three million occurred in the United States. Cybersecurity and privacy are often conflated, but in this case they do overlap. Hackers will continue to target countries with poor cybersecurity postures because of the ease of data exfiltration, the minimal or nonexistent repercussions, and the relatively high payoff that is consumer data. One way to discourage bad actors in the immediate future is to mandate better cybersecurity practices and thus protect consumer privacy, especially private health information during a global pandemic.
The proposed bills
Senate Republicans proposed a bill that would “protect the privacy of consumers’ personal health information, proximity data, device data, and geolocation data” during the pandemic, intending to protect the information that is collected and processed for contact-tracing programs. Their COVID-19 Consumer Data Protection Act of 2020 was introduced that May and was referred to the Committee on Commerce, Science, and Transportation. A week later, Senate Democrats introduced the Public Health Emergency Privacy Act, which would require covered organizations to follow privacy, confidentiality, and security requirements for COVID-19 emergency health data linked to an individual or device, and grants injured consumers a private right of action. Both bills require express consent, a privacy best practice in which a company explicitly asks a consumer for consent before collecting, using, or sharing their data, and both aim to protect consumer health information. The Public Health Emergency Privacy Act even had an identical bill introduced in the House. Congress introduced 116 other pandemic-related privacy protection bills and resolutions in the 2019-2020 session.
Not one of them was passed in that session.
Congressional stalemate
The anticlimactic ending to this legislative saga may be attributable to anything from partisanship to bigger-ticket items like passing pandemic-related economic relief bills. Health privacy was clearly still an important issue at the start of 2021, and legislative efforts did not stop when the new session began. In fact, 94 bills and resolutions have been introduced so far in the 2021-2022 Congressional session by both Republicans and Democrats. The Protecting Personal Health Data Act would direct the Department of Health and Human Services to “regulate consumer devices, services, applications, and software that. . . primarily collect or use personal health data.” The 2021 Public Health Emergency Privacy Act, introduced in both the House and Senate, would require organizations that collect, use, or disclose emergency health data to follow privacy best practices like obtaining affirmative express consent and limiting collection and use of such data. The House version of this bill has even been referred to the Subcommittee on Consumer Protection and Commerce. The Stop Marketing and Revealing The Wearables And Trackers Consumer Health (SMARTWATCH) Data Act would, as the title suggests, prohibit companies from sharing or selling consumer health information, including non-aggregated data and biometric data taken from wearables like smartwatches, without informed consent from their consumers.
The influx of new pandemic-related privacy bills introduced this year and the steady stream of COVID-19-related cybersecurity incidents since early 2020 illustrate that consumer data privacy issues will not disappear, even as pandemic concerns might. Both parties in Congress have recognized this and seem to be continuing efforts on this front. Privacy is neither a partisan issue nor a particularly pressing one, unlike gun reform after mass shootings or mask mandates during a pandemic. As the novel coronavirus becomes contained, we may see fewer fatal events in the coming months, which in turn would allow consumer privacy bills to gain more traction. With more public attention on the vast amount of data that has been collected, we may see a solution yet.