Private hospitals are now consulting a secret medical credit score from Experian before you even see a doctor. As a patient you do not have access to this score, nor can you see how it is generated. All you know is that you may be denied care, or receive different care, because of it.

In our backward health care system, neither the hospitals nor Experian see any potential issue with this. It helps a hospital's bottom line and that's what counts. They're actually pretty excited about it:

'lo;l

I spoke with Ashley Reede, an information systems and privacy consultant, who worked with a private hospital in California as they were onboarding Experian's 'Financial Clearance' system. What she saw was quite upsetting and she wants people to know what's happening with their data.

"The revenue department came to me and said they were going to start sharing data with Experian," she says. "They wanted approval to send data from reception/patient admittance to Experian to check a medical credit score that's generated and assigned by Experian. Then Experian would send that score back to the hospital."

The Financial Clearance system combines medical records along with the financial records Experian already has on you to calculate the score. Since they have a network of hospitals reporting this kind of data, separate visits to different hospitals by a patient are no longer silo'd. There is now a number, that you can't see, that follows you wherever you go.

"The central issue is that we don't have any actual transparency on what's in the record," says Reede. "I can't see what this is being evaluated on."

And have you ever found anything inaccurate on your credit report? The process to get it expunged is so onerous that many people just leave the false item on the report. But at least in that case you can see what other people see. With this new, arguably more important score, it's secret.

"What if you paid a medical bill and now it's reported that you didn't?" says Reede. "You'd be totally unaware that you have a medical delinquency on your report. You have no recourse and you don't know what you don't know."

The Worst of a Bad Situation

Let's all keep in mind under what circumstances one would be approaching reception at a hospital. There is something wrong with your health, or the health of someone you love, and you're seeking medical care. Under these heightened circumstances, you now have to wait to see if a company thinks you're a good customer for them.

While Reede says this is likely not an issue for larger hospitals that have less financial pressure (although Kaiser Permanente uses this system), it's definitely appealing for smaller hospitals that will notice a hit to their finances if a patient defaults. She also points out that this is for private hospitals, not public.

"This program is most attractive to private hospitals or billers," she says. "Public institutions, like SF General, already have public resource funding to provide universal care."

But without any public pushback, it could conceivably be used for public hospitals as well. In a time where we seem to be burning down any regulation we can find and trying to privatize everything, this is a window into a possible future.

At Least It's Secure, Right?

There are security certifications that most big vendors of Experian's size have. Google, Salesforce, and AWS all have it, and they have dedicated teams that works year-round to get them. As part of her consulting with the hospital in California, Reede had to discuss this certification with Experian.

"Experian had issues with getting their certifications," says Reede. "There were discrepancies. They were having difficulty administering and patching servers within their environment. While that is a common occurrence in IT Security, it does create vulnerabilities and can create opportunities for data loss."

Experian's infrastructure that handles regular credit scores does have these certifications, but the medical score system did not.

"Even if we were 100% comfortable that they're using data like this, the fact that they might not have updated encryption servers for this information is more troubling than them just having access to the information."

It's conceivable that Experian has since fixed their issues since last summer, but we just don't know. And it's just not how we expect things to work. We expect our personal data to stay at the hospital. We don't anticipate that it might be shipped to a less secure third-party.

"As consumers, we need to be aware of the records being kept on us," says Reede. "Medical providers have an unparalleled access to your sensitive information – they have your credit card, social security number, the last four times you've been to the doctor. We need to know how they're used and how information outside the protections of HIPAA are stored and disseminated."

And the seeming lack of care with security is just the tip of the iceberg. There's a general absence of accountability in this type of system. Along with Google's 'Project Nightengale', we're seeing our medical data being used in unpleasantly surprising ways. And who controls what people are allowed to do with it?

"We're really relying on other people's ethics," says Reede. "There's no built-in controls for this program. It's like, trust us, we're ethical people. But if there's abuse there's no real mechanism to stop that."

Track You Down

The Financial Clearance product is just one of the services Experian offers. Their 'Return Mail' service will also help hospitals track down patients who have not paid their bill.

So if you have a pending bill at one hospital and then go to a different one, not only will you possibly be denied care in that moment, but the first hospital gets notified of your visit.

"Experian aggregates data from other sources as well so that you're always trackable and traceable," says Reede. "In effect, you can't run from your bill." If you're in the finance department of a hospital this probably sounds pretty good. As a patient, it adds more anxiety to an already stressful situation.

What to do?

To be fair to Experian, this type of service is almost an inevitable downstream consequence of our health care system. Once you start running a hospital like a business, you create an environment of perverse incentives. Care is no longer solely based on what's best for the patient, but how that patient's care relates to the hospital's finances. So wealthy people get access to better care and everyone else has to take whatever is available.

This is not necessarily a Bad Actor problem (aside from the potentially insecure servers) but more of a Bad System problem. Healthcare is categorically different than other kinds of services. It's intimate, private, and the stakes are potentially life and death. Many lives are forever changed by medical events. It's not a just a ride to work or a dinner at a restaurant.

"Take Uber, for example," says Reede. "Last night I was at the Warriors game with my friend and we both called one. I have like a 4.8 Uber score and she has a 4.6, but my Uber was going to be in there in five minutes while hers was going to take 15. We've both been arbitrarily assigned a score based on information not transparent to us and our service is directly correlated with that. Is that how we want health care to work?"

I vote no, though I'm not sure how we avoid that fate without universal health care. I could tell you to call your congress person or whatever but you won't. Neither will I. With our current healthcare system, the best advice is, "Just don't get sick."

If you have tractable action for readers to take who find this upsetting, you can comment in our forum, Hacker News, or Reddit.

Cover image by JAFAR AHMED on Unsplash