Is Your CPAP Machine Spying on You While You Sleep?
Tony Schmidt is a 59-year-old technology worker from Texas who suffers from sleep apnea, a fairly common medical condition that can interrupt breathing while sleeping. The solution is to use a continuous positive airway pressure (CPAP) machine.
But he discovered something unusual about his CPAC: It was spying on him without his knowledge. The device tracked him when he used it and sent the information not just to his doctor, but to the maker of the machine, to the medical supply company that provided it, and to his health insurer!
After Schmidt registered his new CPAP unit with ResMed, the San Diego-based manufacturer, and opted out of signing up to receive continuing information, he received an email from ResMed congratulating him for using the device for the first time: "Congratulations! You've earned yourself a badge!"
Schmidt next heard from the distributor, Medigy, the company that rented the machine to him, saying that his "machine is doing a great job keeping your airway open," along with a detailed report on his usage.
When Schmidt looked into this, he learned that his health information was being sent not only to ResMed and Medigy, but also to his insurer, Blue Cross Blue Shield. It seemed everyone had some interest in his personal health information. He suddenly learned, without any clear disclosure, that three companies were capturing his health data, not knowing if the data was even encrypted and not knowing what it was being used for.
Blue Cross Blue Shield responded by explaining that it's standard practice for insurers to monitor sleep apnea patients so they can deny payment if the machines aren’t being used properly. And according to privacy experts, sharing a patient’s data with insurance companies is allowed under existing federal privacy laws.
ResMed said once patients provide consent, the company has the right to share the data it gathers with the patients' doctors, insurers, and supply companies. But, like most contracts online, the approvals are buried in multi-page contracts rather than requiring the user to opt in with very clear language. ResMed is the leading device maker of an ailment afflicting about 22 million Americans and is currently monitoring the CPAP use of many millions of patients.
Schmidt returned his new ResMed CPAP machine and went back to using an older model that doesn’t connect to the Internet and uses a memory card to record the data that he can share directly with his doctor.
Between 2001 and 2009, Medicare payments for sleep-related ailments quadrupled to $235 million, leading to more prescriptions for a CPAP. Under Medicare rules, patients need to use the CPAP for four hours a night for a minimum of 70 percent of the nights in any 30-day period within three months of getting the device. Medicare requires that the patients’ doctors confirm the adherence and effectiveness of the therapy.
While sleep apnea experts considered Medicare's requirements to be arbitrary, the practice led private insurers to adopt similar rules, and then to begin verifying usage with data from patients' machines, even without their knowledge.
With the disclosure about Facebook and Google collecting as much as they can about us, the fear is that it would be a short step for them to start collecting health information, which could fetch much more money from insurance companies and others that have a financial stake in our health. With more health-related devices in the home connected to the Internet, the worry is real and present. These devices now include heart monitors, blood glucose meters, Fitbits, Apple Watches, and even apps on our phone. Because of the lack of privacy laws, many are surprised to learn how little control we have over our health data — who has access to it and how it’s used.
Each of these medical devices is a potential minter of money because they collect our health data that can then be sold to anyone willing to pay: insurance companies, drug companies, Facebook, and Google. While there can be legitimate reasons to collect data, we know that there’s too big a temptation for those collecting the data to use it to also improve their profits.
What can we do? When buying a device with “wireless connectivity” consider that a warning, not a benefit. If we don’t connect, these companies can’t monitor us.