TORONTO — A new Canadian study has uncovered how private clinics are giving pharmaceutical companies access to millions of Canadians’ health records—often without patients’ awareness or consent.
The peer-reviewed study, led by Dr. Sheryl Spithoff at Women’s College Hospital in Toronto and published in JAMA Network Open, reveals how patient data is quietly being converted into a commercial asset. Through interviews with stakeholders in the medical records industry, the researchers found that private, for-profit clinic chains are partnering with data brokers and pharmaceutical firms to monetize electronic medical records.
“This is really an area where we need transparency,” said Dr. Spithoff, warning that patient data—though stripped of personal identifiers—is still being used in ways that serve the interests of drug companies and not necessarily those of patients or the public health system.
Researchers identified two business models. In one, private clinics sell de-identified patient data to third-party companies, who then analyze and resell it to pharmaceutical clients. In the other, the clinics are owned by the same parent companies that collect and leverage the data—giving corporations direct access to clinical information at the source.
In both scenarios, the study found, patients were not informed or given any role in decisions about how their medical records were used.
Health law experts say the findings raise serious ethical and legal questions. Matthew Herder, director of the Health Justice Institute at Dalhousie University, said the data-sharing arrangements risk tilting patient care toward commercial interests. “This paper is starting to bring to light what’s really going on,” Herder said, adding that the lack of transparency is especially concerning.
Lorian Hardcastle, associate professor of health law at the University of Calgary, called for urgent updates to Canada’s outdated privacy legislation. “Most of our health privacy laws were written for an era of paper records. They were not designed for the complexities of third-party digital data management,” she said.
Hardcastle also warned that so-called “de-identified” data is increasingly vulnerable to re-identification as artificial intelligence and big data analytics evolve. “What we thought was safe 10 years ago may no longer be private today,” she added.
The Office of the Privacy Commissioner of Canada declined to comment directly on the study, but reiterated that all entities subject to privacy laws are required to safeguard personal information. Ontario’s privacy commissioner acknowledged that health data has become a valuable commodity and emphasized the need for “greater accountability” in how de-identified data is sold and handled after transfer.
The commissioner’s office is advocating for reforms, including mandatory risk assessments and additional safeguards when personal health information is involved.
For concerned patients, experts recommend asking your healthcare provider about its privacy policy, and if needed, filing complaints with provincial or federal privacy commissioners. Citizens are also encouraged to lobby lawmakers to modernize Canada’s health data laws and close the gap between legal loopholes and modern digital risks.
As more health records move online and into corporate hands, the study serves as a stark reminder that privacy in health care may be less secure—and more commercialized—than many Canadians assume.