What if a complete stranger could know detailed information at any time about the prescription drugs you take to treat a health condition? Would you be embarrassed?
What if 1,000 complete strangers could know this information at any time? What if they knew why you took the drugs? How far the pharmacy was located from your home? Whether you used cash instead of a credit card?
That’s the kind of sensitive patient information the powerful U.S. Drug Enforcement Administration wants to begin collecting in a new nationwide dragnet initiative that affects untold millions of Americans.
Authorities say the Big Data program is limited only to “controlled substances.” But the federal government classifies hundreds of drugs that way, not just opiates.
Federal drug enforcers believe they can ease the effects of the opioid crisis by vacuuming up massive troves of data on all patients prescribed controlled substances by doctors and analyzing the data for patterns of suspicious or criminal behavior.
Civil rights advocates say it’s another behemoth database containing highly sensitive personal data that the government wants to fish for evidence of crime. Such systems, critics say, turn masses of innocent Americans into targets for unwarranted government attention.
1,000 eyes watching
The DEA says in newly released contracting documents that it wants access to a minimum of 85 percent of all written and/or filled drug prescriptions in the United States of controlled substances. It also wants over 1,000 of the DEA’s employees to be able to access the data simultaneously at any time if necessary.
Authorities insist they would initially conduct deep searches only of “de-identified” data stripped of personally identifying information. But the private company managing the system would have to provide identifying details within three days of receiving a simple administrative subpoena.
Administrative subpoenas have already been sharply criticized in the media for using a much lower legal standard than a probable-cause search warrant approved by an independent judge. Administrative subpoenas also make it far more difficult for the public to know what the government is doing with sensitive personal data and whether what they’re doing with it even benefits the public interest.
The concept of this kind of database is not new. Many States already have their own prescription drug monitoring programs, including Oklahoma. The DEA is envisioning a database that reaches much further into the lives of everyday Americans, however.
“The idea that patient-level data is available to the DEA is quite frightening,” one public health expert told the news site Filter. “We don’t want to make people worry that their decisions will be monitored by this highly punitive federal agency.”
Why is the DEA doing this now?
The DEA says that the purpose of these efforts is to block the diversion of legitimate prescription drugs to illicit black markets. They point to pharmacists who falsify records and drugstore workers who steal inventory.
There’s no doubt bad actors exist. One such example - a single West Virginia pharmacy - diverted an astonishing nine million pain pills over two years.
Tens of thousands of people have died as a result of the opioid crisis over the last 20 years, many in Oklahoma.
But the Washington Post reached an astonishing conclusion in an investigation last year of the DEA’s past use of subpoenas to access patient data from individual states. Although the agency was swimming in data already, the Post found, it made little use of that data to stem the worst moments of the crisis.
Is it being challenged?
Civil rights advocates have at times unsuccessfully attempted to block states from compiling such patient data. In other cases, states themselves have gone to court in futile attempts to stop the DEA from accessing their patient data through subpoenas.
Many states had difficulties persuading drugstores and pharmacists to participate in monitoring programs by entering transaction information. As a result, many States promised that such databases would be used only to prevent “doctor-shopping” among drug-abusing patients.
The DEA has a much broader focus, however. So far, they’ve succeeded in aggregating patient data relatively unimpeded.
When the DEA was investigating two pharmacies in Colorado and demanded patient data without a warrant, state officials said no. They argued that the DEA’s “overly broad, undifferentiated demand for access would violate the Fourth Amendment right to privacy guaranteed to more than 14,000 patients whose medical data is at issue.”
Government lawyers representing the DEA countered that patients “do not have a constitutionally protected privacy interest under the Fourth Amendment in their prescription medical information.” A judge agreed.
In other cases, patients have challenged their inclusion in dragnet databases. A judge initially agreed with the transgender plaintiffs in one Oregon case taken up by the American Civil Liberties Union. “It is difficult to conceive of information that is more private or more deserving of Fourth Amendment protection,” the judge wrote. The victory was short lived, with the case being overturned on appeal.
A troubled DEA history
The DEA has a long and worrisome history of abusing enforcement databases. The agency created a firestorm in 2015 when evidence emerged that it had secretly compiled logs for years of nearly every single phone call leaving the United States. The system intercepted all outbound calls to more than 100 countries considered to be linked to drug trafficking.
So impressive was the breadth of the database that it became the blueprint later used by the National Security Agency during the war on terror to analyze bulk phone records. The NSA’s own massive dragnet was similarly blasted by critics when it became public.
After details of the DEA’s phone records scandal were publicized, the Inspector General began investigating its prolific use of administrative subpoenas.
In a final report, the watchdog said the DEA was vacuuming up data in bulk “without making a prior finding that the records were […] ‘relevant or material’ to any specific, defined investigation.” The Inspector General called the conduct “troubling.”
Not only that, breaches of government data are a common occurrence in the digital age. Can the DEA even ensure that your patient data won’t get hacked? According to bid documents, the contractor is required to notify you if your patient records are accidentally spilled onto the internet. But there’s a catch. The DEA gets to decide first if letting you know would compromise an ongoing investigation.
The dragnet is widening
The two drugs you’re likely most familiar with from media coverage of the opioid crisis are hydrocodone and oxycodone.
But Federal and Oklahoma laws divide “controlled substances” into five categories from the most-to-least dangerous. The combined list is hundreds of entries long, and the DEA wants data on them all.
A Schedule V controlled substance is considered the least harmful and includes everyday medications like cough syrup, the seizure treatment drug Lyrica, and the anti-diarrhea medication Lomotil. Schedule I includes drugs that federal law enforcers consider the most dangerous. This includes marijuana, heroin, ecstasy, and LSD.
Within these schedules are hundreds of drugs you may never have known were “controlled” by the government. Maybe you’re one of the millions of Americans who takes Ritalin or Adderall for attention deficit disorders. Or maybe you’re a transgender person taking testoterone. Maybe you’ve been prescribed Tylenol with Codeine for pain, Xanax or Valium for anxiety, or Spravato for depression. These are all “controlled.”
And it doesn’t end there. The DEA says in contracting documents that it may want to add new drugs to the database not currently on the list of controlled substances. The chances are growing everyday that you or someone you will know will be unknowingly swept up in the DEA’s ever-widening dragnet.