It didn’t take the spectacular hacking of Sony computers for consumers to be aware that their privacy is at risk every time someone new gets some of their data. Hackers attack everywhere—financial institutions, retailers, government, universities, medical institutions—and security precautions don’t seem up to the task.

On Tuesday, the nonprofit public interest group Consumer Watchdog warned people not to participate in the health information exchange being set up by Blue Shield of California and Anthem Blue Cross that will gather and store a range of medical records for fast access by interested parties. It will be the largest such exchange in the country.

The group listed 10 concerns about the project, not the least of which is that customers of those insurance companies are automatically included in the system unless they proactively opt out. “The best privacy protection for now is to opt out,” the group’s privacy project direct John M. Simpson said. “You can always opt in when they make it clear what the benefits and protections will be.”

The insurance companies announced in August they were implementing a system that would potentially house all the records of their 9 million California customers. Information is already being assembled in the California Integrated Data Exchange (Cal Index) and notices began going out in October, “introducing a powerful new way for your healthcare team to access your medical information securely.”

Consumer Watchdog was wary of the power and dubious of the security claim. But first, the group would like the insurance companies to spell out their policy on privacy. Right now, the website says, “Cal INDEX will have a Chief Privacy Officer and full privacy and security policy/standards in place when it is operational later this year.”

The group wants to know: if customers will be able to see their information stored in the database; who are the providers of information; who has access to the data; how is incorrect information fixed; if someone opts out and their medical provider does not, are they still in? Can you have information removed if you opt out? Will insurers use this information for any purposes other than providing information to medical providers?

The exchange was set up with $80 million in seed money from the two insurers, but the plan is for customers to foot the bill after three years.

So far, the opt out policy has worked about the way opt out policies work. Few have exercised the option. Cal Index Chief Executive David Watson, who used to work at Oracle Corp., told the Los Angeles Times that fewer than 1% of the 4 million notices sent to consumers ended in opt out.

Part of that response may be a willingness, perhaps even enthusiasm, for being part of a high-tech system that could save time, money and lives. But the response might have been different if the letter was entitled “Opt Out Notice” and people received a balanced presentation of the system’s pros and cons.

Instead, one has to flip the page of its one-sided promotion to read about the customer option. The exchange is expected to be operational in the first quarter of 2015.

–Ken Broder  

To Learn More:

Health Database Cal Index Must Address Privacy, Consumer Group Says (by Chad Terhune, Los Angeles Times)

Privacy Alert: Consumer Watchdog Urges Public to "Opt Out" of Cal INDEX Electronic Health Information Exchange (by John M. Simpson and Carmen Balber, Consumer Watchdog)

Get Ready for Cal Index! It’s More Revolutionary Than It Sounds (by John Connolly, Insure the Uninsured Project)

California Insurers Announce Largest Health Information Exchange in the US (World Privacy Forum)

Data Breaches Affect Nearly Half of California’s Residents (by Ken Broder, AllGov California)