Palantir’s collection of disease data at CDC stirs concerns

PATIENT PRIVACY

Plans to consolidate info raises questions

By Apoorva Mandavilli

New York Times

The Centers for Disease Control and Prevention’s plans to consolidate data on diseases like measles and polio are raising concerns about patient privacy, delays in spotting long-term trends and ways the Trump administration may use the information.

The agency told state officials this week that it would shift disease information to a new system managed by Palantir, the data analysis and technology firm co-founded by Peter Thiel.

The change is not entirely unexpected. The COVID pandemic revealed that the CDC’s data systems were antiquated, hobbling the country’s response in the crucial early months. A plan to modernize and consolidate the agency’s data systems began during the Biden administration.

But news that the Trump administration has expanded Palantir’s work across the federal government in recent months, allowing it to compile detailed information about Americans, has introduced a new layer of anxiety and mistrust among state and local officials about sharing data with the CDC.

Palantir’s systems, including those at the CDC, rely on a platform called Foundry that could merge information from different agencies. The Department of Health and Human Services, the Food and Drug Administration and the National Institutes of Health all use Foundry.

Some officials worry that a sprawling data collection system could expose or endanger people with sensitive health needs, like gender care, reproductive health care or disabilities. Some labor and other advocacy groups have tried to block the Trump administration from sharing data across agencies.

“We are very supportive of modernization of our public health data systems, but the revelations of possible misuse and abuse of these efforts are very concerning,” said Dr. Philip Huang, director of Dallas County Health and Human Services in Texas.

Andrew Nixon, a spokesperson for the Department of Health and Human Services, said the move was an effort to leave behind “siloed, redundant data systems and tools.”

Nixon said the transition to a new data platform “is about modernizing outdated public health infrastructure — not compromising data privacy.”

Health care providers are required to report cases of certain diseases, called nationally notifiable diseases, to their local or state health departments. The list of notifiable diseases is long, from sexually transmitted diseases like syphilis to measles, tuberculosis and polio.

States can decide how much of the data to share with the CDC. The agency then provides the numbers, updated weekly, as well as finalized annual data.

In an email dated June 3 that was obtained by The New York Times, Dr. Jen Layden, a CDC official, told states and jurisdictions that the notifiable diseases surveillance system would migrate to the new One CDC Data Platform, or 1CDP.

That means the agency will have to postpone the release of annual data for 2024 until next year, along with the 2025 data, according to the email.

Health officials should still be able to review data about current outbreaks. But a clear picture of annual data is essential for identifying regions of concern, flaws in how outbreaks were handled and planning future public health responses, some experts said.

“With multiple serious outbreaks occurring throughout the U.S., it is completely unacceptable to delay notable disease reporting,” said Jennifer Nuzzo, director of the Pandemic Center at Brown University.

Nuzzo and others welcomed modernizing and streamlining the agency’s outmoded, multiple data systems. Understaffed state health departments spend enormous time and resources submitting data to each one separately.

“There’s a huge need to move toward a more consolidated way of evaluating population health as well as individual health and risk,” said Dr. Anne Zink, who was Alaska’s chief medical officer until August.

The agency has worked with Palantir systems since 2010, and this particular move has been discussed for at least a year. Still, the decision to transfer the data now was abrupt and took state officials and many CDC staff members by surprise.

States are not required to share their data with the CDC, which has at times, including at crucial points during the pandemic, impeded the agency’s ability to understand what was happening nationally.

State officials sometimes have good reason to be hesitant. The data shared with the CDC is de-identified, meaning it does not include names and addresses. But it may include birth dates, ages, ZIP codes and dates of hospitalization. In states with smaller populations like Alaska or Vermont, that information alone may be enough to reveal a patient’s identity.

“CDC remains fully committed to protecting sensitive health information and will continue to work closely with states to ensure data is handled securely, transparently and in accordance with all federal privacy laws,” Nixon said.

Some CDC officials said they were worried that local and state departments would stop sharing data, especially as the administration has slashed the funds that the agency has typically sent to those partners.

If states withhold crucial details, the national picture of infectious threats will be incomplete, or even inaccurate, some experts said.

“Unless federal agencies can provide credible assurances the data will be used appropriately and that privacy will be maintained,” Nuzzo said, “there will be no disease reporting in the U.S.”