Sleep apnea sufferers reveal how insurers snoop on them through CPAP breathing machines

The IoT ecosystem is vast and diverse, spanning Internet-connected things from the tiniest smart toys to the largest smart-city appliances. Engineering-wise, these technologies differ immensely from one another, but they all share one trait – a “brain” that connects to the Internet.

Poorly configured, smart technologies can pose dangers that outweigh their intended benefits. An article by ProPublica tells the story of a certain Tony Schmidt, who was perplexed to discover that his CPAP machine designed to help with his sleep apnea was “spying” on him.

CPAP (continuous positive airway pressure) machines essentially blow warm air through a mask and into the user’s airway. The contraption is designed to combat sleep apnea, a condition characterized by repeated pauses in breathing or periods of shallow breathing during sleep. Because of the disorder, Schmidt hardly gets any shuteye at all.

“I couldn’t keep a job,” he said. “I couldn’t stay awake.” The machine saved his career, maybe even his life, he said. But the machine comes with caveats, as Schmidt and others like him would come to realize after using it. Health insurance companies track whether patients use them by demanding their doctor hand over the patient’s medical data. If the data says the patient is not using the device properly, or not enough, the insurers might not cover the machines or related supplies, such as replacement masks and filters.

Schmidt learned this the hard way. During an email exchange with the makers of the device, a report detailing Schmidt’s usage was attached.

“I had no idea they were sending my information across the wire.”

Schmidt’s machine was sending the data to his doctor over the air. He felt his privacy invaded and wondered what else all these parties were doing with his data. As an information technology specialist, he soon came to ask himself: Was the data even encrypted on its journey to the doctor? What about on route to the insurance company?

The problem, as it turns out, is the legislation – or lack thereof – surrounding smart medical devices versus the much stricter rules and regulations that allow insurers to request health data from customers. In the absence of tougher regulations that directly protect IoT users, insurers stand to gain. From the report:

In fact, faced with the popularity of CPAPs, which can cost $400 to $800, and their need for replacement filters, face masks and hoses, health insurers have deployed a host of tactics that can make the therapy more expensive or even price it out of reach.

Patients have been required to rent CPAPs at rates that total much more than the retail price of the devices, or they’ve discovered that the supplies would be substantially cheaper if they didn’t have insurance at all.

Experts who study health care costs say insurers’ CPAP strategies are part of the industry’s playbook of shifting the costs of widely used therapies, devices and tests to unsuspecting patients.

“The doctors and providers are not in control of medicine anymore,” said Harry Lawrence, owner of Advanced Oxy-Med Services, a New York company that provides CPAP supplies. “It’s strictly the insurance companies. They call the shots.”

Schmidt has since switched to a CPAP that can be used offline. He simply takes the removable memory card out of the device and takes it personally to his doctor for analysis. But Schmidt is not alone in his crusade against insurers’ collection of health data. Eric Umansky, who works at ProPublica as deputy managing editor, suffers from the same condition. His situation is so severe that his marriage depends on him using a CPAP machine.

In September, his doctor prescribed a new mask and airflow setting for his device. The medical supply company endorsed by his insurer sent him a modem that goes into the machine to let the company change the settings remotely if needed. His mask was yet to arrive when his insurance company decided it might not pay for it. The reason? Umansky had not been using his machine enough. The data was obtained through the very modem meant to give the supply company remote access.

“On Tuesday night, you only used the mask for three-and-a-half hours,” the insurer told Umansky on the phone. “And on Monday night, you only used it for three hours.”

“Wait — you guys are using this thing to track my sleep?” Umansky recalled saying. “And you are using it to deny me something my doctor says I need?”

The supplier had forwarded the information to his insurance company, UnitedHealthcare. In what could only be described as a vicious circle, Umansky hadn’t been using the machine enough because he was in dire need of the new mask.

“But his insurance company wouldn’t pay for the new mask until he proved he was using the machine all night — even though, in his case, he, not the insurance company, is the owner of the device,” the report reads.

The story also mentions the ironic case of one Alan Levy, an attorney whose law practice focuses on defending insurance companies in personal injury cases. He too needs a CPAP machine to sleep normally, but his hurdles primarily involve inflated pricing for device rental.

All in all, the report draws a concerning, or even grim, picture of the state of affairs in the IoT world. When lives are at stake, it becomes as clear as day just how important it is to have the right regulations in place. Even the insurers, whose unorthodox ways of boosting profits are undeniably impeachable, have the right to justify customer reimbursement by requesting client medical data. Studies show that about third of patients don’t use their CPAPs as directed.