Amazon’s $3.9 billion One Medical acquisition is already raising data privacy concerns

By Clint Rainey

July 21, 2022

Amazon announced on Thursday that it’s buying One Medical, the subscription-based primary-care provider, in a $3.9 billion all-cash deal—one of its largest acquisitions to date.

The purchase grows Amazon’s footprint in healthcare considerably—a goal Jeff Bezos first set back in 2018, the year he and Warren Buffett and Jamie Dimon launched Haven, an Amazon-Berkshire Hathaway-JPMorgan Chase mega-venture, created to solve America’s healthcare woes. That effort fizzled out in 2021, but Amazon has stayed busy since, unveiling Amazon Care, its in-house primary- and urgent-care service for employees, and acquiring the pharmacy service PillPack.

For now, Amazon says it has only entered into a definitive merger agreement with One Medical, meaning the deal hasn’t closed yet. Those details, though, won’t stop this from representing an epic new layer of service bundling: Amazon, your online marketplace, grocer, streaming service, smart-speaker provider, and cloud-computing service, is soon to be your brick-and-mortar healthcare clinic, too. With One Medical, Amazon will get a practice consisting of over 180 offices in two dozen U.S. cities that partners with another 8,000-plus companies to provide their employees a variety of health benefits, everything from in-person to virtual care.

Around since 2007, One Medical comes with a loyal customer base, though a number of them immediately took to social media Thursday morning to raise alarms over what Amazon’s acquisition could mean for their private medical data.

Polling has generally shown that consumers are wary of large tech companies with regard to data privacy, although Amazon also often ranks among the world’s most-liked brands.

All the tech giants possess untold amounts of data on billions of people. It stretches back years and can contain everything from sensitive private messages to users’ personal interests and political affiliations. Governments and police departments are increasingly interested in tapping into these data goldmines. But One Medical layers on so-called protected health information—an issue that is newly in the spotlight since the overturning of Roe v. Wade. The potential for states to prosecute people for seeking abortion care has been causing concern for some customers, privacy advocates, and public health officials.

Concerns about how Amazon intends to protect this specific kind of medical data have been brewing since the Supreme Court’s decision last month. Following its release, an internal petition demanding that Amazon respond more forcefully to Roe’s overturning collected thousands of signatures. Questions were raised about whether users’ Alexa voice data is subpoenable, and if Amazon’s own healthcare programs would continue providing customers with abortion care or emergency contraception.

Then this past Tuesday, six Democrats—representatives Lori Trahan, David Cicilline, Yvette Clarke, Debbie Dingell, Adam Schiff, and Sean Casten—sent Amazon a letter asking for it to describe what it’s done to protect privacy since Roe was overturned. “What steps, if any, has your company taken . . . to protect the privacy rights of those seeking to exercise their reproductive rights?” their letter asked. “Who is authorized or can be authorized to access the data you collect?”

In response to Fast Company’s request for comment, an Amazon representative stressed that it’s too early to comment on specific policy changes or contractual language since these things could still change. “The deal is not closed, and nothing is changing today,” the representative said.

Still, the deal won’t change One Medical’s obligations to comply with HIPAA and other applicable laws, Amazon noted. “Customers’ Protected Health Information is protected by Amazon’s practices and by law, including HIPAA, and we will retain our focus on this as we continue to grow our healthcare businesses, including the acquisition of One Medical.”

The company did not respond to a question about whether customers’ protected health information could still be turned over to government or law enforcement.
