Amazon’s $3.9 billion One Medical acquisition is already raising data privacy concerns

Amazon announced on Thursday that it’s buying One Medical, the subscription-based primary-care provider, in a $3.9 billion all-cash deal—one of its largest acquisitions to date.

The purchase grows Amazon’s footprint in healthcare considerably—a goal Jeff Bezos first set back in 2018, the year he and Warren Buffet and Jamie Dimon launched Haven, an Amazon-Berkshire Hathaway-JPMorgan Chase mega-venture, created to solve America’s healthcare woes. That effort fizzled out in 2021; but Amazon has stayed busy since, unveiling Amazon Care, its in-house primary- and urgent-care service for employees, and acquiring the pharmacy service PillPack.

For now, Amazon says it has only entered into a definitive merger agreement with One Medical, meaning the deal hasn’t closed yet. Those details, though, won’t stop this from representing an epic new layer of service bundling: Amazon, your online marketplace, grocer, streaming service, smart-speaker provider, and cloud-computing service, is soon to be your brick-and-mortar healthcare clinic, too. With One Medical, Amazon will get a practice consisting of over 180 offices in two dozen U.S. cities that partners with another 8,000-plus companies to provide their employees a variety of health benefits, everything from in-person to virtual care.

Around since 2007, One Medical comes with a loyal customer base, though a number of them immediately took to social media Thursday morning to raise alarms over what Amazon’s acquisition could mean for their private medical data.

Amazon has spent the last five years methodically squandering the Earned Trust needed for customers to embrace an acquisition like this.

This is disappointing along multiple axes. My cancellation request has been submitted to @onemedical.

— Corey Quinn (@QuinnyPig) July 21, 2022

I’m going to need an explainer and explicit contract around what data Amazon will/will not have access to from One Medical. This feels like a big yikes from a privacy standpoint. Love One Medical, but I’m probably out… https://t.co/htw0UwUGmJ

— Teri Hoffman (@Tornado_Teri) July 21, 2022

Polling has generally shown that consumers are wary of large tech companies with regard to data privacy, although Amazon also often ranks among the world’s most-liked brands.

All the tech giants possess untold amounts of data on billions of people. It stretches back years and can contain everything from sensitive private messages to users’ personal interests and political affiliations. Governments and police departments are increasingly interested in tapping into these data goldmines. But One Medical layers on so-called protected health information—an issue that is newly in the spotlight since the overturning of Roe v. Wade. The potential for states to prosecute people for seeking abortion care has been causing concern for some customers, privacy advocates, and public health officials.

One Medical currently has healthcare locations in Georgia, Texas, Ohio, and Arizona — all states we can expect will prosecute pregnant people for abortions or adverse pregnancy outcomes. So you can maybe see why Amazon having their medical data is, perhaps, not going to be safe! https://t.co/oK1CkbwcSY

— Robyn Swirling (@RSwirling) July 21, 2022

Concerns about how Amazon intends to protect this specific kind of medical data have been brewing since the Supreme Court’s decision last month. Following its release, an internal petition demanding that Amazon respond more forcefully to Roe‘s overturning collected thousands of signatures. Questions were raised about whether users’ Alexa voice data is subpoenable, and if Amazon’s own healthcare programs would continue providing customers with abortion care or emergency contraception.

Then this past Tuesday, six Democrats—representatives Lori Trahan, David Cicilline, Yvette Clarke, Debbie Dingell, Adam Schiff, and Sean Casten—sent Amazon a letter asking for it to describe what it’s done to protect privacy since Roe was overturned. “What steps, if any, has your company taken . . . to protect the privacy rights of those seeking to exercise their reproductive rights?” their letter asked. “Who is authorized or can be authorized to access the data you collect?”

In response to Fast Company‘s request for comment, an Amazon representative stressed that it’s too early to comment on specific policy changes or contractual language since these things could still change. “The deal is not closed, and nothing is changing today,” the representative said.

Still, the deal won’t change One Medical’s obligations to comply with HIPAA and other applicable laws, Amazon noted. “Customers’ Protected Health Information is protected by Amazon’s practices and by law, including HIPAA, and we will retain our focus on this as we continue to grow our healthcare businesses, including the acquisition of One Medical.”

The company did not respond to a question about whether customers’ protected health information could still be turned over to government or law enforcement.