When participants enroll in Alzheimer’s disease clinical trials, they generate extensive medical data—cognitive test scores, brain imaging scans, blood biomarkers, genetic information, and detailed medical histories. What happens to all this information after the trial concludes is governed by a strict framework of federal regulations, privacy protections, and sponsor policies that most participants never see. Test data from Alzheimer’s trials is retained for specific periods mandated by law (typically 6-25 years depending on the data type and regulatory pathway), securely stored under HIPAA and FDA rules, and may be archived for future research, destroyed after retention periods expire, or de-identified and shared with other researchers—with participant data generally protected from public disclosure.
The handling of Alzheimer’s test data reflects the tension between advancing medical science and protecting individual privacy. Participants must provide informed consent for how their data will be used, yet many don’t fully understand that their data may exist in multiple copies across trial sponsors, contract research organizations, regulatory agencies, and data repositories for decades after the trial ends. Understanding what happens to this data matters because it affects not only privacy and data security but also the future trajectory of Alzheimer’s research and potential treatments.
Table of Contents
- How Is Alzheimer’s Test Data Managed During Active Clinical Trials?
- Regulatory Data Retention Requirements and Long-Term Storage
- What Happens to Data When an Alzheimer’s Trial Ends or Is Terminated Early
- Participant Privacy Rights and Data Access
- Data Security Risks and Breach Scenarios
- De-Identification, Data Sharing, and Secondary Research
- What Sponsors Do with Data After Regulatory Approval
How Is Alzheimer’s Test Data Managed During Active Clinical Trials?
During an active Alzheimer’s trial, participant data flows through multiple systems with different security requirements. Cognitive assessments like the Mini-Cog or Montreal Cognitive Assessment are entered into electronic data capture (EDC) systems, which are password-protected and audited for compliance with FDA 21 CFR Part 11 standards—the federal regulation governing electronic records in clinical research. brain imaging files (MRI, PET scans) can be enormous (hundreds of megabytes per scan) and are typically stored in separate, encrypted repositories with restricted access. Blood work results, genetic data, and biomarker information are often maintained in clinical laboratories under CLIA certification (Clinical Laboratory Improvement Amendments), which is a different but overlapping regulatory regime.
The data is also redundantly backed up. By regulation, trial sponsors and contract research organizations must maintain copies of all participant records, with many keeping multiple versions on separate servers in geographically distinct locations. This redundancy protects against data loss but means your Alzheimer’s test data may exist in four or five separate secured systems simultaneously—the trial site’s internal records, the sponsor’s central database, the backup system, the regulatory database (FDA requires submission of trial data), and potentially cloud storage. All of these must comply with HIPAA’s Security Rule (45 CFR Part 164), which mandates encryption in transit and at rest, access controls, audit logging, and annual risk assessments. Importantly, if a trial site or sponsor experiences a breach affecting 500 or more residents of a state, they must report it to the HHS Office for Civil Rights and notify participants—a breach that happened in a large Alzheimer’s trial would become public knowledge.
Regulatory Data Retention Requirements and Long-Term Storage
Federal law does not specify a single universal retention period for clinical trial data; instead, the requirement depends on the type of data and the regulatory pathway. The FDA’s general guidance, based on ICH E6(R2) (International Council for Harmonisation Good Clinical Practice guideline), requires that trial data be retained for at least 2 years after marketing approval or final regulatory decision—but this is a minimum. Many Alzheimer’s trials involve older drugs or investigational compounds, and retention often extends to 5, 10, or even 25 years. For example, if a trial is supporting a new Alzheimer’s drug application to the FDA, the FDA may retain regulatory authority over the data for the life of the approved drug, which could mean 20+ years. Biogen’s aducanumab (Aduhelm) trial data, submitted for FDA approval in 2020, would be retained well into the 2040s under current regulations.
De-identification and long-term archival create additional complexity. Researchers may permanently de-identify Alzheimer’s test data so it can be freely shared with other scientists—stripped of names, birthdates, medical record numbers, and other direct identifiers—but they must do so carefully. The HIPAA Safe Harbor method requires removing 18 categories of identifiers, but even de-identified data can sometimes be re-identified if researchers compare it to public databases or genetic information. Once de-identified, data can be retained indefinitely, and it commonly is—the National Alzheimer’s Coordinating Center (NACC), funded by the NIH, maintains de-identified data from thousands of participants in Alzheimer’s studies going back decades, allowing new researchers to mine this historical data for new insights. A limitation of long-term retention is that older data may become less useful as diagnostic criteria and imaging standards evolve; cognitive scores from 2000 are harder to compare to scores from 2024 because testing methods have changed.
What Happens to Data When an Alzheimer’s Trial Ends or Is Terminated Early
The fate of participant data depends on whether the trial succeeded, failed, or was stopped early, and what the trial sponsor decides to do. In a successful trial, the data becomes part of the regulatory submission package to the FDA, which means the data is now held in government archives and subject to the Freedom of Information Act (FOIA)—though identifying information is typically redacted before release. When Eli Lilly completed its Phase 3 trials for lecanemab (Leqembi), a new Alzheimer’s treatment approved by the FDA in 2023, millions of pages of trial data were submitted to the FDA and entered the public record (in redacted form). Participants in that trial cannot prevent their data—even de-identified—from potentially being released under FOIA to researchers, journalists, or companies analyzing the drug’s safety profile.
If a trial is terminated early due to futility (the drug didn’t work) or safety concerns, sponsors typically retain the data for the same regulatory periods as completed trials. When the aducanumab trial faced enrollment challenges and early termination hints in 2019-2020, Biogen maintained all participant data, and regulators required them to continue storing it because it still informed the regulatory decision about whether to pursue approval. Participants in terminated trials generally have the right to request their individual data or to request that their data be destroyed, but the process varies by sponsor and institutional review board (IRB). The requirement to honor destruction requests exists in theory but is inconsistent in practice; some sponsors honor destruction requests immediately, while others argue they cannot comply if the data has already been de-identified and merged into research databases.
Participant Privacy Rights and Data Access
Participants in Alzheimer’s trials have legal rights regarding their data that are often poorly explained. Under HIPAA’s Privacy Rule, a participant can request a copy of their own health information, including all trial-related cognitive test scores, imaging results, and medical history, typically within 30 days. However, this right has exceptions: researchers can withhold information if they believe disclosure would harm the participant (e.g., explaining that imaging shows early brain atrophy might cause psychological distress), though this exception is narrowly construed. Participants also have a right to request amendment of their records if they believe data is inaccurate, though researchers can deny the amendment if they dispute the inaccuracy.
Participants do not, however, have a broad right to prevent their de-identified data from being used in future research or shared with other institutions. The informed consent form signed at trial enrollment typically includes language authorizing the sponsor to use data for regulatory submissions, future research, and publication. Withdrawing from a trial does not automatically withdraw consent for data use; that requires a separate request and is not uniformly honored across institutions. A comparison: if you participate in an Alzheimer’s trial in 2024, your de-identified cognitive scores might be used in a different study analyzing predictors of progression in 2030, and you may never be informed of this secondary use. This is permissible under the Common Rule (45 CFR Part 46) if the data is de-identified, but it represents a limitation on individual control that participants rarely understand when they enroll.
Data Security Risks and Breach Scenarios
Despite robust regulatory requirements, breaches of clinical trial data do occur. Trial sites and sponsors vary widely in their implementation of HIPAA security controls; a small site might store login credentials on sticky notes, while a major pharma sponsor maintains military-grade encryption. The Office for Civil Rights has investigated numerous breaches involving clinical trial data. In 2021, a healthcare system involved in Alzheimer’s research experienced a ransomware attack affecting trial records from several hundred participants; the organization paid a settlement and implemented additional security measures.
The risk is heightened for older trials whose data is maintained on legacy systems with poor security posture—data from Alzheimer’s trials conducted in the 1990s and 2000s may be stored on systems that pre-date modern encryption standards. A specific limitation of current data protection is that genetic and biomarker data from Alzheimer’s trials can pose unique privacy risks. If an Alzheimer’s trial includes APOE genetic testing (the strongest genetic risk factor for late-onset Alzheimer’s), this information can be used to predict disease risk, and some insurers have theoretically sought such data to inform coverage decisions (though federal law currently prohibits genetic discrimination in health insurance). Participant data from trials may also be subpoenaed in legal proceedings, such as disability claims or criminal cases, and although clinical data has some legal protections, complete confidentiality is not guaranteed. The scenario of trial data being used for purposes beyond medical research—law enforcement, immigration proceedings, insurance underwriting—is remote but possible.
De-Identification, Data Sharing, and Secondary Research
De-identification is the most common pathway for Alzheimer’s trial data to support future research without ongoing consent. The NIH National Alzheimer’s Coordinating Center (NACC) maintains a repository of de-identified cognitive, neuroimaging, and biomarker data from over 30,000 participants in various Alzheimer’s studies. Researchers worldwide can access this data to answer new research questions—for example, a 2023 study used historical NACC data to identify biomarker patterns that predict cognitive decline, potentially years before symptom onset.
This secondary use would never have been possible if all participant data had been destroyed at the end of the original trials. De-identification removes names, medical record numbers, dates of birth, and addresses, though dates of visit and age at visit are often retained to preserve temporal relationships in the data. A specific example: an Alzheimer’s trial that enrolled participants from 2010 to 2015 with follow-up visits might contribute de-identified data showing cognitive scores at visits in 2012 and 2014, with participant age (e.g., “age 73 at first visit”) but no birth date or identity.
What Sponsors Do with Data After Regulatory Approval
Once a new Alzheimer’s drug receives FDA approval, the trial data continues to have value and is often archived rather than destroyed. Sponsors maintain these datasets for pharmacovigilance (monitoring safety in real-world use), for post-marketing studies, and for competitive intelligence (understanding what efficacy they achieved helps competitors benchmark their own drugs).
Eli Lilly’s lecanemab trial database, for example, contains detailed information on cognitive decline trajectories, biomarker changes, and adverse effects in thousands of participants; this data informs ongoing monitoring and future trial design for newer drugs in development. The data is contractually restricted and not publicly released, but it exists and is regularly accessed by the sponsor’s research teams. A concrete detail: when the FDA approves a drug with conditions (like required post-marketing studies), the sponsor must retain the original trial data to support those studies, which can extend retention timelines to 10-15 years or longer.





