On the surface, a visit to the doctor’s office is one of the most private things we do. Our physician follows an oath of secrecy dating back to antiquity. If we need medicine afterward, only the pharmacist, whose professional code of ethics calls for confidentiality, will know the details.
Except it doesn’t really work that way.
The reality is that information you take to your doctor and your pharmacy gets widely bought and sold, usually without your knowledge or consent. The aggregated results of this trade are available to marketers and researchers, but not to you. Some of the data will be used for noble ends, like helping researchers cure diseases and improve public health. Some of the data will be used for less elevated ends, like helping pharmaceutical companies hawk their products more effectively. And some of the data will be used for purposes we cannot imagine, because we have no information or legal say in the matter. It is all part of an immense hidden market for your intimate information.
Consider what happens if you’re a male patient buying a dose of Viagra. If the drug is covered by insurance, you pay only a small fraction of the total cost, and the rest comes from your insurer. To receive that payment, the pharmacist enters your details into a computer, which then delivers the data to what is called a pharmacy benefit manager, or PBM. This is an entity that acts as a claims processor, contacting the patient’s insurance company, confirming the co-pay amount, and approving the transaction. Then the pharmacy dispenses the drug.
So far, you have personally encountered only your doctor and your pharmacist. But the PBM that transmits the data has now learned that you suffer from erectile dysfunction, as has your insurance company. Sometimes other middlemen, such as the company running the pharmacy’s computer database, will find out as well. If your record of Viagra purchasing is sold off to an outside buyer, it will be stripped of your name and other identifiers, but information such as your year of birth, gender, partial postal code, and doctor’s name will typically remain.
How the middlemen make use of their records on your erectile dysfunction—or records on anything else—is something they keep secret, but most PBMs, of which the largest are Express Scripts and CVS Caremark, routinely sell data to commercial data aggregators. “Pretty much everyone who is in the business has some sort of supply arrangement for de-identified prescription data,” says Per Lofberg, executive vice president of CVS Caremark. “CVS Caremark is one of the providers of data into that marketplace.”
Lofberg’s degree of openness is rare. I’ve been researching medical privacy for several years and reached out to retailers such as Walgreens, Walmart, Publix, Costco, Ahold (whose brands include Stop & Shop and Giant Food Stores), Sears, Safeway, and Sam’s Club. All declined to comment. Representatives at Rite Aid had a variety of answers. “Rite Aid does not sell any customer information as we value our customers’ privacy,” one Rite Aid customer representative wrote me in an email. Andrew Palmer, vice president of compliance monitoring, told me that Rite Aid does sell such information, “in much the same way as others do.” Twenty minutes later, I heard back from the office assistant for Dan Miller, the senior vice president of pharmacy operations. He declined to answer the same question. Kroger stood apart in candor by confirming that they do indeed sell anonymized information to data aggregators.
All of this has been going on for decades. As far back as the late 1940s, forward-thinking entrepreneurs were obtaining invoices from pharmacists and doctors, gathering up sales data and demographic information (age and sex of the customer, for instance) to sell to pharmaceutical companies. The business became even bigger in the decades that followed. Today, the biggest of these companies, IMS Health, purchases records from doctors, from drugstores, from hospitals, and from insurance companies, annually harvesting more than 45 billion transactions across 100 countries. As of November 2014, IMS had records of more than half a billion people worldwide, up from 60 million in May 2011. They know about your health conditions, sometimes in more detail than even you have at hand.
One of the key factors driving the trade in health data is the desire among pharmaceutical companies to target their sales efforts to specific doctors. If a drug company knows that Dr. Parker hates its brand and its pills, then it won’t waste its time pitching new products to him. If, on the other hand, Dr. Smith prescribes everything that is sent her way, provided that sales reps buy her lunch, a company will make sure to target her whenever it releases a new drug. At a pharmacy convention in Boston, Doug Long, IMS vice president of industry relations, told me, “We make health care more efficient by identifying the doctors worth calling on for a particular manufacturer.”
Drug companies have many other uses for the data, too. For instance, marketers that are armed with data become able to target online ads to people with specific ailments, by matching anonymized prescription data to other commercial databases with general demographic information. For instance, if you’re suffering from diabetes, you might see advertisements for a new treatment pitched to diabetes sufferers. It’s not that the marketers know that you, specifically, have diabetes. But they know you are more likely than most people to have it, something they can see from impersonal data algorithms. The effect of this can be invasive. While data-driven guesswork is used for all sorts of marketing, from shoes to resort vacations, the targeting becomes troubling the closer it gets to our intimate health conditions.
Perhaps you thought that HIPAA, the U.S. Health Insurance Portability and Accountability Act, which has been in effect for more than a decade, was protecting your privacy. And it is protecting you, up to a point: If your name is included, your information cannot be shared without your consent. The trouble is that if your name is removed, consent is not required. Your anonymous data can become someone else’s property. And how anonymous is that data really? For a 1997 working paper, Latanya Sweeney, now a professor at Harvard University, used anonymous hospital exit records (which were available to researchers) and voter registration rolls to identify William Weld, then the governor of Massachusetts. In 2013, she showed that it was possible to identify many anonymous volunteers in the Personal Genome Project.
Defenders of current practices might say that only hyper-experts such as Sweeney are able to identify patients in anonymous records. But I am no computer scientist, and I was able to do the same sort of thing that Sweeney did. While researching my recent book, What Stays in Vegas, I tried to identify three Personal Genome Project volunteers by using nothing but their date of birth, ZIP code, and gender. Cross-referencing those details against a commercially available database of all Americans, I quickly found all three and gave each a call. “I didn’t realize it would be so ridiculously easy,” one of them told me.
Kimberly Gray, the chief privacy officer at IMS, concedes that, as anonymous patient dossiers grow more extensive, it may be possible to figure out who is who. “I don’t care how anonymous you make something. Someone, somewhere, somehow can probably figure out how to break into that,” Gray told a 2014 conference. “But it’s not easy, and at some point I think we have to accept that there is a little bit of risk in everything.”
The reason we should accept that risk, according to Tor Constantino, the global PR director of IMS, is that data aggregation can improve health outcomes. Constantino sent me a bibliography of 175 articles for which researchers had made use of IMS data and wrote, “As a global leader in protecting patient privacy, IMS Health uses anonymous healthcare data to deliver critical real-world disease and treatment insights.”
There is no doubt that big data about patients and treatment outcomes will lead to new breakthroughs and insights in medicine. Yet the vast scope of that same data also magnifies the consequences of any ruptures. So far, IMS and its rivals have not been linked to huge data breaches, but other organizations haven’t been so lucky. More than 41 million people were affected by U.S. health record breaches from 2009 to the end of 2014, according to data from the U.S. Department of Health and Human Services. Then, in January of this year, Anthem Health announced that much of its patient data, including employment and income information on nearly 80 million people, had been compromised in a hacking attack the month before. Anthem was just lucky that the spill wasn’t worse. If your bank account gets breached, your bank can restore any pilfered funds. If your health records go public, no one can restore your privacy.
There is no perfect way to balance the competing priorities of using big data for improved health outcomes and protecting our personal information. Opinions on which interests should come first will differ—and should. But the debate cannot be open, honest, or effective if major companies like Walgreens or Safeway are secretive about what they do. People are often generous when it comes to volunteering personal data for the purpose of advancing medicine. They are less so when it comes to enriching sellers of information. Either way, the proper course of action is disclosure. Simply put, if our medical data is being bought and sold, we deserve to know it—and have a say. Perhaps making our data available to others is as helpful to medicine as IMS claims. But shouldn’t that be up to us?
Reporting for this article was made possible by a grant from New York University’s Arthur L. Carter Journalism Institute.
Submit your response to this story to letters@psmag.com. If you would like us to consider your letter for publication, please include your name, city, and state. Letters may be edited for length and clarity, and may be published in any medium.
For more from Pacific Standard, and to support our work, sign up for our email newsletter and subscribe to our print magazine, where this piece also appeared. Digital editions are available in the App Store and on Zinio and other platforms.
