HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Your Name and Medical Condition in the Classified Ads

Your medical data, name and contact information could be online and up for sale. Legions of data miners are trawling the internet to unearth patients’ medical data and contact information to sell on to interested parties.

Having no known diseases does not make your health records and contact information safe, as was recently highlighted by the case of 42-year-old IT worker Dan Abate.

His contact information was listed for sale along with a statement that he had registered an interest in diabetes, indicating he had, or at least suspected he may have, the condition. In reality he has not, and never has, shown “diabetes interest,” yet his name was included in a list sold by Acxiom (ACXM), one of the largest online data brokers operating in the U.S.

The data was purchased and resold by Exact Data, and Dan’s name appeared online in the public domain in a sample of the data listed for sale. Medical databases are valuable to a broad range of companies and individuals, from blue chip companies using them for direct marketing to cybercriminals hoping to exploit their victims.


As the volume of data being stored online has increased, the number of data miners and scrapers has similarly risen. There are many individuals and companies looking to take advantage of easily available data and of its high value to marketers. While the practice in many cases is not illegal, the methods used to obtain data in some cases fall into a grey area, with some individuals and companies using illegal data collection techniques.

Individual names and records can be sold for big bucks to the right buyers, or names can be passed on for just a few cents. Highly confidential, detailed medical information can be sold for surprisingly low amounts. Current values for details of Alzheimer’s or Parkinson’s sufferers are 15 cents per name, while sufferers of erectile dysfunction are of higher value to marketers, being sold at 18.5 cents a name. Lists can contain hundreds of thousands of patients and millions of households in the US.

There are currently in excess of 1,400 companies involved in the sale of consumer data. In 2012 alone, $7 billion was spent by companies obtaining data for targeted direct marketing campaigns, according to a study by the Direct Marketing Association, and Acxiom recorded profits in excess of 1 billion in 2013.

The collection of consumer data has been happening for as long as data has been available online; however, the move into the sale of medical data has left many people feeling the practice has crossed a line and gone too far. Data companies are not required to provide details of the purchasers of their data lists, and the shroud of secrecy around the industry is causing great concern amongst privacy advocates, with U.S. Senator Jay Rockefeller recently stating “Consumers deserve to know who is profiting.”

The Federal Trade Commission has already stepped in and in May this year made recommendations to Congress to ensure consumers were informed how their data would be used and shared, and that appropriate protections should be put in place.

One problem is that while health care providers and organizations are bound by the Health Insurance Portability and Accountability Act, the legislation only covers health care providers, pharmacies, insurance companies and medical facilities. There are numerous ways by which medical data can be obtained legally, such as when the data is taken from a survey or online form by a third-party company.

According to Pam Dixon, President of the not-for-profit advocacy group World Privacy Forum, no law would have been broken in the above case. Dixon says that “If a person reveals health information to a third party outside of the health-care context, that information doesn’t have any legal protection under HIPAA.”

In the case of Dan Abate, it is believed that he was included on a list after he took part in charity cycling events to raise money for the disease and his data was sold on, although he cannot be sure. His name and address were posted online, although Exact Data Chief Executive Officer Larry Organ has since ensured they were taken down. Dan’s name was part of a list that included many other categories of individuals, with names, addresses and email addresses being sold on; the inclusion of his name and contact details in the online sample was due to an error.

There are many companies that collect data for resale and are open about the practice, even rewarding consumers for giving up their private information. Epsilon (ADS) collects data via the Shopper’s Voice Survey, which now has over 54 million households in the U.S. in its database. In exchange for completing the survey, participants are offered discount vouchers and prizes. The company offers its lists and specific data on individuals to companies for marketing purposes. Its database contains 146,000 records of households with a sufferer of Parkinson’s disease and 41,000 ALS sufferers.

Other companies offer data in similar volumes. KBM, one of the biggest companies offering access to consumer data, offers information on 82 million households collected by third-party data mining companies. The company uses this data internally in addition to supplying clients with information for targeted direct marketing campaigns.

Beach List Direct has a database available at 15 cents a name for senior citizens suffering from a wide range of conditions. The data is sold to marketers allowing them to target very specific subsets of people to get the maximum return for their marketing budget.

Pharmaceutical companies are able to specifically target patients with a particular disease rather than using mass market advertising techniques to reach just a tiny subset of the population. Drug companies looking to provide specialist treatments for conditions must be able to identify the sufferers of those conditions to be able to sell their products and keep profits high.

As long as data is available on consumers, there will be many buyers looking to use that data to help sell products and services, and appropriate controls must be put in place to protect the privacy of consumers as far as is possible.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.