Dan Abate doesn’t have diabetes, nor is he aware of any obvious link to the disease. Try telling that to data miners. The 42-year-old information technology worker’s name recently showed up in a database of millions of people with “diabetes interest” sold by Acxiom (ACXM), one of the world’s biggest data brokers. One buyer, data reseller Exact Data, posted Abate’s name and address online, along with 100 others, under the header Sample Diabetes Mailing List. It’s just one of hundreds of medical databases for sale to marketers.
As the population ages and consumers share more health data about themselves online, a burgeoning industry of data miners has emerged, scooping up often-personal medical data and selling it to marketers. While that’s a boon for companies trying to pitch products, privacy advocates warn that collection practices can cross the line. “People would be shocked if they knew they were on some of these lists,” says Pam Dixon, president of the nonprofit advocacy group World Privacy Forum. “Yet millions are.”
The lists sell for pennies a name and cover some of the most sensitive medical conditions. A database of 1.2 million people taking medication for depression costs 9.5¢ a name, and a list of almost 900,000 erectile dysfunction sufferers goes for 18.5¢ a name. For 15¢ apiece, you can buy 2.2 million households where someone has Alzheimer’s disease. The same fee will buy access to 600,000 with Parkinson’s disease.
More than 1,400 companies sell consumer data. Corporations spent $7 billion in 2012 for access to lists and databases with bits of information on individuals—ranging from whether someone owns a pet to what medication he takes—to better target their ads, according to a study commissioned by the Direct Marketing Association, a data broker trade group. Acxiom reported revenue of $1.1 billion last year.
Americans are used to being sliced and diced along demographic lines. Yet collecting massive quantities of intimate health data is relatively new territory, and many privacy advocates say it has gone too far—especially as data companies refuse to identify buyers of their lists, citing confidentiality. “It is outrageous and unfair to consumers that companies profiting off the collection and sale of individuals’ health information operate behind a veil of secrecy,” says U.S. Senator Jay Rockefeller (D-W.Va.). “Consumers deserve to know who is profiting.”
In May, the Federal Trade Commission recommended that Congress put more protections in place to ensure consumers know how the details they’re sharing are going to be used. Although there is a federal law protecting patient privacy, the Health Insurance Portability and Accountability Act, it applies only to information shared with health-care providers, medical facilities, pharmacies, and insurers along with their business associates. Everything shared outside that context is fair game to marketers, making it legal for data brokers to sell information about someone’s maladies if it was obtained or shared on a website registration form or an online survey.
“It’s not illegal at all,” Dixon says. “If a person reveals health information to a third party outside of the health-care context, that information doesn’t have any legal protection under HIPAA.”
The companies selling the data say it’s secure and contains information only from consumers who want it shared with marketers so they can learn more about their condition. The Direct Marketing Association says it has mandatory guidelines to ensure the data is ethically collected and used, and a website that allows consumers to opt out of receiving marketing material. “We have very strong self-regulation—we have for more than 40 years,” said Rachel Nyswander Thomas, the association’s vice president for government affairs.
Yet the ease with which data about Dan Abate was found in a Google search suggests the process isn’t always secure or transparent. Abate says he never agreed to be included on a list related to diabetes, and the only connection he can think of that may have landed him on the list is a few cycling events he participated in to raise money for the disease. “I don’t have diabetes,” he says, “and I don’t want my information out there to be sold.”
The diabetes mailing list containing Abate’s name was on the website of Exact Data in a section of sample lists that included dozens of other categories, such as gamblers and pregnant women. The diabetes list contained 100 names, addresses, and e-mails. Exact Data Chief Executive Officer Larry Organ says the list posted on its website shouldn’t have included last names and street addresses, and the company has since deleted any identifiable information. He says the data came from Acxiom, and Exact Data was reselling it. The Acxiom list was compiled by various sources—surveys, website registrations, and summaries of retail purchases—that indicated someone in the household has an interest in diabetes, said Ines Gutzmer, an Acxiom spokeswoman.
By Shannon Pettypiece and Jordan Robertson, Bloomberg Businessweek