Dan Abate doesn’t have diabetes nor is he aware of any obvious link to the disease. Try telling that to data miners.
The 42-year-old information technology worker’s name recently showed up in a database of millions of people with “diabetes interest” sold by Acxiom Corp., one of the world’s biggest data brokers.
One buyer, data reseller Exact Data, posted Abate’s name and address online, along with 100 others, under the header Sample Diabetes Mailing List. It’s just one of hundreds of medical databases up for sale to marketers.
In a year when former National Security Agency contractor Edward Snowden’s revelations about the collection of U.S. phone data have sparked privacy fears, data miners have been quietly using their tools to peek into America’s medicine cabinets. Tapping social media, health-related phone apps and medical websites, data aggregators are scooping up bits and pieces of tens of millions of Americans’ medical histories. Even a purchase at the pharmacy can land a shopper on a health list.
Never miss a local story.
“People would be shocked if they knew they were on some of these lists,” said Pam Dixon, president of the non-profit advocacy group World Privacy Forum, who has testified before Congress on the data broker industry. “Yet millions are.”
They’re showing up in directories with names like “Suffering Seniors” or “Aching and Ailing,” according to a Bloomberg review of this little-known corner of the data mining industry. Other lists are categorized by diagnosis, including groupings of 2.3 million cancer patients, 14 million depression sufferers and 600,000 homes where a child or other member of the household has autism or attention deficit disorder.
The lists typically sell for about 15 cents per name and can be broken down into sub-categories, like ethnicity, income level and geography for a few pennies more.
Some consumers may benefit, like those who find out about a new drug or service that could improve their health. And Americans are already used to being sliced and diced along demographic lines. Lawn-care ads for new homeowners and diaper coupons for expecting moms are as predictable as the arrival of the AARP magazine on the doorsteps of the just-turned 50 set. Yet collecting massive quantities of intimate health data is new territory and many privacy experts say it has gone too far.
“It is outrageous and unfair to consumers that companies profiting off the collection and sale of individuals’ health information operate behind a veil of secrecy,” said U.S. Senator Jay Rockefeller, a West Virginia Democrat. “Consumers deserve to know who is profiting.”
Rockefeller and U.S. Senator Edward Markey, a Democrat from Massachusetts, introduced legislation in February that would allow consumers to see what information has been collected on them and make it easier to opt out of being included on such lists. In May, the Federal Trade Commission recommended Congress put more protections around the collection of health and other sensitive information to ensure consumers know how the details they are sharing are going to be used.
The companies selling the data say it’s secure and contains only information from consumers who want it shared with marketers so they can learn more about their condition. The data broker trade group, the Direct Marketing Association, said it has its own set of mandatory guidelines to ensure the data is ethically collected and used. It also has a website to allow consumers to opt out of receiving marketing material.
“We have very strong self regulation, we have for more than 40 years,” said Rachel Nyswander Thomas, vice president for government affairs for the DMA. “Regardless of how the practices are evolving, the self-regulation is as strong as ever.”
Yet the ease with which data is discoverable in a simple Google search along with Bloomberg interviews with people who showed up in one such database suggest the process isn’t always secure or transparent.
Dan Abate said he never agreed to be included in any list related to diabetes. Two other people on the same mailing list said they didn’t have diabetes either and weren’t aware of consenting to offer their information.
In Abate’s case, neither he nor anyone in his family or household has diabetes and the only connection he can think of for landing on the list are a few cycling events he participated in for a group that raises money for the disease.
“I could understand if I was voluntarily putting this medical information out there,” Abate said. “But I don’t have diabetes, and I don’t want my information out there to be sold.”
Bloomberg found the diabetes mailing list on the website of Exact Data in a section for sample lists that included dozens of other categories, like gamblers and pregnant women. The diabetes list contained 100 names, addresses and e-mails. Bloomberg sent e-mails to all of them, and three consented to interviews. There were no restrictions on who could access the list, available on search engines like Google.
Exact Data’s Chief Executive Officer Larry Organ said the list posted on its website shouldn’t have included last names and street addresses, and the company has since deleted any identifiable information. He said the data came from Acxiom and Exact Data was reselling it.
The Acxiom list was compiled by various sources, including surveys, registrations, or summaries of retail purchases that indicated someone in the household has an interest in diabetes, said Ines Gutzmer, a spokeswoman for the Little Rock, Arkansas- based company. While Gutzmer said consumers can visit the Acxiom website to see some of the information that has been collected on them, she declined to comment about how any one individual was placed on the list.
One of the more common ways to end up on a health list is by sharing health information on a mail or online survey, according to interviews with data brokers and the review of dozens of health-related lists. In some cases the surveys are tied to discounts or sweepstakes. Others are sent by a company seeking customer feedback after a purchase. The information is then sold to data brokers who repackage and resell it.
Epsilon, which has data on 54 million households based on information gathered from its Shopper’s Voice survey, has lists containing information on 447,000 households in which someone has Alzheimer’s, 146,000 with Parkinson’s disease, and 41,000 with Lou Gehrig’s disease. The Irving, Texas-based company provides survey respondents with coupons and a chance to win $10,000 in exchange for information on their household’s spending habits and health.
The company will share with individual consumers specific information it has gathered, said Jeanette Fitzgerald, Epsilon’s chief privacy officer.
KBM Group, one of the largest collectors of consumer health data based in Richardson, Texas, has health information on at least 82 million consumers categorized by more than 100 medical conditions obtained from surveys conducted by third-party contractors. The company declined to provide an example of the surveys. KBM uses the information for its own marketing clients, and sells it to other data brokers, said Gary Laben, chief executive officer of KBM.
“None of our clients wants to engage with consumers or businesses who don’t want to engage with them,” he said. “Our business is about creating mutual value and if there is none, the process doesn’t work.”
Data repackaging is extensive and pervasive. The Suffering Seniors Mailing List help marketers push everything from lawn care to financial products. It consists of the names, addresses, and health information of 4.7 million “suffering seniors,” according to promotional material for the list. Beach List Direct Inc. sells the information for 15 cents a name. Marketed as “the perfect list for mailers targeting the ailing elderly,” it contains a breakdown of those with diseases like depression, cancer and Alzheimer’s, according to its seller’s website.
Clay Beach, the contact on Beach List’s website, did not return calls and e-mails over the past month.
Little is known about who buys medical lists since data brokers say their clients are confidential, Rockefeller said at a hearing on the issue in December.
Promotional material for the Suffering Seniors data found by Bloomberg on Beach List’s website initially included a list of users. The names of those users have since been removed.
One customer was magazine publisher Meredith Corp., which used the list in a test for a subscription offer for Diabetic Living magazine, said Jenny McCoy, a spokeswoman. Other users have included the American Diabetes Association, which said a small portion of names from the list was given to one of its local chapters, and Remedy Health Media, a publisher of medical websites.
Remedy Health may have used the list to advertise one of its magazines, which has been defunct for several years, said David Lee, the company’s executive vice president of publishing.
A growing source of data fodder are website registration forms that ask for health information in order for a user to access the site or receive an e-mail newsletter.
One such site is Primehealthsolutions.com, which provides basic health information on a variety of conditions. It makes money by collecting data on diseases its users have been diagnosed with and medications they are taking, which people disclose when signing up for the site’s e-mail newsletter.
The site has more than three dozen lists for sale, including a tally of 2.2 million people with depression, 267,000 with Alzheimer’s, 553,000 with impotence, and 2.1 million women going through menopause.
Jason Rines, a co-owner of Prime Health Solutions, said he will share the lists only with those marketing health-related products, like pharmaceutical or medical device makers.
Acxiom said it uses retail purchase history or magazine subscriptions to make assessments about whether someone has a particular disease interest.
Health data collection is troubling to people like Rebecca Price, who has early-stage Alzheimer’s disease. While she now makes no secret of her disease and serves as a member of the Alzheimer’s Association’s early stage advisory group, that wasn’t always the case. Price, a 62-year-old former doctor, said she initially didn’t even tell her husband of her condition for fear word would get out and harm her personally and financially.
“It is a very, very personal diagnosis,” Price said.
Social media is another potential way information can be collected on patients, said Dixon, of the World Privacy Forum, who warns patients to be more careful about what they share on sites like Facebook.
“Don’t ‘like’ the hospital website or comment ‘thank you for the great breast cancer screening you gave me,’” she said. “Under the Facebook policy that is public information and it is in the wild and if someone goes to that site and pulls it off, it is totally public.”
While it would be possible for data miners to scrape ‘likes’ and public comments from Facebook Inc.’s social network, the company said such practice is against company policy and, if discovered, would be blocked.
“We don’t allow third-party data providers to scrape or collect information without our permission,” said Facebook spokeswoman Elizabeth Diana. “Third-party data providers that work with Facebook don’t collect personally identifiable information and are subject to our policies.”
For consumers who want to know what list they may be on, there are limited options. KBM for example doesn’t have the technological capabilities to look up an individual by name and tell them what lists they are on, though they can purge a name from all their lists if requested to do so, said CEO Laben.
Acxiom started a website last year that allows people to view some of the information it has on them. Those who choose to can correct or remove their data.
Epsilon’s Fitzgerald says the best way for consumers to protect themselves is to be more aware of where they are sharing their information and pay more attention to website privacy policies.
“If people are concerned, don’t put the information out there,” Fitzgerald said. “Consumers would be better served if they were educated more on what is going on on the web.”