Your Private Medical Records Are Being Sold to Drug Companies

Even worse, half of all US states leave enough information in the records that YOU can be clearly identified. Action Alert!
Hospitals and other medical organizations are supposed to be bound by HIPAA (the Health Insurance Portability and Accountability Act) to keep medical records private. Patient information that is shared is supposed to be stripped of key identifying information (this is known as the Safe Harbor rule). However, HIPAA and other privacy legislation are riddled with loopholes—so many that it has been estimated that over 800,000 organizations can access your records.
Here is one big, fat loophole: state public health agencies are exempt from Safe Harbor rules when they sell private medical records as part of a health database. When this medical data is cross-referenced with other public information (such as news reports and other databases), it can reveal your identity.
Many states in the US voluntarily follow HIPAA guidelines when sharing electronic medical records, but at least twenty-five states leave some combination of identifying information that makes it possible for whoever buys the data to pinpoint anyone’s personal medical record—and then make it public. Records in Washington, New York, New Jersey, Tennessee, and Arizona were particularly vulnerable, according to records reviewed by Bloomberg News and Latanya Sweeney, director of Harvard University’s Data Privacy Lab.
Who would want this data? The drug industry, for one. Pharmaceutical companies are major buyers of these medical records—they use them to design ads to doctors and target potential patients. Other buyers include IMS Health, a provider of prescription data, also used by drug companies; OptumInsight, a division of UnitedHealth Group, the country’s biggest health insurer; and WebMD, which uses the data to tailor information found on their website.
As the public becomes more aware of just how vulnerable electronic medical records (EMRs) are, consumers may be more reluctant to seek medical care. Patients rely on doctor–patient confidentiality, and that sacred trust is meaningless if one’s information is sold to the highest bidder.
Case in point: there is a new form of gonorrhea that is resistant to cephalosporin and other antibiotics. This is a serious public health concern, and one that requires careful treatment (not to mention a great deal more research). While young people are at the highest risk for gonorrhea, they are also the most likely to hesitate to see a doctor—particularly for such a personal, potentially humiliating issue—if they fear their private information will be exposed.
In addition, EMRs can cost taxpayers money. The digital nature of the data means it is much easier for doctors to overbill, whether by mistake or through fraud. As we reported in February, doctors can claim to provide more services than they actually do; they can also cut and paste the same examination findings for multiple patients for the sake of expediency, even if those same findings only applied to one or two. EMRs can actually increase the paperwork burden, are subject to serious technological glitches, and of course are tremendously vulnerable to hackers and other security violations.
In an interesting new trend, many doctors are choosing to operate outside the system altogether, providing “concierge” medical services to patients on a prepaid membership-fee basis rather than on a standard insurance model. Some concierge doctors stop accepting insurance altogether and can charge as little as $38 a month, though for most people the annual fee amounts to roughly $4 to $5 per day. This system can be a win/win for doctors and patients: patients’ medical records can more easily be kept outside of the huge medical record databases; it can cut down on unnecessary treatments and, of course, high insurance costs; and it allows doctors to see fewer patients and give the ones they have more personalized care.
Most of the medical industry, however, is still stuck in this miasma of messed-up medical records, poor security, and legal loopholes that allow patients’ private information to be publicly exposed.
Action Alert! Ask Congress to amend HIPAA to allow patients to opt out—to keep their medical information from being sold or shared with any entity that is not currently giving the patient medical treatment.



  1. This all makes a lot of sense. I’ve always wondered why doctors insist on getting our SSN for their records. It seemed pointless.
    Big Brother is watching out for all his children.

  2. This is soooooooo disgusting, I would like to ship all of the jerks to the Bering Sea, out in the middle of it. When will they start telling us to go to bed??????????

  3. RE: Dear Congress, I’ve never heard of any medical facility having the right to give any of your medical records to anyone unless the person signs a waiver stating so. Please do not let these medical places do this to anyone. Protect our medical information.

  4. I am disgusted. As a registered nurse, I know I cannot share patient information with anyone who doesn’t have a “need to know” because they are also treating the patient. Medical records are even protected from sharing with a patient’s spouse! But apparently privacy falls by the wayside when it comes up against drug company greed for another dollar. When will Congress act like they represent the people instead of the corporations who have bribed them? If I can’t read my husband’s medical records, and he can’t read mine, then the pharma companies shouldn’t be able to read either. Stop selling our privacy protected medical information! Stop it now!

    1. They should not have much of a record on me. I’ve been practicing alternative medicine since January, 1989. I do not need even their aspirins. As long as huge money making corporations are in control of our health care system, it will all be about profits, not about what is truly best for our health.

  5. Didn’t the Patriot Act allow for this EMR sharing? I remember years ago visiting a doctor and being asked to sign some document via the Patriot Act that would give them permission to share medical information. I refused to sign the document and was denied treatment from my eye doctor. Anyone who signed that document very basically agreed to the sharing of EMRs which by the way includes a lot more personal info than just medical. Since so many Americans regularly visit doctors, the medical and insurance industry have been used ever since as a national database for all sorts of personal info.
    Credit scores, job history, education, property values, assets, income/tax info, neighborhood demographics and other info can be and is often acquired by doctors and can have a direct influence on treatment and medical costs/charges. Veterinary medicine has also become part of this national database. Employers can have access to medical history as well as credit history. Oh and that ‘emergency contact’ name that they always ask for is really there for collection purposes and rarely if ever used in a health emergency. I was admitted to a hospital once in a dire emergency and no one bothered contacting the two people I had listed as emergency contacts in my file.
    I still haven’t signed that Patriot Act medical document and never will.

  6. It is all true! Your so-called “reward cards” that you use to purchase your medications and those food store cards! When you filled out those little forms and supplied your signature? You granted permission to sell all of your drug needs and food items information to any and all interested parties who pay as little as a few cents to upwards of $75.00 per name!!! Yea you’re gonna get your rewards! These sales allow the businesses to make MILLIONS on your collective names. The favourite question of the thieves at checkout? Do you have a rewards card??? WELL DO YOU?

  7. I agree that we have a right to our privacy and no limits to what kind of relationship we have with our healthcare providers. I have developed a discount plan to make it more affordable to see medical doctors and holistic providers and keep your own records. We are starting the grass roots movement in Michigan, check us out at

  8. I’ve been suspicious of this for a long time, and hope that there is enough evidence that it has to be stopped. It is breaking the Doctor and Patients Confidentiality Laws. Corporations and Pharmaceutical companies never should have had access to these records to begin with.

  9. I also think these corporations and pharmaceutical companies hack into people’s info through insurance records which they should not have access to either. That’s why I’ve always hated those pharmacy discount cards. It’s like an instant tattle on your insurance business!!!
