Your Prescription History Is Being Sold — And the List of Buyers Will Rearrange Everything You Thought You Knew About Privacy

Every prescription you've ever filled exists in a database. Your name, your date of birth, the medication, the dosage, the prescribing physician, the date, the pharmacy. This data exists in the systems of your pharmacy, your pharmacy benefit manager, your insurance company, and potentially a data broker you've never heard of and cannot opt out of.

Pharmacy data — medical data — is bought and sold in the United States at a scale that most people, if they understood it clearly, would not believe is legal. It is legal, in many formulations, because the Health Insurance Portability and Accountability Act has well-documented gaps that allow what is called "de-identified" health information to be commercially transferred without patient consent. De-identification is a technical standard that researchers have repeatedly demonstrated can be reversed — that so-called anonymous health records can be re-identified with sufficient auxiliary data — and yet it remains the legal basis for a multi-billion-dollar health data market.

Who buys it? Pharmaceutical companies mapping which physicians prescribe which medications, to target their sales representatives. Employers making actuarial decisions about workforce health costs. Life insurers pricing policies. Data brokers aggregating it with purchasing behavior, location data, and consumer profiles to build comprehensive individual records. Political campaigns targeting voters with health-based messaging.

ProPublica and other investigative outlets have documented specific instances where sensitive health data — including psychiatric medication records, HIV treatment records, and substance use disorder treatment records — moved through data broker channels in ways that caused direct, documented harm to individuals whose information was disclosed.

The legal framework protecting your medical privacy was written before the commercial health data market existed at current scale. It has not been meaningfully updated since. The gap between the law and reality is where an industry worth billions operates daily, legally, without your knowledge.

The prescription bottle says your name. The data broker's file has your name too. You authorized exactly one of them to have it.

---

SOURCE LINK: https://www.propublica.org/article/health-data-brokers-hipaa-privacy