FOX 13 Investigates: Your prescription records for sale

Randy Parker kept getting the life insurance offers in the mail, urging him to apply. The advertisements that said there was no physical exam required caught his eye.  

"When I saw this, I thought, maybe it would be enough to get my wife started on the next part of her life, stick me in the ground somewhere," said Parker, who has a neuromuscular disease.

He signed the form and applied.

“A week later they mailed me a letter saying I was rejected based on information from some company called Milliman IntelliScript,” he said. “They had provided all my prescription history to them and that's what they rejected me on.”

"I don't remember asking or allowing CVS or Walgreens to release that information," he continued.

In fact, his pharmacies didn't ask him. In the very fine print of his life insurance application, he was notified that he would be giving the insurance company authorization to pull from any entity that has “any records or knowledge” of his medical or prescription history.

Huge, hidden companies specialize in making that information available -- quickly.

Prescription data brokering has become a multi-billion dollar industry. While some companies specialize in collecting personal information used for underwriting, other companies specialize in providing the prescription data -- with certain personal details removed -- to marketers and researchers.

Privacy advocates say we’ve lost control of our own health information.

"The public is totally in the dark about it," said Deb Peel, a physician and founder of Patient Privacy Rights. "It's the most valuable personal information about you and people are very disturbed because they don't have control over it."

The cascade of information starts when someone fills a prescription at one of the tens of thousands of pharmacies in the country. The data goes from the pharmacy's system to the third-party that handles prescription claims for the customer’s insurance company, called the Pharmacy Benefit Manager, or PBM.

It doesn’t stay there, either. Companies like Miliman and ExamOne contract with PBMs and drug stores, so that as soon as they get the word from an underwriter, they can pull years of a patient’s prescription history within minutes. (Milliman’s software is called IntelliScript; ExamOne’s software is called ScriptCheck.)

ExamOne’s ScriptCheck is a service that’s providing information to underwriters that would otherwise be obtained through other means, according to spokeswoman Wendy Bost. 

“Today’s technologies are allowing the process to occur through a different channel,” Bost said. 

In Parker’s case, AAA Life Insurance used data obtained from Milliman to deny him life insurance coverage. Neither AAA Life Insurance nor Milliman responded to requests for comment.

“It wasn't the rejection that made me as upset -- again, I know I have a lot of medical history -- it's the fact that this company I've never heard of has all my prescription history,” he said.

Now another company does, too.

AAA Life Insurance’s privacy policy says it may share personal information to the “consumer reporting agencies, or other entities as needed to underwrite policies, process claims, and protect against fraud,” including the Medical Information Bureau. 

Nearly all life insurance companies share information collected about applicants with the Medical Information Bureau (MIB), a clearinghouse for insurance company data sharing.  MIB creates a personal profile for individuals using its own proprietary codes, which can be passed along to other insurance companies.

MIB, which also collects information about adverse driving records and dangerous hobbies, tells FOX 13 that only authorized personnel within its member companies can access files it has about an applicant.

MIB also says it does not sell “individually identifiable information (information that is associated with individuals) to any non-member third parties.”

Selling “non-identifiable” medical records has become a big business. One of the largest medical data brokers is IMS Holdings, valued at $6.6-billion when it went public last year. IMS Holdings buys patients’ prescription data and then resells is for things like research and marketing.

Privacy advocates say enough details can be included in “anonymous” medical data sets that they run the risk of being re-identified to individuals.   

IMS Holdings acknowledged the concerns for patient privacy in its SEC filing last year. “There are ongoing public policy discussions regarding whether the standards for de-identified, anonymous or pseudonomized health information are sufficient, and the risk of re-identification sufficiently small, to adequately protect patient privacy,” said IMS Holding’s January 2014 filing. “These discussions may lead to further restrictions on the use of such information.”

A spokesman for IMS Holdings declined to elaborate about which data fields are stripped from prescription records before the information is shared with government agencies, pharmaceutical companies and other healthcare stakeholders. 

The possibility of a data breach is another concern for privacy advocates.

In a statement, MIB said “before Internet access to MIB services is granted to a member company, MIB requires the member to obtain a digital certificate so that data transmitted to and from MIB will be encrypted using public/private key encryption technology.”

Bost said all the information transactions are done through “secure data channels and encrypted.”

Milliman IntelliScript’s website says it “prides itself on our secure systems and state of the art infrastructure that keeps consumer data confidential.”

“IMS Health strongly stands by its rigorous encryption practices and data privacy protocols,” a spokesman for IMS Health said in a statement.

That’s cold comfort for consumers who have seen and experienced the effects of numerous data breaches at major companies and institutions over the past few years.

"There's no oversight. These companies are not required to provide, through an external audit every year, about the safety of the data security,” Peel said.

Parker says he still receives advertisements from AAA Life Insurance to apply, this time for a smaller plan. He says he’s not interested in exposing his medical records any further. 

"I have not run into a single person who understands there's a credit report-type report out there that Lord knows who can get ahold of and know everything about you -- even your most sensitive stuff," he added. 

How to request a copy of your report:


Milliman Intelliscript

ExamOne ScriptCheck