You Asked, We Answered: Are My Health Records Being Sold To Advertisers? | New Hampshire Public Radio

You Asked, We Answered: Are My Health Records Being Sold To Advertisers?

Jan 24, 2020

Every great mystery begins with a first clue. For NHPR listener Hannah Robinson it was a series of letters in the mail.

“I started receiving mail communications from the AARP and hearing aid coupons,” said Robinson, “and I’m still getting invitations to join retirement specialists for dinners and things like that -- just things for someone who is much older.”

Robinson is just 37 years old. She’s decades away from retirement and her hearing works just fine. And yet, a recent flyer from a hearing aid center asks her a cryptic question: “is it hearing loss? or just earwax?”

At first, Robinson found all of this a little amusing. But the more mail she got, the more she began to wonder if the reason groups like AARP seemed to think she was older was not some random mistake, but because they knew something about her. Something very personal. Something they could potentially use to their advantage.

Just a few months before she started receiving the mysterious letters, Robinson had a stroke.

“And it’s just very suspicious, the timing, because I obviously had a medical thing that happened that’s more common for people who are 65 and older. So I really just kinda wonder if it’s linked,” said Robinson.

Did AARP somehow find out that Robinson had a stroke? Were they using her medical data to sell her a membership? Is this just a coincidence?

That was the question that Robinson brought to The Second Greatest Show on Earth, NHPR’s new podcast that answers listeners’ questions about New Hampshire.

NHPR health reporter Jason Moon took on the case and explored the shadowy, complex world of data-collection and targeted advertising.

The Retail Theory

Riley says to figure this out I’ll need to broaden my notion of what counts as health information. Because she says, it’s not just medical records. Plenty of things we do outside the doctor’s office, like shopping, leave hints about the state of our health. Those hints could be as obvious as limping up to the counter to buy a set of crutches, or something more subtle, like a grocery cart full of gluten-free food.

“I could probably tell you more about your health by what you buy in the grocery store than I could through your health records,” said Riley. “You’re probably more truthful in your grocery store buying than in what you tell your physician.”

HIPAA does not protect information about your retail purchases the same way it does your medical records. While your diagnosis of a rash is kept confidential by law, the fact that you bought an over-the-counter cream to treat rashes is not.

“We have a very sectorial notion of privacy. We have banking law, we have health law,” said Riley. “And that made sense 50 years ago. But it doesn’t make sense when you start thinking about retail operations being able to, with complex algorithms, make determinations about what you’re doing.”

In light of this, retailers have developed clever ways of collecting information about us while we shop: loyalty cards that track your purchases over time, store apps that can take location data from your phone -- ever been asked for your zip code at the register?

Once retailers have all this information about you, they use it in two ways. The first way is what you might expect: they use the data to market their own products to you. But you might not expect how sophisticated some stores can get with this.

“There’s a very famous story that everyone knows in the privacy side that involves Target,” said Riley, “which through its own algorithms was able to identify a teenager who was pregnant before even her own family knew.”

So if Target can figure out a shopper is pregnant based on their purchases, it seems possible another store could’ve figured out that Hannah had stroke based on her shopping habits.

But obviously, AARP is not a retail store. How would they have found out?

That brings us to the second thing that some retailers do with the data they collect about you. They sell it. Meaning that the data that one company collects about you doesn’t always stay with that company. It can end up influencing the way a totally different company advertises to you.

So in Hannah’s case maybe that means she bought some stuff that somehow signaled to one store that she had a stroke, which got her categorized as an older person, then that information was sold and eventually ended up in the hands of groups like AARP.

Makes sense. But there’s a problem. Pregnancy definitely leads to a whole bunch of new purchases that could give you away. But a stroke? What does a stroke victim buy from the store?

Let’s look at some other suspects before we decide.

The Cookie Theory

Jennifer King is Director of Consumer Privacy at Stanford Law School and a self-described “privacy zealot.” When I told her Hannah’s story, Jennifer immediately suspected it had to do with the internet.

“If she went to a site that was specifically on that topic, that site could’ve profiled her through cookies,” said King. “That could’ve been the thing that did her in.”

This ‘cookie theory’ starts with the fact that almost every website makes use of tiny files called cookies that are automatically downloaded by web browsers through normal use of the internet. In essence, cookies are the way that websites remember you. They’re how Google keeps you logged in to your email even after you close your web browser. It’s how Amazon puts things into a digital ‘cart.’ 

Some cookies, like the ones mentioned above, are called first-party cookies because they come directly from the website you’re visiting. 

But your browser also collects third-party cookies from the ads on a website. Third-party cookies don’t just record what you do on the website where you picked them up, they follow you, keeping track of your activity across different websites over time.

“What they try to do is to track you across space and time, essentially,” said King. “To build as rich of a profile as they can about you.”

Ever look at a pair of shoes on one website, then get an ad for those same shoes on five other websites? Third-party tracking cookies make that possible.

“It’s more or less generalized surveillance,” King argues. “Simply getting consent, which in this country is really a joke, making you click on a ‘terms and conditions’ button, assuming you read a privacy policy popping up a 6,000 word document in front of you and saying “better read it.” In this country today, that’s enough to allow you to get away with generalized surveillance.”

But it’s one thing to surveil the activity of one web-browser across the internet. How do we get from that to receiving targeted snail-mail advertising at your home address?

For that we need to enter the world of the data brokers. This is a video from one the world’s largets data-brokers, Acxiom, which claims to have data on 2.5 billion consumers.

 

Looking to advertise specifically to consumers who are more likely to order groceries online? Or how about consumers with a “propensity to celebrate St. Patrick’s Day”? Or how about people who only tune in to the big football game to watch the commercials?

These are actual categories of consumers that Acxiom says it can give companies access to. And it doesn’t stop there. Data brokers have reportedly tracked religion, sexual-orientation, and even life changing events.

 


In 2014, a data broker sold a mailing list to Office Max that accidentally included one datapoint about a particular customer in the mailing address. The address on the envelope addressed to Mike Seay read: Mike Seay, daughter killed in crash crash, or current business.

Mike Seay’s daughter had in fact died in a car crash about a year earlier.

Speaking to a TV reporter, Seay expressed his shock and outrage.

“Why would they have that kind of information? Why would they need that? What purpose does it serve anybody to know that? And how much more information, if they have that, do they have on me? Or anyone else?”

How do they do this? King says in recent years data brokers have learned to marry the techniques of online and offline data collection.

“They’re the ones who are trying to create a comprehensive profile of you. And so that’s the aggregate of the online and the offline data.”

Here’s an example of how it could have worked in Robinson’s case.

Step 1: Let’s say years ago Robinson signed up for in-store credit card at a clothing store. To apply for the card, she had to give the clothing store her name, home address, and email address.

Step 2: That clothing store sells all that information to a data broker. Now the data broker has Robinson’s name, her email address, and her home address in one data set. That’s important, because now any online activity the databroker can associate with Robinson’s email address, they can also associate with her actual name and home address.

Step 3: Robinson has a stroke, and while in recovery, she does what any of us would do, she goes all over the internet to learn more about her condition. In the process, her web browser accumulates dozens of tracking cookies.

Step 4: The information those tracking cookies collect about Robinson’s web activity is sold to the same databroker that has her info from the clothing store. That databroker matches up her online activity with her offline identity. Then they take everything they know about Hannah and label her with different consumer categories. Because she visited websites about strokes she categorized as an older person.

Step 5: The databroker sells a mailing list to AARP of people over the age of 65. A list which contains the name Hannah Robinson, (actual age 37).

This is the cookie-theory view of the case. Complicated and far-fetched though it may seem, something like it has happened before.

“One day out of the blue, I got this mailer from AARP suggesting that as a newly over-65 year old, I should think about getting membership.”

Kalev Leetaru is a researcher focusing on cyber-security and digital privacy. And in his mid-thirties he suffered the same fate as Robinson: mysterious letters from AARP.

Being an expert in the world of digital privacy, Leetaur decided to investigate. He decided to confront AARP directly.

“And they were really helpful and apologized profusely and said that they had gotten me from one of these data brokers had prepared a mailing list for them,” said Leetaru.

But what does it mean that for both Kalev and Hannah, that the targeted advertising was so off-the-mark?

Kalev discovered that despite the ubiquitous tracking methods and fancy data analysis, the data brokers can get it wrong. By a lot.

“I looked at my own data. I requested my data from a whole bunch of these, some of the biggest names out there, these data brokers,” said Leetaru. “And they ranged between 75 and 80 percent wrong. And they were wildly, wildly wrong.”

Kalev says his own data dossier predicted he would be predisposed to Forever 21, Sephora, children’s lunch box meals, and imported beer. All things Kalev says he doesn’t buy and has no interest in.

“If the data is this bad you start asking the question of: yes it’s Orwellian but if that’s bad is that scary?”

I’ll leave it you to answer that question. But as far as Hannah’s original question goes, it looks like we might have our answer: the cookie theory. It’s very plausible that after her stroke she went online to learn more about strokes. And we know that in at least one case AARP bought a list of names from a data broker.

But now that we know the AARP will just tell us the answer, maybe it’s time went to the source.

“We do have members from time to time calling AARP asking similar questions about why they may have received a promotional flyer or letter from us,” said Pam Farrell, Vice President of Membership for AARP. 

Farrell said any time they get this question, they take it seriously.

“Privacy and making sure that the data we are using is of the utmost reliability is really important for us so we really want get down to the bottom of what the issue is.”

Farrell said after searching through their mailing lists for Robinson’s name they found a surprising result.

“What we were able to find was that in fact it does not appear, based on our research, that this person was actually mailed a direct-mail piece from us.”

Farrell said the mail that Hannah received went out to everyone in Hannah’s zipcode and that the flyers were addressed to “current resident.”  In other words, Farrell says Robinson was marketed to the old-fashioned way, via mass-marketing, meaning the fact that it happened after her stroke was simple coincidence.

When I broke this news to Robinson, though, she was skeptical.

“You know how AAA will send you a fake card with your name on it? I have a memory of getting one of those from the AARP,” said Robinson. “My name was definitely on the envelope. And I’m pretty sure it was on everything that was inside.”

To be sure, after I met with Robinson, I went back to AARP one more time. This time they expanded their search to look further back in time and discovered Robinson had been right all along. She had received targeted mail 4 times, beginning just a few months after her stroke.

Where did AARP get her info? Acxiom. The same company that says it can target people with a propensity to celebrate St. Patrick’s Day, somehow got it in its database that Hannah had a birthday in June of 1956, which would make her 61.

When I called to Robinson to tell her she had been vindicated there were yet more revelations.

“I don’t know if this is related, but that’s my mom’s birthdate,” said Robinson. “Around that time when my daughter was born and I had my stroke, I think I’d actually given my mom one of my old cellphones, cause she needed it in a pinch.”

The new info provided a new potential solution to the mystery that isn’t related to Robinson visiting websites about strokes. It’s possible Acxiom had already linked the mobile phone to Robinson’s identity before she gave the phone to her mother.

When new web activity on the mobile phone from Robinson’s mother indicated the user was an older person, Acxiom mistakenly attributed that to Robinson, not knowing that the phone had changed owners.

Hannah says she can see a dark side to all this data tracking and consumer profiling. Low-income people targeted with ads for risky pay-day loans, targeted ads for jobs that exclude people of a certain age.

But in her particular case, because the result was just some junkmail, Hannah takes it in stride.

“It feels transactional to me. Like, I know people are probably watching and paying attention to where I’m going. But because I’m getting something out of it, usually just information, I don’t mind,” said Robinson.

“But it does empower me. Because now I do feel like I want to google really random, ridiculous things and just see what happens. So in a way, I feel very empowered, because I still have the ability to trick people. And that puts it back in my court.”

If figuring out how we’re targeted by advertisers can feel like a detective story, the same is true for the data brokers trying to profile us.

Across our shopping habits, our browsing history, and public records, the data brokers are sleuthing around, trying to piece together the clues that explain the mystery of who we are and what we’ll buy.

Now that she knows that, Hannah’s looking forward to sending them on a few wild goose chases. After all, any good mystery story has a few red herrings.