Pharmacies Ask for Lots of Info to Book a COVID-19 Vaccine. What Happens to That Data?

These companies are providing vital medical care, but also prompting complicated privacy questions

By Adam Tanner

April 16, 2021

Dr. Stanley Plotkin, 88, developed the rubella vaccine in the 1960s and has worked on anthrax, polio, rabies, and rotavirus vaccines over a distinguished career. Yet even the man nicknamed the “Godfather of Vaccines” does not have access to a full list of his past immunizations.

“I do not have any comprehensive record and that is a regret,” he tells Consumer Reports. “A national register accessible to the CDC would be very helpful from a public health point of view.”

Instead, in his wallet Plotkin carries a paper document from the Centers for Disease Control and Prevention showing that he has been vaccinated against COVID-19. The same proof being handed out to tens of millions of vaccinated Americans suggests a 1970s library card rather than a miracle of modern science.

Despite his age, Plotkin says he had difficulty getting a COVID vaccine appointment until he finally landed one in February through a local hospital. Finding appointments became easier for many people as supplies increased, and the federal government agreed to share vaccines with what ultimately is expected to be more than 40,000 pharmacies. Like other providers, they are reimbursed by private insurers, or paid about $40 per jab by Medicare, according to the Centers for Medicare & Medicaid Services.

But consumers engage in a bit of a Faustian bargain to peruse pharmacy vaccine schedules. In some cases they have to provide details such as their race, ethnicity, profession, obesity and serious health conditions, gender or birth date, along with their email and telephone number—perhaps to multiple websites—just to find an appointment.

Data Bonanza for Pharmacies

As app developers work to create apps to show people’s COVID vaccination status, some pharmacies are considering how to convert all their extra contact with consumers into revenue.

“We do see an opportunity with the vaccines and building relationships with new customers to convert them to long-term CVS Health customers,” CVS Chief Operating Officer Jonathan Roberts said during the company’s annual earnings call in February. “Every one of these customers is coming through our digital front end. We have their email, we have their text message, and we have the ability to communicate with them regularly.”

Vaccine pioneer Plotkin objects to pharmacies collecting information for marketing, as opposed to public health. “I don’t like that idea, I understand that it is an invasion of privacy,” he says. “On the other hand, the pharmacies are in a way doing a public service, so I am not angry about it.”

To clarify how pharmacies can and can’t use consumer information, the CDC issued new guidelines on April 2. They read, in part, “Providers are prohibited from using any data gathered in the course of their participation in the CDC COVID-19 Vaccination Program” for “commercial marketing purposes.”

Additionally, a spokesperson at the department of Health and Human Services tells CR, “Any data collected, including de-identified data, cannot be used for commercial marketing purposes, and also cannot be sold or provided to another party.”

Asked to comment, CVS’ Roberts tells Consumer Reports: “We do not leverage patient data for commercial purposes unless we have their permission to do so. The data we collect while doing vaccines is for insurance billing and CDC required reporting.”

Walmart and Kroger declined to answer questions about how they handle customer data gathered in the vaccine process. Walgreens spokesman Fraser Engerman says that the company does “not sell non-anonymized data of vaccination patients.”

A worker checks in a person with an appointment to receive a dose of the Moderna Covid-19 vaccine at a CVS Pharmacy location in Eastchester, New York, — Consumers at CVS Pharmacy locations like this one in Eastchester, New York, are receiving vital COVID-19 vaccinations, but there may be privacy trade-offs.

Pharmacies are required to follow rules set out by the Health Insurance Portability and Accountability Act (HIPAA) that govern the sale of medical data collected by health providers. So abuses of your medical data are unlikely, according to L.J Tan, the chief strategy officer of the Immunization Action Coalition, a group that educates the public and healthcare professionals. “I don't believe there is a sinister motive,” he says. “But with big business there is a realization that there is a tremendous amount of data that can be mined.”

However, not everyone agrees what data is and isn't covered by the law. “Vaccine recipients may be under the impression that the information they submit to these pharmacies is covered by the Health Insurance Portability and Accountability Act (HIPAA) or other privacy laws, but unfortunately, that is not the case,” the privacy and consumer groups wrote in their letter to the state attorneys general. “No U.S. privacy law covers the data collected under these pharmacy customer portals.”

And, with so much personal information in commercial circulation it is often hard to say where and how a particular piece of data was gathered. For example, CVS had an old home address on file when I got my vaccination, so they updated their files during my visit earlier this month. The CDC may say that no data collected as part of the vaccination program should find its way into a marketing database. But down the line, how could it be shown that the address update came from my vaccination visit?

With millions of people coming through their stores to get vaccinated, pharmacies can also engage in low-tech marketing, something Tan recently experienced at CVS. After his vaccination, an employee encouraged him to peruse the pharmacy aisles rather than remain seated for 15 minutes as medical experts recommend.

Hidden Marketplace in Patient Data

Despite the explicit prohibitions against using vaccination data for marketing purposes—and the assurances by pharmacy giants that they'll refrain from using consumer data that way—the healthcare industry has a long record of exploiting patient data for profit.

Although most people understand that their personal data is used by tech giants such as Google and Facebook for marketing and advertising purposes, fewer realize that pharmacies dispensing prescriptions, insurers, testing labs, and various intermediaries often sell and trade anonymized data. It's a largely hidden multibillion-dollar business I investigated in my book “Our Bodies, Our Data.”

In this medical data bazaar, companies remove a consumer’s name and obviously identifying information but create dossiers on millions of patients. Some key details can remain, including a patient’s age, gender, partial ZIP code, and doctor’s name. These details allow data scientists to model what type of people are most likely to suffer certain ailments or behave in certain ways, and which specific physicians and hospitals are treating such patients. Businesses, from drug manufacturers to banks and life insurers, use such insights to target offers and prices.

With the flurry of data gathering during the pandemic, some experts have warned about the potential for misuse of health data. “Health information collected in these efforts can easily be misused for profiteering when combined with targeted advertising programs, price-discrimination algorithms, or insurance assessments that may result in denials of coverage,” a January report of the Social Science Research Council warned.

U.S. law bans health insurers from denying coverage based on previous conditions. However, Rebecca Gluskin, who was part of a team of experts who prepared the report, pointed out that it would be legal for companies such as life insurers to decline to do business with someone based on health information.

Gluskin also expressed concern that outside websites that offer to help find available vaccines could sell patient data. “In the frenzy of sharing data with private companies, even government, to what extent is their data being protected from misuse?” she asks.

Some pharmacies may retain your COVID-19 sign-up data even if you end up getting vaccinated elsewhere. To use their appointment sites, I shared my data with Walgreens and Rite Aid, a Walgreens subsidiary, before settling on an appointment with CVS. I later called and wrote the privacy offices of Walgreens and Rite Aid asking that they delete my information. Rite Aid’s group vice president overseeing privacy, Andrew Palmer, said that the pharmacy was legally obliged to store and safeguard such information. Engerman of Walgreens added: "Generally, we can't delete patient records."

Yet a Walgreens customer care representative eventually wrote back to say my account had been removed.

Even if the information you provide to sign up for a vaccination isn’t sold, massive patient databases face a risk from hacking attacks, which criminals use for medical and identity fraud. Nearly 80 million Americans experienced this reality in 2015 when their data were stolen from the insurance company Anthem. Even consumers who were not direct Anthem customers were affected. Although I didn't have an Anthem policy, the company had access to my data through Caremark, a CVS division that had a relationship with my former employer.

The Anthem hacking incident is well known because it affected so many millions, but medical breaches occur nearly every day, as documented by the U.S. Department of Health and Human Services Office of Civil Rights.

Needles Into Arms

With COVID still a stubbornly deadly risk, many officials are not worrying too much about the flow of personal information. “Our sole focus is to reach herd immunity as soon as possible to stop the spread of COVID and save lives,” Brice Mitchell, a spokesman for the Kentucky Cabinet for Health and Family Services, said when asked about vaccination record-keeping and the use of patient data.

The focus on needles into arms has made the United States a world leader in COVID vaccinations. The pace has accelerated faster than anyone could have hoped for even a few months ago, says Tom Frieden, the former head of the CDC. “The vaccines are stunningly effective,” he said in an interview.

Medical researchers and officials at organizations such as the CDC do need access to significant amounts of COVID-related data to control the pandemic. Still, experts say it is worth considering how the private sector uses such information, because how we handle the crisis today may establish an important precedent.

“If we are making mistakes in the way we are doing things now, we are carrying forward risks in the future,” says JP Pollak, co-founder and chief architect of the nonprofit Commons Project, which develops apps to help people store their medical data and to document their COVID vaccination status. Among the companies that have begun to use its CommonPass are JetBlue and Lufthansa on some flights. Walmart will offer it as a way for consumers to access their records if they receive a COVID-19 vaccination at a Walmart location.

“The part that feels new to these circumstances, that people should take note of, is the requirement to create accounts and submit extensive personal information in the process of trying to get a vaccination appointment,’” Pollak continues. “Given the demand for appointments, people might need to do this at 5 to 10 different pharmacies or other businesses.”

One possible benefit that could emerge from the pandemic would be a system that allows patients easier access to comprehensive vaccination records. “I think it is a fantastic opportunity for the government to create a vaccine record app for the overall population—one that can keep track of a person’s entire vaccine history, linked to state registries,” says Sean Nolan, the former chief architect of Microsoft Health Solution Group.

Decades ago, U.S. states and some cities started compiling vaccination records of children. These records expanded to teens and then adults, according to Rebecca Coyle, executive director of the American Immunization Registry Association.

Yet even today there is no national vaccine database, which means anyone who moves between different states or receives immunizations in more than one state may have more difficulty finding their information. Forty states have signed agreements as of mid-April to share data, Coyle says. “It has taken a lot of time to get attention to this issue,” she says.

New Hampshire has been the last U.S. state to implement an immunization registry, and so far has recorded only COVID vaccines, according to Elizabeth Daly, chief of the Bureau of Infectious Disease Control at the state’s Department of Health and Human Services.

A digital system could also stem forgeries of vaccination certificates which have reportedly become increasingly common in recent weeks on various Internet sites and forums.

If the idea of a national COVID vaccine database to replace the paper cards is simple, creating it is challenging—and controversial.

“By the time this got created, infrastructure put in place, software installed, people trained to use it, support team trained to answer questions—most of the vaccinations will already have been given to those who want them,” says Judith Faulkner, the billionaire founder and CEO of Epic, which operates one of the largest U.S. health records systems with 250 million patients worldwide.

The Debate Over Vaccine Status

Over time, the technical and logistical issues might be smaller than the philosophical ones.

Whether on paper or through an app, the concept of requiring people to show their vaccine status to attend events or to travel has sparked a contentious national debate. The Biden Administration has opposed a federal vaccinations database or vaccine passport, and a recent poll by the de Beaumont Foundation, a nonprofit organization, found that about a quarter of respondents opposed creating a voluntary document to show vaccination status.

Others warn that demanding proof of vaccination—an obligation that has long existed to enter countries with high risk of yellow fever—will disadvantage certain people. “While vaccine supply remains limited, privileging people who are fortunate enough to have gained early access is morally questionable,” Mark Hall, a professor expert in health law at Wake Forest University School of Law and School of Medicine, and David Studdert, a professor of law and medicine at Stanford, recently wrote in the New England Journal of Medicine.

“Even after supply constraints ease, rates of vaccination among racial minorities and low-income populations seem likely to remain disproportionately low; relatedly, if history is a guide, programs that confer social privilege on the basis of ‘fitness’ can lead to invidious discrimination.”

A World Health Organization has expressed similar concerns and opposes requiring proof of vaccination for international travel.

Such objections create a difficult balancing act. “I as a person navigating the world also need to have the freedom to not be infected by people who are carrying an infectious respiratory disease that I can get from breathing in air they breathe out,” says Kaliya Young, an expert on digital identity verification working on the COVID-19 Credentials Initiative, a group bringing together more than 300 experts in technology and other fields.

To date, Florida and Montana have issued executive orders barring companies from requiring customers to document COVID vaccinations to do business there; those states plus Texas and Idaho have barred state agencies from requiring proof of vaccination to receive government benefits, says Amy Leopard, a Nashville lawyer specializing in healthcare and information technology law. “I do believe that the prohibition on private business requiring documentation could be the subject of much dispute and potentially litigation,” she said.

Health records company Epic is trying to sidestep such debate by asking prospective attendees to their August annual users meeting in Wisconsin to come vaccinated, but without paper or electronic proof. “Honor system,” Faulkner explains. “If people attend who aren’t vaccinated, they are taking a personal risk.”

That may work at a health industry gathering, but history suggests an honor system may not be enough when it comes to companies collecting personal information. In the coming months, as startups and established firms introduce many new apps to schedule immunizations and show who has been vaccinated, it is worth watching how these companies use our data, healthcare experts say. They likely won't be covered by health privacy laws, and their business models may be based on using our data to sell sensitive insights into our health and private lives.

Adam Tanner

Adam Tanner is a Consumer Reports contributing editor. He is also the author of “Our Bodies, Our Data: How Companies Make Billions Selling Our Medical Records” and an associate at Harvard's Institute for Quantitative Social Science.