Your Prescriptions Are Not a Secret

Think only your doctor and pharmacist know what medications you take? Here's the truth.

When you fill a prescription, you probably assume that the fact that you’re taking a medication is between you, the pharmacist, and your doctor. But a surprising number of people have access to your prescription history, which can include sensitive information like credit card numbers and your Social Security number.

Three Ways Your Information Gets Out

Pharmacies and doctors are legally bound to safeguard your prescription records and not give them to, say, an employer. (Learn more about the laws that protect your privacy.) But your records can still be shared and used in ways you might not expect, by:

  • Pharmacy chains and their business partners. Pharmacies and the drug and device makers they do business with are legally allowed to remind you about refills and recently lapsed prescriptions, and provide “advice” about adhering to treatments. So if you take insulin, for example, you might get mail or email ads about a new insulin pump or supplies for testing blood sugar.
  • Insurance companies. When you apply for life, disability, or long-term-care insurance, the carriers are permitted to hire information-service firms to analyze your medication records and score your health risk.
  • Data miners. Pharmacies and companies that administer insurance-company drug benefits sell prescription records to so-called data miners that remove information that can identify you and “mine” or analyze the rest.

That information can be used for the public good, for example, as a basis for medical research. But this “de-identified” data can also be bought by drug makers, who use it to track prescribing patterns. That gives them an edge in persuading doctors to prescribe their products, sometimes in place of cheaper or more appropriate alternatives. And some companies have already found a way to match your de-identified data to websites you go to so they can then target you with ads.

Stop Thief!

Medication records can also be a gold mine for criminals, who may use them to get drugs illegally or file false insurance claims. High-tech data theft makes headlines, but “privacy breaches frequently arise from preventable human errors,” such as a pharmacy clerk forgetting to shred paper prescriptions, says Michelle De Mooy, deputy director of the Center for Democracy & Technology’s Privacy and Data Project. CVS, Rite Aid, and Walgreens have paid millions of dollars in settlements for disposing private patient information improperly. So think twice before allowing credit card numbers and especially Social Security numbers to be included in the office records of your pharmacy or doctor.

Find out more about how to protect your information from cyberthieves and see our extensive guide to internet security for more safety tips and tactics.

Reducing Privacy Risks

You can’t completely secure your prescription information, but you can minimize the potential for problems:

  • Check records. Keep a log of the drugs you take and periodically ask your pharmacy and insurance company for copies of your prescription records to check for accuracy. If you’ve applied for life, disability, or long-term-care insurance in recent years, the three major reporting agencies, MedPoint (844-225-8047), Milliman Intelliscript (877-211-4816), and the Medical Information Bureau (866-692-6901) will give you a free copy of any medication history those insurers have requested that are in their files.
  • Read the fine print. Pharmacy memberships, savings programs, and apps may expect you to trade access to some of your health information for discounts. By signing up for a CVS ExtraCare card, for example, you get $5 off for every 10 prescriptions you fill. But the privacy policy says you may also receive promotional information and offers. So read privacy policies carefully, ask questions about anything that you don’t understand, and don’t sign up if you’re uncomfortable.
  • Say no to marketing. You may be able to opt out of reminders or ads related to your medication.
  • Ask doctors to opt out. Healthcare providers can indicate that they don't wish to share de-identified prescription information with drug makers through the American Medical Association’s Prescription Data Restriction Program.
  • "De-identify" containers. Cover labels or remove identifying information on medicine containers with a permanent marker before discarding. See our report for the best ways to get rid of unwanted medication.
  • Complain. If you think a pharmacist has breached your privacy, file a complaint with your state board of pharmacy. Find contact information for your state board at the National Association of Boards of Pharmacy.

For more information on how health data is used and how you can reduce the risks of abuse, see Consumer Report's free downloadable guide Medical Data: What You Need to Know Now.

Editor's Note: These materials were made possible by a grant from the state Attorney General Consumer and Prescriber Education Grant Program, which is funded by a multistate settlement of consumer fraud claims regarding the marketing of the prescription drug Neurontin (gabapentin).

Has your privacy regarding your medications been breached?

Tell us about it in the comments below.

Teresa Carr

Teresa Carr is an award-winning journalist with a background in both science and writing, which makes her curious about how the world works and eager to tell you about it. She is a former Consumer Reports editor and 2018 Knight Science Journalism Fellow at MIT and has more than two decades' experience reporting on science, health, and consumer issues.