Insurance companies earn billions each year selling you their services, and they hold far more data about you than you might expect. Based on that data, insurers can charge you more or deny coverage outright.

How Much Do Insurers Know?

Insurers gather as much data about us as they can. Some of it we share voluntarily (for example, in exchange for perks); the rest companies gather behind closed doors. They even mine social media (Facebook, Twitter) to refine their picture of our behavior and risk profile.

Unless you leave no traces online (which is almost impossible), there are many sources from which more information about you can be extracted. For instance, shopping records can reveal whether you smoke, how much alcohol you buy, your eating habits, and even what you get up to on weekends.

Wearable devices (such as smart watches) can already log what we eat, how we sleep, and our blood pressure and heart rate. Insurers are keen to use all of it, so keen that they will pay to get it.

UnitedHealthcare and Fitbit offer users up to $1,500 a year in health-care credits for activity goals met on a Fitbit Charge 2. Why would a company pay for that? There is a very good reason.


Trackers hold a lot of important information about your health. Don’t share it with anyone who asks (Photo credits: Andres Urena/Unsplash)

What Can They Do with Your Health Data

By analyzing measurements from people who do share their data, companies can draw conclusions about people who don't. The more data there is, the more confident those inferences become.

We use more and more connected devices, and AI-driven analytics can mine the resulting data like never before. Together these open an entirely new era for insurers: rates can be raised or coverage denied purely on the basis of data they have collected.

For example, people with a chronic illness (asthma, sleep apnea, and so on) show characteristic patterns in their data. Once a company has gathered enough such examples, it can infer a medical condition from someone's data alone, without ever seeing a diagnosis.

If your insurer holds information about a preexisting condition (and by some estimates about one in two adults has one), your rates can go up, coverage can be denied, and so on.

The Internet of Things (IoT) will only increase the collection: more connected devices mean more personal information about you.

How Legal Is It?

Data brokers buy, sell and trade medical records. Some companies specialize in gathering data; others are interested in buying it.

It is a multibillion-dollar business. IMS Health, for instance, which specialized in trading medical data, has reported some $9 billion in revenue, and pharmaceutical companies such as Pfizer pay millions each year for the data it gathers.

Although the data must legally be de-identified (no names, addresses or Social Security numbers), data-mining companies have various methods for matching what they hold to an individual.

For example, last year researchers at the University of Melbourne published a report showing they could identify individuals in health-care data that the federal Department of Health had released as part of a move towards open data.

The data was supposed to be anonymous (patient ID numbers had been removed), but the researchers were able to identify people within the dataset itself.

Another example comes from Harvard University's Data Privacy Lab and Bloomberg News: using a database of hospital discharge records, they re-identified 35 people in the 81 cases they examined.

This means sensitive private information (such as mental health appointments or HIV treatment) could be exposed at any time.
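To make the re-identification risk concrete, here is an added example (it is not code from the studies above, and not necessarily the exact method they used): the classic linkage attack. A "de-identified" release strips names and Social Security numbers but keeps date of birth, sex and ZIP code, and those three quasi-identifiers are joined against a public list that does carry names. All records, names and the generalization rule below are constructed for the demonstration.

```python
# Added example (not from the studies cited on this page, and not necessarily
# the method they used): a linkage attack on "de-identified" medical records.
# Names and SSNs are stripped, but date of birth, sex and ZIP code survive,
# and those three fields are often enough to single a person out when joined
# against a public dataset that does carry names. All records below are
# constructed for the demonstration.
from collections import defaultdict

# Constructed hospital discharge records: no direct identifiers, but the
# quasi-identifiers (dob, sex, zip) are kept at full precision.
DISCHARGES = [
    {"dob": "1964-03-12", "sex": "F", "zip": "02138", "diagnosis": "HIV treatment"},
    {"dob": "1971-11-02", "sex": "M", "zip": "02139", "diagnosis": "mental health appointment"},
    {"dob": "1985-07-30", "sex": "F", "zip": "02138", "diagnosis": "fractured wrist"},
]

# Constructed public list in the style of a voter roll: names alongside the
# same quasi-identifiers. Two entries deliberately share dob/sex/zip.
PUBLIC = [
    {"name": "Alice Example", "dob": "1964-03-12", "sex": "F", "zip": "02138"},
    {"name": "Bob Example",   "dob": "1971-11-02", "sex": "M", "zip": "02139"},
    {"name": "Carol Example", "dob": "1985-07-30", "sex": "F", "zip": "02138"},
    {"name": "Dana Example",  "dob": "1985-07-30", "sex": "F", "zip": "02138"},
    {"name": "Eve Example",   "dob": "1964-05-20", "sex": "F", "zip": "02139"},
    {"name": "Frank Example", "dob": "1971-02-14", "sex": "M", "zip": "02140"},
]


def exact_key(rec):
    """Quasi-identifier tuple at full precision: this is what a careless
    'anonymized' release leaves in place."""
    return (rec["dob"], rec["sex"], rec["zip"])


def generalized_key(rec):
    """Coarsened quasi-identifiers (year of birth, sex, 3-digit ZIP prefix),
    the kind of generalization a k-anonymity style release applies."""
    return (rec["dob"][:4], rec["sex"], rec["zip"][:3])


def link_records(discharges, public, key_fn):
    """Join the de-identified records to the named public list on key_fn.
    Returns a list of (discharge record, sorted candidate names) in input order."""
    index = defaultdict(list)
    for person in public:
        index[key_fn(person)].append(person["name"])
    return [(rec, sorted(index.get(key_fn(rec), []))) for rec in discharges]


def unique_reidentifications(links):
    """Records that link to exactly one name are fully re-identified:
    the diagnosis is now attached to a person."""
    return [(rec["diagnosis"], names[0]) for rec, names in links if len(names) == 1]


if __name__ == "__main__":
    exact = link_records(DISCHARGES, PUBLIC, exact_key)
    print("Full-precision quasi-identifiers:")
    for rec, names in exact:
        print(f"  {rec['diagnosis']:26s} -> {names or 'no match'}")
    print("  uniquely re-identified:", len(unique_reidentifications(exact)))

    gen = link_records(DISCHARGES, PUBLIC, generalized_key)
    print("Generalized quasi-identifiers:")
    for rec, names in gen:
        print(f"  {rec['diagnosis']:26s} -> {names or 'no match'}")
    print("  uniquely re-identified:", len(unique_reidentifications(gen)))
```

With full-precision quasi-identifiers, two of the three records link to exactly one name, so the HIV treatment and the mental health appointment are now tied to individuals; the third record is ambiguous only because two people in the public list happen to share all three fields. Coarsening the fields to year of birth and a 3-digit ZIP prefix leaves every record with more than one candidate, which is the point of k-anonymity style generalization. The caveat a practitioner should keep in mind is that the attacker chooses the auxiliary dataset, so any field that survives in the release, including admission dates or rare diagnosis codes, can become a quasi-identifier.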

It Sees You When You’re Sleeping. It Knows When You’re Awake

Last spring, Tony Schmidt discovered that his bedside CPAP machine was sending its data to his health insurer. Schmidt suffers from sleep apnea, a condition that interrupts breathing during sleep. Without CPAP he would wake up dozens of times a night, which would seriously affect his life.

An information technology specialist himself, Schmidt became suspicious about his privacy after he registered his new CPAP machine with ResMed, a California-based medical equipment company. He opted out of receiving further information, but the next morning he got an email saying: "Congratulations! You've earned yourself a badge!" Schmidt realized he was being tracked.

One thing led to another, and Schmidt found out that ResMed was allowed to share his data with doctors, insurers and supply companies. So his insurer, Blue Cross Blue Shield, had it as well. After this, Schmidt went back to his old machine, which stored its data on a removable card rather than transmitting it.

What Schmidt discovered wasn't new: insurers routinely track patients through their CPAP machines. The companies claim legitimate purposes, such as checking that patients use the machines as directed or advising doctors on the best treatment.

That raises questions, though. Why don't insurers rely on the patients' own doctors? Are they really the ones who should judge?

ProPublica, which reported Schmidt's story, also found that insurers use various methods to shift costs onto patients. Constant surveillance is one of them.

What to Do If Your Health Data Is Stolen

Criminals know that health data is valuable to many buyers, so they put considerable effort into stealing it.

If your health data is stolen, you may end up with fraudulent medical bills in your name, denied care, and the other consequences such events can bring.

In Europe, under the GDPR, organizations must report a data breach to the supervisory authority within 72 hours, and must also inform the affected individuals without undue delay when the breach is likely to put them at high risk. Compromised medical records generally clear that bar, so you should be notified.

In the US there is no single equivalent rule. Health-care providers and insurers covered by HIPAA must notify affected individuals of a breach (within 60 days of discovery under the HIPAA Breach Notification Rule), but many holders of health data, such as fitness apps, wearable makers and data brokers, fall outside HIPAA, and state breach laws vary. So you may never learn that a malicious third party got hold of your personal information, including medical records. Some companies have even paid to hide a breach, as Uber did in 2016 (the breach affected 57 million riders and drivers, including about 600,000 drivers' license numbers).

Here are some signs of a possible medical data breach:

  • Charges on your bank or insurance statements for medical procedures, prescriptions, tests, etc. that you never received or ordered
  • Your insurer notifies you that you've reached your benefit limit
  • A denial of insurance due to a condition you don't have
  • You read in the news that your clinic or insurer suffered a data breach

If you suspect that your health data was stolen:

  • Request current copies of your medical records and check them for activity you don't recognize. If the provider refuses access, contact the provider's patient representative; if you still don't have the records after 30 days, contact the U.S. Department of Health and Human Services' Office for Civil Rights at (800) 368-1019
  • Dispute any incorrect entries in writing. Keep copies or originals of everything, and send letters by certified mail
  • Secure other accounts that may be affected by the breach (change passwords, enable two-factor authentication)
  • Check your credit reports from each of the three major credit bureaus; you are entitled to a free report from each every 12 months at annualcreditreport.com
  • Place a fraud alert or a credit freeze on your credit files with each bureau
  • Check activity on your medical financial accounts: Health Savings Account (HSA) or Flexible Spending Account (FSA)
  • File an identity theft report with the Federal Trade Commission
  • For Medicare or Medicaid, file a report online or call 800-HHS-TIPS
