There's no real mystery about Walter Spencer's illness. As a business manager, he had held highly stressful jobs without problems. When something changed several years ago, his doctor said his symptoms matched those of mild depression. He put him on the antidepressant Lexapro, and Spencer felt better within days. He has taken the medicine ever since.

But there is a mystery about Spencer's privacy - or lack thereof. It arose earlier this month, when an unusual pitch showed up in his Center City mailbox.

A pharmaceutical company, Bristol-Myers Squibb Co., sent him an eight-page brochure pitching another medicine, Abilify, used to treat patients "when an antidepressant alone isn't enough."

Lexapro was plenty for Spencer, but the mailing stuck in his craw. He has followed the recent debate over the utterly porous privacy of consumer data. But he thought his medical history, at least, was guarded by the special privacy protections of HIPAA, 1996's Health Insurance Portability and Accountability Act.

Spencer asked a simple question: How did Bristol-Myers Squibb - or the "third-party list company" that the brochure said was the source of his name - know enough to send him that mailing?

I wish I could report a clear and simple answer, and I still hope to get one. But after several days of digging, the best I can say is that Spencer - and every other consumer worried about the privacy of medical information - has genuine cause for concern.

Spencer, by the way, says his objections have nothing to do with the particulars of his illness.

"I would be just as concerned if it was any medication," says Spencer, now 60 and retired. "If you have high blood pressure, you take blood-pressure drugs. If you have mental-health issues that keep you from living a full and meaningful life, then you take medication for that if that solves it."

His concern is broader - about the basic human right of privacy, which he believes has been violated when marketers seem to know exactly what medicines he takes.

Who had access?

Spencer's prescription data followed a predictable path: First from his doctor at the University of Pennsylvania to his pharmacy - Rite Aid, for a time, and then 18th Street Apothecary. To get insurance coverage, the data also went to his insurance company, Independence Blue Cross, and to IBC's outside pharmacy-benefits manager.

All those people or businesses are covered by HIPAA, according to Robert Gellman, a Washington health-privacy expert who advises groups such as the World Privacy Forum.

"Everyone is subject to the same HIPAA rules," Gellman told me last week. "They can't sell patient information for marketing purposes without your informed, written consent."

Gellman says he is unaware of efforts to gain such consent by any of the law's so-called "covered entities," a category that includes doctors, insurers, pharmacies, and prescription-benefits managers. "There is no lawful path that I am aware of that will get this information out of the health-care system into the drug company," he says.

Each says it is scrupulous in following the rules.

"There's no sharing of any of our members' personal health information with any company or any vendor," says Independence Blue Cross spokeswoman Karen Burnham.

"We don't sell patient information," says Barry Neff, owner of 18th Street Apothecary.

"We don't sell or share our pharmacy customers' personal information," says Ashley Flower, a spokeswoman for Rite Aid.

So where was the leak? At midweek, a Bristol-Myers Squibb spokeswoman suggested that Spencer himself might have been the source of the information - if, say, he had gone online to request information about depression.

Gellman offered similar theories on how so-called data miners might have inferred that Spencer was a good target for an Abilify mailing.

Maybe Spencer bought an over-the-counter depression remedy at a store where he has a "frequent shopper" card? Maybe he called an 800 number for information? Maybe he answered a survey on health concerns?

I ran all these ideas by Spencer, and he rejected each.
On Friday afternoon, Bristol-Myers Squibb delivered a "gotcha." Yes, Spencer was the source of his own privacy breach, according to spokeswoman Laura Hortas.

Hortas says Bristol-Myers Squibb bought the list in question from a reliable list broker. "We only work with list vendors that we know commit to observing U.S. privacy law," she told me.

And how did the list vendor get Spencer's name? Hortas says Spencer visited a site called at 9:25 p.m. on Dec. 14 and replied to a prompt that said: "Please provide relevant information to me on the following ailments."

"He selected depression," Hortas says.

As I said at the start, this column began with a mystery and ends with one.

Spencer says the only such survey he ever recalls answering was one from the Wall Street Journal asking about his coverage preferences. And he scoffs at the idea that he ever went to, where the privacy policy is plainly porous, and where Friday's pitch was: "Win a Harley Road King!"

Above all, he says his medical history speaks for itself. He had no need for information about depression, or about new drugs, he says. "Why, when I've been on a medication that's been working for five years would I suddenly do this on Dec. 14, 2010?"

So is there an alternative theory that could explain the presence of someone's name on the Abilify mailing list?

As it turns out, there is - and I'll tell you more about that in a subsequent column.

Privacy experts say that even ostensibly anonymous information, sold to data companies by pharmacy chains such as Rite Aid, can be reconstituted with enough reliability that it can be linked to individual names - certainly well enough to justify marketing expenses.

Bristol-Myers Squibb says that isn't what happened here. Spencer says he has no better explanation, because he doesn't believe he did what the list vendor says.