DataBreaches.Net


Save 10% on prescriptions, lose 75% on privacy? (updated)

Posted on April 12, 2012 by Dissent

It started with a private message I received on Twitter, asking me what I knew about the privacy policies of prescription discount services. The message provided a link to Medication Discount Card, a site that offers a free prescription discount card that advertises it can save you 10 – 75% on your prescription costs if you use the card at any participating pharmacy.

In looking at the site, I understood the inquiry, as there was no privacy policy posted anywhere that described what data were collected if you used the card and what might happen to those data. So I contacted the site to ask about their privacy policy. A spokesperson replied promptly, and noted that somehow the privacy policy had not been restored when they did a recent update of their site. On receipt of my inquiry, he promptly re-uploaded and linked their web site’s privacy policy from the bottom of their home page.

But that was the web site privacy policy, which is important, but it was not the policy for data associated with any use of the card. I tried again:

Thank you for the web site privacy policy, but as my inquiry indicated, I am seeking the privacy policy for what happens to the data collected from usage of the discount card itself. Who gets access to those data, how are they shared, etc.?

Again, I got a prompt response:

We do not collect any personally identifiable information from anyone using the pharmacy card. What we do collect is used internally, we do not sell or rent any lists to any partners or third parties.

Could it really be so simple? What do they consider personally identifiable information, and is it possible that any data they do collect could be easily re-identified? And where did it actually say that on their web site? In response to my query, the site added their statement to their FAQ (see Question 12).

Impressed with their responsiveness if not the detail of their statements, I tried one more time:

… Your statement about card use does not tell consumers what data you collect. Do you collect/retain their name, addresses, medication name, prescribing doctor name, etc.? Do you retain any payment info like credit card numbers?

How do you secure/protect information? Is it all encrypted using NIST-grade encryption?

People – and the govt – are becoming more sophisticated/concerned about data collection, retention, and usage. Your policy should address these issues in plain language.

That was a week ago. I never heard back from him, but I hope they’re thinking about being more specific in their statement about what they do collect and how it’s stored. And whether people can request that their records be deleted.

Maybe everything is as he described it to me in e-mail, but I tend to be cautious about prescription data.  Keeping in mind their privacy policy that allows them to include any data they have on you as a transferrable asset should they sell their business, how comfortable would you be using the card?

Medications are frightfully expensive and many of us do not have good insurance coverage. Will the need to save money trump concerns about data security and privacy? It probably will for many people. So, as always, consumers need to be aware and informed, and make sure they know what data about them are being collected and could be shared at some point.

Thanks to the follower who sent me the inquiry. I hope this answers your question.

Update:  Following publication of the post, I received an email from MDC that apologized for the delay in responding and included the following clarification:

… right now we collect very minimal information from any patients. They do not even need to enter their name or email address before printing a card. The information the pharmacy collects does not get passed on to us due to HIPAA laws. The only piece of information we collect is the number of people that print discounts and which particular drugs they are for. We do not collect names, credit card information, location, or anything that could remotely identify that person.

Within the upcoming months we will be redesigning our website and will address these issues much more clearly.

Now that is very helpful information and somewhat reassuring. Of course, MDC is just one company and others may not have the same policies, so it’s always best to inquire.



3 thoughts on “Save 10% on prescriptions, lose 75% on privacy? (updated)”

  1. Anonymous says:
    April 12, 2012 at 10:50 am

    Nice post. It’s disturbing that so many commercial databases exist with our private medical and prescription histories. I’m pretty sure most consumers are unaware that they exist, how they work, and what (if any) legal rights and protections for the consumer are in place.

  2. Anonymous says:
    April 13, 2012 at 8:16 am

    Thank you for updating your post.

    Just to clarify, the reason that I did not respond to his last email for some time was because I was away on vacation for the Easter holiday and I am the only one in the company qualified to answer such questions.

    As Dissent can attest to, I have responded to all other inquiries in an extremely prompt manner.

    1. Anonymous says:
      April 13, 2012 at 8:19 am

      You’re welcome, and yes, other than you thoughtlessly taking a vacation while I was still working, you’ve been very prompt and helpful. :)

      Feel free to come back and let us know when your web site is updated. Perhaps it will serve as a model for others.

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.