Lexapro was plenty for Spencer, but the mailing stuck in his craw. He has followed the recent debate over the utterly porous privacy of consumer data. But he thought his medical history, at least, was guarded by the special privacy protections of HIPAA, 1996's Health Insurance Portability and Accountability Act.
Spencer asked a simple question: How did Bristol-Myers Squibb - or the "third-party list company" that the brochure said was the source of his name - know enough to send him that mailing?
I wish I could report a clear and simple answer, and I still hope to get one. But after several days of digging, the best I can say is that Spencer - and every other consumer worried about the privacy of medical information - has genuine cause for concern.
Spencer, by the way, says his objections have nothing to do with the particulars of his illness.
"I would be just as concerned if it was any medication," says Spencer, now 60 and retired. "If you have high blood pressure, you take blood-pressure drugs. If you have mental-health issues that keep you from living a full and meaningful life, then you take medication for that if that solves it."
His concern is broader - about the basic human right of privacy, which he believes has been violated when marketers seem to know exactly what medicines he takes.
Who had access?
Spencer's prescription data followed a predictable path: First from his doctor at the University of Pennsylvania to his pharmacy - Rite Aid, for a time, and then 18th Street Apothecary. To get insurance coverage, the data also went to his insurance company, Independence Blue Cross, and to IBC's outside pharmacy-benefits manager.
