Misuse of customer data by health insurers for marketing purposes

Several health insurers wrote directly to patients who had been prescribed a particular medication in order to suggest they switch to an equivalent and cheaper drug. Although this may at first sight seem quite sensible in view of the enormous cost pressures in the health sector, it nevertheless constitutes an infringement of data protection provisions.

Based on information received from the legal counsel of a pharmaceutical laboratory, we carried out an inspection of several health insurers. They had been accused of using the personal data of insured persons who were on a particular medication and writing directly to them to suggest they switch to cheaper drugs which were equally suitable for their treatment.

Health insurers that are active in the field of compulsory health insurance are deemed to be federal bodies since they perform a public task on behalf of the Federal authorities. They are therefore bound by the principle of legality. This means that there must be a legal basis before they can process personal data. Particularly sensitive personal data may only be processed if a specific law formally authorizes the insurers to do so. The Federal Health Insurance Act stipulates the purposes for which health insurance companies may process personal data (including sensitive data). The direct promotion of drugs is not included in the list of purposes for which the law authorizes data processing, and it therefore constitutes an infringement.

As a result of our intervention, virtually all insurers who had been engaged in such marketing exercises halted this practice. There was one health insurer whom we were only able to convince after an explanatory meeting in the presence of the persons responsible for such matters in the Federal Office of Public Health. The health insurer in question subsequently also stopped this form of marketing.