Can/Does Google use my medical information for targeting ads?

I communicate with my physician on gmail. Presumably google can “read” my emails and target ads on prescription medication or medical devices to me.

Per the medical/privacy laws of the United States, is google allowed to “profile” me based on my medical emails sent / received on gmail? If yes, does Google already do so?

A couple of years ago I went in for a hearing test; before I got home from the doctor, my emails were loaded with ads for hearing aids.

FYI, here is a paywalled four-year-old article from the New York Times. The lede says, “Google plans to abandon its longstanding practice of scanning user email in its Gmail service to serve targeted advertising.” The article also says, “The company will continue to serve ads in Gmail, which has more than 1.2 billion users, but it will target those ads based on information it has already gathered from other Google services like search or YouTube, instead of the content of email.”

So, no, they’re not going to target ads based on your email but Gmail is almost certainly not an approved way of transmitting PHI (protected or private health information).

Were you using Chrome? I’m trying to remember how much advertising-related “phoning home” it does.

I don’t routinely use it, and where I have to I have everything opted out. But if Chrome’s default options tattle everything you do on the web to Alphabet’s advertising engine, that could be a channel to leak medical info to advertising tailoring.

Thanks @Dewey_Finn , I need to look into new email options!!

So licensed medical professionals/doctors are required by HIPAA or similar laws to not send emails to patients on gmail? I think my doctor may be out of compliance :grinning:

I’m not an expert, but I think it matters what the email is conveying. I get emails from my mail-order pharmacy or my dentist but little or no PHI is included. Or I’ll get messages asking me to login to the patient portal for the medical group where my PCP works. Once I do so, I can see PHI in a secure setting.

Also, what have you instructed your medical providers about how they can contact you? You might tell them that you live in a house with others and don’t want them calling the landline to leave a message because others can hear it. Or you might be fine with them leaving messages. I’m pretty sure part of the process is determining how you wish to be contacted.

Don’t know if it applies to any cases mentioned here, but doctors may notify medical device suppliers if they are recommending you need such a thing, and they don’t necessarily check with you first, although I object to such a practice. I do not like at all the idea, which may even be a HIPAA violation. The doctor’s office may not realize they are giving your name to a marketing company, not the direct supplier of products and you could end up getting a ton of spam as a result. The doctor may even have provided you samples they received from the company. The regulations have improved somewhat, they say, so far all I can see that changed is that drug reps don’t have free pens to give out anymore.

About a year ago, my blood sugar had risen to the low end of the pre-diabetic range. As a precaution my doctor prescribed a low dosage of Metformin.

A few months later, my health insurance company began sending me deals on test strips. Obviously they knew about the Rx and assumed I had Type 2 diabetes.

A few months after that, my work’s wellness program sends me information on some new diabetes monitoring program. I don’t have diabetes, damn it. OK, I guess technically we’re self-insured and just use Anthem as an administrator, so work got the info that way.

About a month ago I needed to use Chrome (normally I use Tor and Duck Duck Go) and sure enough, ads from CVS for test strips and a finger pricker. Not sure who sold them that information or where they scraped it.

I work in the industry. Google’s business model is to mine all your personal data and turn it into targeted ads. Google is pretty upfront and open about it. I personally would assume that by default and be skeptical that anything I do across the Google platform isn’t going into big data somehow, including health information.

Can you please provide a cite that Google’s business model relies on mining users’ medical data?

Definitely. There are huge fines for violations.

All of my internet correspondence with my doctor is done through the health provider’s internal messaging system. I have to log into my account to read those messages.

But the health provider system does send me an email to my gmail account telling me I have a new message from the doctor and that I should log in to my health account to view it.

Are you certain? If I ask my doctor to contact me on gmail (by putting that on the form and saying it is my preferred method of contact), then I would think it is me exposing the information.