Of all the information available about you online, you'd probably think details about your health would be safe.
Think again.
It turns out that if you've done any research on your ailment online - even on a trusted government website - it's quite possible your health info is now public and up for sale to anyone who wants it.
Information on Vanessa Pembleton cost us 50 cents. We bought the list Pembleton is on from a marketing website, Nextmark.com.
When asked what she thought about this, Pembleton replied, "I think it's a violation of personal information."
Along with names we were able to obtain addresses, ages, emails, number of children, children's ages, and income.
We also got health information.
We paid $500 for a list of 500 diabetes sufferers and 500 asthma sufferers in Philadelphia.
Pembleton was on the asthma list.
"My asthma right now is dormant and has been for like 30-plus years, so I'm really surprised that I still reflect on that list," she said.
Timothy Libert at the University of Pennsylvania has discovered how much of your health information is getting leaked.
Libert says inside a web page are pieces of code you never see.
"What these pieces of code do is actually send your information to all these other parties, who don't want you to know they are doing it," he said.
He's analyzed more than 80,000 health-related websites like WebMD.com and CDC.gov, the website for the Centers for Disease Control and Prevention.
"90 percent had tracking, so pretty much it doesn't matter what your illness is, how severe it is, how personal and private, it's going to be known by other parties," Libert said.
Those parties include online advertisers as well as data brokers, companies that collect and sell your information.
For example Experian, the company you know for monitoring your credit, is also a major data broker.
"It's entirely possible that Experian can tell the last medical bill you couldn't pay and the first time you looked up your symptoms," said Libert.
Remember the lists we bought? The company that sold them to us is Exact Data.
Its CEO tells me Exact Data only re-sells information.
You know who it buys that information from? You guessed it: Experian.
"What we really need to do is extend the health privacy to the web and there needs to be some laws about this," said Libert.
And aside from the obvious concern of this information ending up in the hands of criminals, Libert says there a number of other potential problems with ending up on one of these medical lists.
"That's sort of a judgement that's being made about you, your life, whether or not you're valuable to a company," he said.
You could be labeled a commercial risk or "waste." That could mean a retailer might deny you a membership, discount or promotion, or an insurance company might require you to pay a higher rate.
And what if the list is wrong?
Sergio Blanco is on the diabetes list, but he says he doesn't have diabetes..
However, as a nutritional educator, his wife searches the web for a lot of diabetes information.
"Every time the word diabetes comes up, "Boom" a new customer," he said, "And it's not quite right."
Experian tells us, "This data is self-reported by the consumer, and a notice is provided that informs the consumer the information will be used for marketing purposes.
Full statement from Experian:
"Experian Marketing Services collects and shares data that reflects ailments reported voluntarily by consumers. This data is used only for marketing purposes. This data is self-reported by the consumer, and a notice is provided that informs the consumer the information will be used for marketing purposes. Additionally, a consumer has the opportunity to opt-out of receiving marketing offers. It is also important to note that, by law, Experian maintains strictly segregated databases. This means our consumer credit database is kept separate and apart from our marketing databases, and there is no commingling of data. The credit database is governed by the Federal Fair Credit Reporting Act. The marketing database is governed by a multitude of state and federal laws and regulations, and by enforceable industry codes."
You can opt out of some data broker/marketing/online advertising lists but you have to go to each individual company website. More info here:
https://www.worldprivacyforum.org/2013/12/data-brokers-opt-out/