How insurance companies invented the data-mining of personal & medical information

America’s oldest credit reporting bureau experiments with criminal records, sexual deviations, financial status, & medical impairments.

Frank Sinatra — coded for “carrying on with a married woman.” (1938). Bill Gates —coded for driving without a license. (1977)

Insurance companies use massive amounts of information to profitably “underwrite” potential customers, thereby separating risky people from desirable people. To feed this insatiable appetite for intelligence, insurers access the most sophisticated credit reporting tools and deepest pools of private medical data on the planet.

Life insurance is arguably the most challenging financial product a law-abiding citizen can buy. After all, life insurance is essentially an investment on your life that only pays off when you die.

The life insurance shopper must confront the fragility of his or her own existence. The mental calculus of this purchase is unnerving — when am I going to die? What might be the cause of my death? And, how much is my life worth?

On the other side of the negotiating table, the insurer wants to calculate the probability of your death before it will invest in your life. However, insurance companies have concluded that asking customers to help guess their own time and manner of death is an awkward way to sell policies.

As a courtesy, insurance companies will predict your death for you. The professional Las Vegas oddsmakers who take bets for sports games call it “setting the spread.” Insurance companies call the process “underwriting.”

1. Authorizing the collection & use of your data

Insurance companies have pioneered the field of big data and personal analytics for more than 100 years. The Medical Information Bureau Inc. (also known as MIB Inc. and MIB Group Inc.) was founded in 1902 and is America’s oldest and longest continuously operating credit reporting agency.

Accessing 100 million records and growing weekly, MIB Inc. currently owns and monetizes, “North America’s largest database of medical conditions on insurance applicants. [Including] diagnosed medical conditions from attending physicians, lab test results, qualified physical exams, self-admitted medical conditions.”

MIB Inc.’s reach in the insurance industry is unparalleled. The corporate membership of the MIB Inc. accounts for 99 percent of the individual life insurance policies and 80 percent of all health and disability policies issued in the United States and Canada. (Collectively, these insurance companies manage trillions of dollars in assets.)

MIB Inc. keeps active credit report files for every authorized insurance customer within its member companies. Data collected and coded by the MIB Inc. may include medical conditions, driving records, credit history (finances), criminal activity, tobacco usage, alcoholism, drug addiction, participation in hazardous sports, and personal or family genetic history, among other facts.

An MIB Inc. privacy disclosure from Prudential Insurance Company

Legal consent allowing the MIB Inc. to use personal and medical information is granted by each individual applicant and policyholder. Such authorization should always be found within the individual’s signed application or policy renewal documents (often with signed documents names like “Application for Insurance”, “Important Notice”, or “Authorization to Release Information”).

Don’t sign if you don’t agree. Insurers will review your data to decide if you’re eligible for coverage and at what price. Your signature legally confirms your informed authorization and consent to allow information collection and data-mining (analytics).

The biggest challenges are data transparency and data accuracy. For the first-half of MIB’s history, from 1902 to the early 1970’s, the company operated in strict secrecy.

The MIB Inc. served, “a critical role in the lives of thousands of individuals, affecting not only their security but their finances as well. But many of those affected have little idea that the MIB played a part. This is partly by design.” The MIB Inc. even had an unlisted phone number.

Lack of data accuracy within individual medical report files hurts both buyers and sellers in the insurance market. Whereas 25% of the credit reports from the highly-scrutinized three major credit reporting agencies are plagued by “material errors”, the accuracy rate of consumer reports sold by all nationwide specialty consumer reporting agencies has never been publicly studied.

Legal experts are not optimistic. Similar nationwide specialty credit reporting bureaus selling employment and salary data, “haven’t had that level of scrutiny, so we don’t know what the level of accuracy is,” said Chi Chi Wu, an attorney with the National Consumer Law Center, and an expert on fair credit reporting law. “I would be surprised if it’s better.”

The Federal Trade Commission (FTC) issued a consent order to the MIB Inc. and all insurance company members in 1995. The order required the MIB Inc. to abide by the Fair Credit Reporting Act requirement that an individual be informed when a consumer report played any part in the insurer’s decision to deny coverage or to charge a higher rate.

The Fair Credit Reporting Act now requires nationwide specialty consumer reporting agencies, including the MIB Inc., to provide consumers with a free annual disclosure of their consumer report file.

2. Building the first cloud computing platform for credit reporting

Before “big data”, there was “big punch card.” The original MIB Inc. system was a manual, card-index operation. By the 1960’s, the MIB Inc. was processing 10–15 million information requests annually by printing individual paper cards on letterpress printing machines.

Joseph C. Wilberding, MIB Inc.’s former general counsel and chairman of the board, managed its first computer automation project. In a revolutionary decision for 1965, the Executive Committee and Chairman Wilberding concluded that computer technology was approaching “state-of-the-art” and could be harnessed to perform risk underwriting operations.

The MIB Inc.’s automated computing system came “on-line” in June 1970 and was maintained by the Univac Division of the Sperry Rand Corporation. The system was headquartered at a fully-computerized site in Boston and linked to 760 member insurance company locations via a, “vast communications network” in the United States and Canada.

Member insurance companies also had computer terminals located in their offices which permitted on-line, real-time access to the MIB Inc. central database file in Boston. The computer system utilized RCA hardware, two central processing units, automatic teletypes, and four mass storage units containing the personal impairment data.

“Strict security precautions were and are observed at the central computer site and only authorized personnel with proper badge identification are permitted within the operating area. The uninterruptible power supply was installed to provide a continuous operating environment in the event of external power failure…Copies of the MIB master file and other critical files are stored off-site to guard against damage or loss.”
Excerpted from, “The History of the Automated MIB System” by Joseph C. Wilberding, Executive Director and General Counsel, Medical Information Bureau. (1970)

In retrospect, the MIB Inc. created the world’s first corporate, cloud computing platform for credit reporting. (By comparison, ARPANET, the system widely considered as the progenitor of the global Internet, had only sent its first on-­line message nine months earlier.)

By 1971, the MIB Inc. central database files contained “medical impairment records on about 11 million individuals.” Each day, “about 80,000 inquires” were submitted by members for checking against the central computer file. (MIB received 20 million checking inquires from its insurance company members in 1979, the last year for which information is publicly available.)

Eventually, the MIB Inc.’s thirst for sensitive personal information and medical data attracted public controversy. Throughout the 1970’s, the MIB Inc. received, “widespread criticism from consumer advocates, civil liberties groups, and Congressional spokespersons.”

Americans were especially outraged that individuals were rejected or charged higher prices by insurance companies, but had no control or ability to correct their files in the MIB Inc. central database.

3. Congress responds to privacy concerns by enacting strong legislation

On October 3, 1973, Mr. Wilberding was called to testify before the U.S. Senate Banking Committee, Subcommittee for Consumer Credit in Washington, D.C.

Under questioning by Senator William Proxmire, Mr. Wilberding explained that, “his computers contained data on 11 million people, including information about their sex lives, drinking patterns, and drug use, plus “medical” data on such hazardous hobbies as auto racing and flying.”

Additionally, Wilberding testified member insurance companies had been collecting and selling credit reports containing coded information on, “sexual deviation” and “social maladjustments.”

In a lengthy follow-up interview with the Baltimore Sun, Mr. Wilberding explained that the MIB’s “sexual deviation” code was “aimed primarily at homosexuals.” Whereas the “social maladjustment” code, Wilberding said, “included individuals ‘who are predatory and follow more or less criminal pursuits, such as racketeers, dishonest gamblers, prostitutes, and dope peddlers.’”

“Insurance Data Called Faulty — Medical Information Banks Scored by Ex-FBI Agent” published Oct. 4, 1973

Based on MIB’s decades-long collection of these so­-called “sexual deviation” and “social maladjustment” codes, millions of Americans experienced discrimination and moral judgement at the hands of the insurance industry.

Often, these credit reports included the personal judgments of investigators laced with prejudice.

“In 1972, a man in San Francisco discovered that a consumer report about him for a life insurance policy included the comment that he used ‘his hands in an effeminate manner, also talks in an effeminate manner.’”
Excerpted from “Reputation Regulation: Disclosure and the Challenge of Clandestinely Commensurating Computing” by Frank Pasquale; Chapter 6 of The Offensive Internet – Privacy, Speech, and Reputation. Harvard University Press. (2010)

At that time, the Medical Information Bureau (MIB, Inc.) was under no legal compulsion to reveal itself or its activities to its customers.

In his Congressional testimony, Mr. Wilberding said that applicants for insurance policies weren’t told their personal data could be made available to the hundreds of insurance company members of the MIB Inc. Wilbering further insisted that applicants, “shouldn’t be told.”

Wilberding explained that disclosure, “could possibly interfere with the sale of the policy by the salesman, and would result in more paperwork.”

But, Wilberding promised, “member companies had given, their “word of honor” not to reject an insurance claim on the basis of MIB information” alone.

Privacy researchers have since uncovered, “countless reports [that] included the fact that a prospected insured was living ‘without benefit of wedlock’” and “unverified rumors of homosexuality.”

A researcher working on his Ph.D. thesis at Harvard Business School discovered that, “MIB had five codes for AIDS.” (See, “Nobody Knows the MIB” by Simson Garfinkel. Excerpted from Database Nation: The Death of Privacy in the 21st Century (2000): Reprinted in Information Privacy Law (2nd Edition) by Daniel J. Solove.)

Under intense public and regulatory scrutiny in 1974, the MIB Inc. claimed to end its practice of collecting information about “sexual deviation” and “social maladjustments.” (At present, the MIB Inc. no longer keeps codes for homosexuality, effeminate behaviors, bachelorhood, HIV acquisition, and a woman’s questionable ‘moral character’ for giving birth out of wedlock.)

Mr. Wilberding’s testimony also revealed, in that era, the MIB Inc. did not independently verify whether the personal information it collected and sold was accurate or truthful.

Written testimony from a former Allstate Insurance Company underwriter

Pennsylvania was the first state to take action. There, “MIB’s secrecy roused the ire of former Insurance Commissioner Herbert S. Denenberg,” who pushed through regulations requiring disclosure notices about MIB after February 1974. Commissioner Denenberg spoke to the frustration of many citizens.

“It’s fraudulent taking this information and not letting the public know what is going on. When you have this kind of information being gathered, there’s a question of security, a lot of faulty information and it’s hard to find and correct errors.”
Pennsylvania Insurance Commissioner, Herbert S. Denenberg (See also, Pa. Ins. Dept. Bulletins, Use of The Medical Info. Bureau by Life Ins. Companies, dated Feb. 15, 1974 & May 3, 1974)

In 1975, Congress voted in 1975 to strengthen the Fair Credit Reporting Act. Due to the public outrage over the MIB Inc.’s practices, Congress specifically expanding the scope of the law to include “medical information” in credit reports.

4. Capitalizing on a new era of intesive credit scoring

The MIB Inc. central database now runs on modern cloud computing infrastructure. These days, the MIB Inc. central file database is more like Google for people’s pre-existing medical conditions and secret personal afflictions.

Upon the written authorization of a customer, the underwriter can efficiently access personal and medical information through the MIB Inc. web-portal. Within the MIB Inc. portal, the underwriter can: locate anyone’s MIB Inc. database file; evaluate the medical report data; request more details from other insurance companies; program alerts to automatically track the applicants’ possible undisclosed conditions for two years into the future; and sleuth out frequent-shoppers acquiring too much life insurance.

Your personal “Stress Index” score by LexisNexis

Although the MIB Inc.’s medical database is North America’s largest, its not the only source that insurers exploit. Another nationwide specialty consumer reporting agency, ExamOne (a Quest Diagnostics Company), has prescription drug records on more than 200 million Americans.

ScriptCheck, offered by ExamOne, a subsidiary of Quest Diagnostics, is yet another example of data mining — using sophisticated programs to scour databases in search of people’s personal information and then selling that info to interested parties.
And thanks to ScriptCheck, the insurer doesn’t have to give things a second thought. By purchasing this or a similar service, the insurer can be notified of all prescriptions you’ve filled in recent years, regardless of how you paid.

To collect billions of drug files daily, ExamOne hosts its own servers directly in the data centers of pharmacy benefit management companies.

With ExamOne’s “ScriptCheck” data product, underwriters have instant online access to the past seven years of individual prescription history reports, including: the drugs and dosages prescribed; dates filled and refilled; the therapeutic class; and the name and address of the prescribing doctor.

ScriptCheck by ExamOne also uses predictive modeling to provide insurers a “pharmacy risk score,” or a number that represents an “expected risk” for a group of people. As a warning to underwriters, higher scores signal higher potential costs.

An investigation by the Federal Trade Commission in 2007 found that ExamOne (aka, Ingenix/ MedPoint/ OptumInsight) and Milliman Inc., a similar prescription history credit reporting agency, had, “violated federal law for years by keeping the system hidden from consumers.”

Nevertheless, the federal and state credit reporting regulations that establish, “fairness, impartiality, and a respect for the consumer’s right to privacy” only provide consumer protection and relief if vigorously enforced. (15 U.S.C. § 1681(a)(4))

Prior to the passage of the Affordable Care Act, two-thirds of all health insurers were, “using prescription data — not only to deny coverage to individuals and families but also to charge some customers higher premiums or exclude certain medical conditions from policies, according to agents and others in the industry. Some carriers were also using the data to charge small employers higher group rates.”

More often than not, an individual’s first exposure to specialty credit reporting agencies is from a denial or rejection letter by an insurance company. The U.S. Supreme Court enumerated this challenge for individuals.

“It is the adverse action notice [denial or rejection letter] that generally triggers the consumer’s role. In the absence of such notice, there may be nothing to alert the consumer to check the report and no information as to how to check a report.”
Safeco Insurance Co. v. Burr, 551 US 47, 127 S.Ct. 2201, 167 L.Ed.2d 1045 (2007))

Notably, the Fair Credit Reporting Act provides a special protection for consumer credit reports containing “medical information”. (FCRA § 604(g)) The MIB Inc. and member insurers must obtain an individual’s written authorization prior to checking a medical credit report.

5. Fighting for fairness in data access and control

Consumers are constantly treading water in a dangerous ocean of their own medical and personal data.

Richard Cordray, Director of the Consumer Financial Protection Bureau (CFPB) has warned, “nationwide specialty consumer reporting agencies can have great influence over a consumer’s tenancy, insurance premiums, [checking accounts], or even employment.”

Before attempting to out-negotiate an underwriter about the value of your own life, you can potentially save thousands of dollars with a little paperwork. A proactive consumer will conduct the following protective actions:

  1. Contact each relevant specialty reporting agency to request free annual file disclosures (just like your credit reports, you’re entitled to specialty consumer reports annually for free, too);
  2. Verify all information delivered in those file disclosures;
  3. Read any insurance applications, scrutinizing for the “privacy” or “medical underwriting” notices; and
  4. Read any follow-up correspondence from the insurance company, taking specific note of any “adverse action” notices.

By the CFPB’s own estimate, there are approximately 400 companies operating as nationwide specialty consumer reporting agencies in the United States. Yet, the CFPB’s official list of credit reporting agencies contains less than 50 of those companies.

The CFPB has put everyone on notice that, as the chief privacy officer of your own life, checking “specialty consumer reports” is officially your responsibility.

ADDITIONAL RESOURCES—HOW TO REQUEST A SPECIALTY CREDIT REPORT

1. The Medical Information Bureau, Inc. (MIB Inc.)

The FTC has determined that MIB Inc. is a nationwide specialty consumer reporting agency because “MIB reports bear on consumers’ personal characteristics, and they are used in whole or part for the purpose of serving as a factor in establishing consumers’ eligibility for insurance.”

Federal and state laws grant individuals the right to freely request disclosure of a specialty credit report file from MIB Inc. (This request shall be without charge once every 12 months. A request shall also be free following an “adverse action”, denial of coverage, or registered identity theft.)

Contact the MIB Inc. to request

  • Telephone: 1-­866-­692­-6901
  • Postal Mail: MIB Inc., 50 Braintree Hill Park ­ Suite 400, Braintree, MA 02184
  • Online: www.MIB.com

2. ExamOne, a Quest Diagnostics Company

The FTC has determined that ExamOne is a nationwide specialty consumer reporting agency because ScriptCheck reports, “bear on consumers’ personal characteristics, and they are used in whole or part for the purpose of serving as a factor in establishing consumers’ eligibility for insurance.”

Federal and state laws grant individuals the right to freely request disclosure of a specialty credit report file from ExamOne, a Quest Diagnostics Company (aka, Ingenix, OptumInsight). (This request shall be without charge once every 12 months. A request shall also be free following an “adverse action”, denial of coverage, or registered identity theft.)

Contact ExamOne to request

  • Telephone: 1–844–225–8047
  • Postal Mail: ExamOne Headquarters, Attn: ScriptCheck Consumer Report Disclosure Compliance Department, 10101 Renner Blvd., Lenexa, Kansas 66219

3. Milliman Inc.

The Federal Trade Commission has determined that Milliman Inc. is a nationwide specialty consumer reporting agency because IntelliScript. reports, “bear on consumers’ personal characteristics, and they are used in whole or part for the purpose of serving as a factor in establishing consumers’ eligibility for insurance.”

Federal and state laws grant individuals the right to freely request disclosure of a specialty credit report file from Milliman Inc. (This request shall be without charge once every 12 months. A request shall also be free following an “adverse action”, denial of coverage, or registered identity theft.)

Contact Milliman Inc. to request

  • Telephone: 1–877–211–4816
  • Postal Mail: Milliman IntelliScript, Attn: FCRA Compliance Department, 15800 Bluemound Road, Suite 100, Brookfield, WI 53005


Joel Winston, Esq. is a New York-based attorney specializing in consumer protection law and commercial litigation. He also provides data privacy and regulatory compliance counsel to technology entrepreneurs and early-stage ventures. Joel is a former deputy attorney general for the State of New Jersey and previously served the Department of Justice, Office of the U.S. Trustee, in Manhattan.