Something very strange happened to me recently. I ordered some groceries from Amazon Fresh. When checking out, Amazon suggests other things you may want to buy, usually related to your purchase. But this time, Amazon offered “treatments for high cholesterol” along with a link for a medical consultation on Amazon One, as well as links to prescription medications.
This is weird, because my doctor and my wife are the only ones who know my cholesterol numbers. And they’re pretty good, too! But there are certainly data points, including my age, food preferences and past purchases, maybe even news reports I’ve read elsewhere on the internet, that might suggest I’d be a good candidate for a statin, the kind of cholesterol-lowering drug Amazon recommended to me. And while I’m used to Amazon recommending books I might like or cleaning products I might want to buy again, pushing prescription drugs on me was pretty creepy.
It’s entirely possible that the Amazon recommendations I saw on this particular grocery order were coincidental. The next time I ordered groceries, the app recommended bacon, not statins. At first, I thought it might be a test or a bug on Amazon’s part, but when I asked what was behind the recommendations, the company confirmed it was a feature, not a bug.
“Amazon displays products that may be related or similar to the item currently being purchased,” Amazon spokeswoman Samantha Kruse said in an email. “Protected health information from Amazon Health Services, including Amazon One Medical and Amazon Pharmacy, is not used to market or promote general merchandise in the broader Amazon store.”
In other words, Amazon may use information from your purchases to suggest prescription drugs to you, but it will not use your protected medical information to sell you other goods.
The mere fact that Amazon is targeting me for a health issue draws attention to the disturbing amount of information Amazon has gathered from my online activity—and to the fact that Amazon is a healthcare company that can collect vast amounts of data and pressure customers into treatments accordingly.
It’s perhaps no surprise that Amazon operates with an enormous amount of data about us and our purchases. But over the past four years, Amazon has launched its own pharmacy business and bought One Medical, a primary care startup that could connect Amazon customers directly with doctors.
It’s clear that Amazon’s ambitions in the healthcare space are massive. We don’t yet know exactly how this will change the Amazon shopping experience for everyone—but perhaps my recent shopping experience was a preview.
Before I get too worked up about Dr. Amazon, let’s take a closer look at what the retail giant knows about its customers and how.
Amazon is known as the “everything store,” where you can buy everything from battery acid to statins. Like most websites, Amazon collects data about your activity on the site—the things you buy, the things you don’t buy, and the things you’re considering buying. Based on these interests, Amazon builds a profile and uses algorithms to recommend things you might want to buy next. Amazon is proud of these algorithms. (The total amount of data Amazon collects about you goes way beyond your shopping habits, by the way.)
And then there’s Amazon’s booming ad business. The company’s advertising arm now competes with the duopoly of Google and Meta that has dominated online advertising for years, in part because of the vast amount of data Amazon has on what people buy, what they watch, where they live and so on. Amazon says it uses “cookies, pixels, IP addresses and other technologies” to target those ads, which is why you can find Amazon tracking bugs on sites across the web. These trackers could know, for example, whether I looked up a health-related question on WebMD and use that data to customize recommendations on Amazon, says Christo Wilson, a computer science professor at Northeastern University.
“There may be an Amazon tracker lurking on the site, monitoring what you’re doing, and that’s how you might end up seeing these kinds of crazy ads,” Wilson told me.
Or, more likely, maybe it was just a pattern in my shopping history. My grocery order that triggered the recommendation for a cholesterol-lowering drug included shredded cheese, salsa, tomatoes, flour tortillas—and most importantly, ground chicken. Was that a clue? It’s a heart-healthy alternative to ground beef, after all, and taco night was coming up. I also bought the fat-free version of Coffee Mate French Vanilla coffee creamer, which is delicious and cholesterol-free. But do these purchases make me an obvious target for cholesterol counseling from Amazon One Medical? And should my Amazon purchases even be associated with Amazon’s healthcare services?
Amazon One Medical is a relatively new service. Amazon bought One Medical in 2022 and combined it with its telemedicine service Amazon Clinic earlier this summer. Now, Prime members can pay $99 a year to get access to Amazon One Medical. For $5 a year, Prime members can access discounted medications with the Amazon Pharmacy RxPass. While I’m a Prime member, I’m not an Amazon One Medical customer and don’t use Amazon Pharmacy. So, given my choice of healthy tacos, an algorithm might suspect that as someone who proactively takes care of their healthcare needs, I might be interested in Amazon’s healthcare offerings.
When Amazon bought One Medical, the FTC and others raised concerns about Amazon’s incursions into the healthcare industry and the potential impact on sensitive health data. Around that time, The Washington Post reported that customers waived some of their rights regarding their health data when they signed up for Amazon Clinic. None of this calmed my question about whether it was legal for Amazon to use my complex purchase history to target me with healthcare products.
As far as I know, Amazon can. HIPAA, the federal health care privacy law, is narrower than most people think. It applies only to health care providers, insurers and companies that manage medical records. HIPAA requires these companies to protect your data as it is exchanged between them, but according to Suzanne Bernstein, a legal assistant at the Electronic Privacy Information Center (EPIC), that doesn’t apply to your purchases on Amazon.
“This background is especially important as Amazon and other companies continue to collect, process and use enormous amounts of consumer health data that falls outside the scope of HIPAA,” Bernstein said. “And it’s not the fault of American consumers that they don’t necessarily know all this.”
In the absence of any federal protections, some states have passed their own privacy laws. California may be best known for giving its citizens more control over their data, but Washington state changed the conversation around health data privacy last year with the passage of the My Health My Data Act. That law defines consumer health data much more broadly, Bernstein explained, to cover any information about a consumer’s past, present or future health condition. That could mean Washington residents have a right to privacy if their Amazon purchases indicate a health condition. So far, it’s unclear how the law might apply to Amazon, which is based in Washington.
I’m still trying to process my recent experience with statins on Amazon and I still have more questions than answers. Does Amazon plan to regularly target its customers with prescription drug recommendations? Am I the only one who finds this more intrusive than convenient? Or does Amazon know what people really want, even if it feels a little creepy at first?
I can’t know the answers to these questions, but I do know one thing: taco night with heart-healthy ground chicken is a hit.
A version of this story was also published in the Vox Technology newsletter. Register here so you don’t miss the next one!