Spam Filter Failure: Selling Physician Emails Equals Big $$

Kate Hitchcock, MD, PhD


December 09, 2021

Despite the best efforts of my institution's spam filter, I've realized that I spend at least 4 minutes every day of the week removing junk email from my in basket: EMR vendors, predatory journals trying to lure me into paying their outrageous publication fees, people who want to help me with my billing software (evidently that .edu extension hasn't clicked for them yet), headhunters trying to fill specialty positions in other states, market researchers offering a gift card for 40 minutes filling out a survey.

If you do the math, 4 minutes daily is 1460 minutes per year. That's an entire day of my life lost each year to this useless nonsense, which I never agreed to receive in the first place. Now multiply that by the 22 million healthcare workers in the US, or even just by the 985,000 licensed physicians in this country. Then factor in the $638 per hour in gross revenue generated by the average primary care physician, as a conservative, well-documented value.

By my reckoning, these bozos owe the US alone over $15 billion in lost GDP each year.

So why don't we shut it down!? The CAN-SPAM Act of 2003 attempted to at least mitigate the problem. It applies only to commercial entities (I know, I'd love to report some political groups, too). To avoid violating the law and risking fines of up to $16,000 per individual email, senders must:

  1. Not use misleading header info (including domain name and email address)

  2. Not use deceptive subject lines

  3. Clearly label the email as an ad

  4. Give an actual physical address of the sender

  5. Tell recipients how to opt out of future emails

  6. Honor opt-out requests within 10 business days

  7. Monitor the activities of any subcontractor sending email on their behalf

I can say with certainty that much of the trash in my inbox violates at least one of these. But that doesn't matter if there is not an efficient way to report the violator and ensure that they'll be tracked down. Hard enough if they live here, impossible if the email is routed from overseas, as much of it clearly is.

If you receive email in violation of the act, experts recommend that you write down the email address and the business name of the sender, fill out a complaint form on the Federal Trade Commission website or send an email to, then send an email to your internet service provider's abuse desk. If you're not working within a big institution like mine that has hot and cold running IT personnel that operate their own abuse prevention office, the address you'll need is likely abuse@domain_name or postmaster@domain_name. Just hitting the spam button at the top of your browser/email software may do the trick. There's more good advice at the FTC's consumer spam page.

The people not violating the law, though, are wasting my time every bit as flagrantly. How are they getting my email address in the first place?

The answer came, ironically, to my email inbox in the form of one of those emails that did indeed violate the law.

I rolled my eyes and started into my reporting subroutine but then stopped cold. Just one second. If this person is selling lists of email addresses of conference attendees, somebody within the conference structure must be providing them. How is that legal? I have never agreed, in registering for a medical conference, to allow them to share my email address with anyone. To think that they are making money from that is extremely galling.

Vermont, at least, has enacted a law requiring companies that traffic in such email lists to register with the state. Although it has been in effect for 2 years, the jury is out regarding its efficacy. Our European counterparts are protected by the General Data Protection Regulation, which specifies that commercial email can only be sent to individuals who have explicitly opted into such mailings, and that purchased email lists are not compliant with the requirement.

Figure: A quick Google search gives 120 million hits on ways to purchase physician email lists.

Anybody have the inside scoop on this? Can we demand that our professional societies safeguard their attendee databases so this won't happen? If they won't, why am I paying big money to attend their conferences, only for them to make even more money at my expense?

I'd love to hear your thoughts in the comments.


About Dr Kate Hitchcock
Kate Hitchcock, MD, PhD, is a radiation oncologist, biomedical engineer, and retired aircraft carrier driver who grew up as a Wyoming cowgirl. When she is not at the hospital, you can find her with Carolyn, Mary, Tyler, Nick, Marlee, and Colby the barking dog, enjoying the natural splendor of the great state of Florida. She thinks you should visit sometime and try to solve the puzzle of why the natives have so carefully shunted all of the tourists toward the House of Mouse. Connect with her on Twitter: @hitchcock_kate

