In one sense, they probably are "legit". They are likely above-board in collecting assorted information (credentialing, etc) and selling it to other legitimate companies that have a legal need for it.
On the other hand, as John points out, they are part of a very profitable HIT sector that buys and sells information about us, to the benefit of everyone except us.
Ask anyone 10 years old and up and they will tell you: if an unsolicited person asks you for information in an email or online, don't give them your name, address, SS#, etc, etc. It is likely spam, phishing, or worse. Somehow in healthcare we have grown so accustomed to handing out this information that we may produce it too willingly or without some compensation. If part of your contract with an insurance company says that you will freely provide this information to their designated go-between (like Enclarity) then you may have to do so. Otherwise, tell them "no thanks" or if you choose, quote a price of what it will cost them to get the information. Just my two cents.
