That might be interesting indeed, but it does bring up another question. Is this form for other forms of communication as well? Such as postal mail? Is it a way for all customers including those do not have an online account to opt-out of marketing communications? If it is, how else could they implement something like this?
As someone who gets hit by reverse identity theft[1] regularly, I'm convinced that requiring anything other than "proof that the email address is actually yours" makes you scum. If your only point of contact with a customer is an email address that isn't actually theirs, they aren't getting your communications anyway. And with that, I'm off to call a hospital I've never been to because they don't even have an unsubscribe link or any email point of contact at all.
