There is a conspiracy of sorts to learn everything possible about you and sell your information to those who may profit from it. That information includes information about your health concerns. The Health Insurance Portability and Accountability Act (HIPAA) was supposed to make personal health information confidential. We’ve all likely experienced being told by a doctor’s office staff they can’t receive email because it could possibly violate HIPAA, since a third party may be able to intercept it. (I’m not sure why the fax machine is seemingly exempt.) Yet, despite these precautions there is a thriving business in personal health data.
Drug discount card purveyors are accused of making money on the side by selling our prescription data. Google keeps track of searches and can target advertising based on health conditions we search for. Recently, researchers at Duke University set out to see what they could buy from data brokers about people with mental health conditions. They found it’s easy to buy.
The research, conducted over the span of two months at Duke University’s Sanford School of Public Policy, which studies the ecosystem of companies buying and selling personal data, consisted of asking 37 data brokers for bulk data on people’s mental health. Eleven of them agreed to sell information that identified people by issues, including depression, anxiety and bipolar disorder, and often sorted them by demographic information such as age, race, credit score and location.
Aggregated data is thousands of people’s preferences summed up with individual preferences and conditions redacted. Aggregated data is of little use to advertisers. The data Duke was offered wasn’t aggregate data. It was personally identifiable information with specific conditions.
Some of the brokers were particularly cavalier with sensitive data. One made no demands on how information it sold was used and advertised that it could offer names and addresses of people with “depression, bipolar disorder, anxiety issues, panic disorder, cancer, post-traumatic stress disorder, obsessive-compulsive disorder and personality disorder, as well as individuals who have had strokes and data on their races and ethnicities,” the report found.
The Duke University report went on to say the data industry lacks best practices in the area of privacy, vetting which data buyers can access and scrutinizing their intended use. That’s a way of saying anybody can buy the data and use it for any purpose. The mail-order pioneer of his day, Aaron Montgomery Ward, famously said that everything at Montgomery Ward was expendable except his list of mail-order customers. If lost, those could not be replaced. It wasn’t enough to know thousands of people in the Midwest liked specific products. He needed to know who was buying his products. The same is true with health data. Data on people with personally identifiable information is valuable to advertisers.
Data brokers, which deal in the buying, repackaging and selling of people’s identifying information and details about them, have grown into a thriving but shadowy industry. Companies in the industry are rarely household names and often say little publicly about their business practices.
Why does HIPAA not protect the data of mental health patients? It does, but only under certain circumstances and only by some entities.
Some medical information can be protected with laws like the Health Insurance Portability and Accountability Act, commonly known as HIPAA. But HIPAA applies only when that information is held by a specific “covered entity,” such as a hospital or a certain kind of health care organization.
Justin Sherman, a senior fellow at Duke’s Sanford School of Public Policy who runs its data brokerage project and oversaw the report, said other entities that store health data, including most phone apps, aren’t regulated through HIPAA, leaving data brokers with a number of options to legally purchase such data.
“There are many, many places where this data could have come from, because so many entities are not covered by HIPAA’s health data sharing constraints,” Sherman said.
How the data brokers were able to obtain and repackage mental health information was beyond the scope of the report. However, in 2021 a Consumer Reports investigation found that some mental health apps were selling personal information to advertisers. The bottom line is that just about everything about us is fair game for data brokers selling information to advertisers. This includes our purchasing habits, our web surfing and our health maladies.