User Data Sold by Brokers, Privacy at Risk
In the last few years, the demand for mental health care skyrocketed, leading many Americans to rely on software-based virtual health and wellness apps. To register, users typically provide personal and medical histories and complete mental health assessments, similar to a doctor’s office visit.
However, there is limited federal oversight to ensure data privacy. A 2023 Duke University report discovered data brokers selling information that identified individuals by their mental health diagnoses, such as depression, anxiety, and bipolar disorder. While many brokers removed personal details, some still included names and addresses of those seeking help.
“We uncovered data brokers selling a range of data about all kinds of mental health conditions dealt with by Americans ranging from depression and anxiety to PTSD, OCD, people battling trauma, and even actually, people who had suffered strokes…”– Justin Sherman, Senior Fellow, Duke Sanford School of Public Policy
Below are some of the “key findings” discovered during the investigation:
- Out of the 37 data brokers contacted for this report, 11 were willing and able to sell mental health data, with unclear deidentification or aggregation practices.
- The 10 most engaged brokers advertised highly sensitive mental health data, including information on depression, ADHD, bipolar disorder, ethnicity, age, gender, and more.
- Pricing for mental health data varied, with one broker charging $275 for 5,000 aggregated counts, while others charged upwards of $75,000 or $100,000 per year for subscription access!
- Some brokers imposed data use limitations on the sale of mental health information, ranging from “single-use” to “multi-use” based on the firm and the product purchased.
- Upon examining privacy policies, it seems that data brokers are generally hesitant to provide their customers with access and transparency concerning the collection and modification of personal information.
Is Your Health Data Protected by Health Tracker Apps?
The study carried out by Duke University found that, in some instances, names, addresses, emails, and even race and ethnicity data, along with the number of children in the household, were attached to the information. Most Americans assume their health data is always protected, but this is not the case.
Numerous companies not governed by strict health privacy regulations can legally collect, share, and sell such data. This allows advertising firms, pharmaceutical companies, and health insurance providers to access and use this data for purposes such as targeted advertising, consumer profiling, and potentially determining health plan pricing.
In some states, like California, consumers can request that their information not be sold under specific circumstances, thanks to state privacy laws. However, not all states have such regulations, and no federal law is applicable nationwide.
The main issue is that most people are unaware that their data is being collected and sold in the first place. Furthermore, even if individuals were aware, identifying every data broker to request the cessation of data sales would be challenging.
The obscurity of the market and the clandestine operations of many companies make it extremely difficult for consumers to take action without more robust privacy regulations from the government.
Fitness Tracker Apps
Data breaches can expose sensitive information from fitness trackers, which connect to users’ phones via Bluetooth and are vulnerable to hacking. Although not considered “health information” under federal or state laws, personal data from fitness trackers can be shared or sold to third parties like data brokers or law enforcement.
Additionally, some providers may use the collected data for ad revenue. To protect privacy, consumers should review the provider’s terms of service before purchasing a fitness tracker and ensure there’s an option to opt out of data sharing if desired.
Weight Loss Apps
Privacy International estimates that the average weight loss app asks users at least 50 questions related to their mental and physical health as well as their medical profile. The organization discovered that many also actively shared all consumer data with analytics firms.
In October 2020, Noom, a popular weight loss app, and a related consumer data analytics firm, faced a lawsuit accusing them of illegal wiretapping, eavesdropping, and invasion of privacy for tracking users’ actions on the app. A judge later dismissed the case.
Fullstory defended itself by stating that the weight loss app’s embedded script for collecting information was temporarily downloaded onto users’ devices and active only while connected to the website, being deactivated or deleted afterward. Yet, despite the lawsuit’s outcome, the legal challenge highlights concerns over this kind of commercial data sharing.
Period Tracker Apps
Using menstrual cycle tracking apps can provide useful predictions, but they also collect sensitive data, potentially even more than users realize. These apps may gather information about sexual activity, pregnancy attempts, and miscarriages.
In 2020, Consumer Reports found that five popular period tracker apps stored users’ data in the cloud without guaranteeing that it wouldn’t be shared with third parties.
Privacy concerns have risen as this data could be used to target users with ads, impact life insurance coverage, or loan interest rates. With the overturning of Roe v. Wade, users may worry that fertility and period data could be used against them as evidence of abortion in legal proceedings. This data could also expose people to civil liability in states like Oklahoma and Texas.
Consumer Reports’ Digital Lab evaluated four privacy-focused period tracker apps: Drip, Euki, Lady Cycle, and Periodical. They looked for two key privacy features: local data storage and no third-party tracking services.
Comparing these to four other popular apps, they recommended Drip, Euki, and Periodical, which provide these privacy protections.
Are Mobile Health Apps Regulated?
If you’re concerned about privacy, especially after Google’s acquisition of Fitbit, it’s essential to monitor where your health and fitness data goes and who has access to it. Wired magazine recently ran an audit to see if wellness data is kept private or shared only by choice. Here’s a look at what their study found as it relates to some of the most popular health tracker apps.
For Apple Health, ensure your data is encrypted, and review permissions for linked apps. You can disconnect apps and delete data shared with Apple Health. Check data sharing with others and remove friends if necessary. Disable Fitness Tracking in iOS Settings to block Apple Health’s access to phone sensors.
Does HIPPA Apply to Apps?
When it comes to mobile apps, HIPAA may apply if the app is developed, managed, or used by a covered entity or a business associate, and if the app handles PHI. For example, if an app is used by a healthcare provider to store, process, or transmit PHI, such as patient records, appointment details, or prescription information, it would likely be subject to HIPAA regulations.
However, not all apps that collect or deal with health-related information are subject to HIPAA. Apps that are designed for individual use and do not involve a covered entity or business associates, such as fitness trackers or personal health diaries, may not be subject to HIPAA.
Ultimately, determining whether an app is subject to HIPAA will depend on its specific use case and the relationship between the app developer, the users, and any covered entities or business associates involved. Developers of health-related apps should carefully assess their obligations under HIPAA and ensure that their app is compliant if necessary.
Does Our Healthcare App Need to be HIPAA-Compliant?
A healthcare app needs to be HIPAA-compliant if it deals with protected health information (PHI) and is used by a covered entity or business associate. Covered entities include healthcare providers, health plans, and healthcare clearinghouses, while business associates are third-party companies that access, store, or transmit PHI on behalf of a covered entity. If an app manages, stores, or transmits PHI for these organizations, it must adhere to the privacy and security rules established by HIPAA to safeguard patient data.
Is an App Considered a Medical Device?
Based on the FDA’s definition, an application is deemed a medical device if utilized in detecting, curing, mitigating, treating, or preventing diseases.
The surge in demand for mental health care during the pandemic has led to increased reliance on health and wellness apps. While these apps offer support and convenience, they also raise significant data privacy concerns. The lack of robust federal regulations leaves users vulnerable to having their personal health information sold or shared by data brokers and third parties.
This affects targeted advertising and consumer profiling and may also have implications on health plan pricing and legal liabilities. It is crucial for users to be vigilant about the apps they use, review privacy policies, and stay informed about their rights under state and federal laws. Ultimately, more comprehensive privacy regulations and increased public awareness are needed to ensure the protection of consumers’ sensitive health information.
- CNBC, Cheryl Winokur Munk; “The Biggest Security Risks of Using Fitness Trackers and Apps to Monitor Your Health,” November 2022.
- Consumer Reports, Catherine Roberts; “These Period Tracker Apps Say They Put Privacy First. Here’s What We Found,” May 2022.
- PBS, William Brangham and Sarah Clune Hartman; “Personal User Data from Mental Health Apps Being Sold, Report Finds,” February 2023.
- Privacy International; “What exactly are dieting apps doing with all your data?,” August 2021.
- Duke University; “Data Brokers and the Sale of Americans' Mental Health Data,” February 2023.
- Wired Magazine; “How to Lock Down Your Health and Fitness Data,” November 2019.