Looking for lists of people with depression, anxiety, bipolar disorder, PTSD, or OCD? No problem. There are lots of companies who would love to sell it to you. They can even include names, emails, home addresses, income, ethnicity, and details about people’s children. It’s cheap too, with minimum purchases of just hundreds of dollars. One company offers records on the mental health of 10,000 people starting at $0.20, with a discount if you buy in bulk.
A new study published by Duke University’s Sanford School of Public Policy found nearly a dozen data brokers offering to sell mental health data at rock bottom prices, often with almost no vetting of the person trying to buy the data and minimal restrictions on how the information is used. Many implied they can provide identifiable details like names and contact information.
In the shadows of the internet, an ocean of data brokers scrape up the information that many of us don’t even realize we’re leaving behind and repackage it for advertisers or anyone else who wants it. Many people assume there are laws that protect the most sensitive parts of our lives. That is not the case.
“There are data brokers which advertise and are willing and able to sell data concerning Americans’ highly sensitive mental health information,” author Joanne Kim said in the report. “The research is critical as more depressed and anxious individuals utilize personal devices and software-based health-tracking applications,” which are not covered by HIPAA.
You read that correctly. HIPAA, the Health Insurance Portability and Accountability Act, does not protect your medical privacy. Its health data rules only apply to “covered entities,” which generally means doctors and health care providers, insurance companies, and businesses who work with them directly.
But there are plenty of ways you give away your medical secrets when you aren’t interacting with health care providers and insurance companies. Mental health apps, visits to sites like WebMD, and even prescription discount services like GoodRx harvest information about your medical ailments, with zero protections from HIPAA. Regulators are only just starting to step in and do something about it, and it isn’t even clear whether US law gives them the authority.
Kim contacted 37 data brokers asking to buy mental health data. Of those, 26 wrote back, and ultimately 11 of them were willing to sell the data. The study doesn’t name any data brokers because of confidentiality agreements the brokers asked for during Kim’s discussions.
One data broker was so eager that sales representatives repeatedly called Kim’s phone when she was slow to respond to emails.
The requests included a “Data Elements Wish List” naming specific ailments like depression and anxiety, as well as common antidepressants like Zoloft, Lexapro, and Prozac. The industry was happy to oblige.
Collectively, the data brokers offered a wide variety of information going far beyond Kim’s requests, including data on DNA tests, insurance plans, connected medical devices, the costs of medical procedures, data on abortion clinics, details about people’s ability to pay for care, and a long list of other information.
The data brokers also pair such data with other information like social security numbers, credit scores, net worth, unrelated retail purchases, details about pets and children in the house, exercise habits, criminal records, and religion (including data sets with names like “active living Jews”).
This isn’t the first time the data broker business was caught selling sensitive health information. Just after the Supreme Court overturned Roe v. Wade, a Gizmodo investigation found dozens of data brokers selling 2.9 billion profiles of U.S. residents pegged as “actively pregnant” or “shopping for maternity products.”
The Federal Trade Commission just took groundbreaking steps to address our rampant health privacy problems, but the effort is on shaky ground. At the beginning of February, the FTC reached a settlement with GoodRx, fining the company $1.5 million for sending users’ prescription data to Google and Meta (owner of Facebook). Essentially, the settlement is an attempt to declare that it’s illegal to use health data for advertising without explicit consent.
However, it’s not clear whether that will hold up in the long run. The FTC has the authority to regulate “unfair and deceptive trade practices,” and the GoodRx settlement uses that power as a legal justification to wade into health privacy. But we don’t know whether that legal argument can survive a court battle, because the FTC and GoodRx settled instead of going to court.
The health data buffet runs counter to many people’s expectations about medical privacy. A number of Democratic senators, who tend to be more privacy friendly, supported a bill that would enshrine protections for health information last year, including senators Bernie Sanders, Elizabeth Warren, and Ron Wyden. The bill died after a lackluster response.
Even at the state level, privacy laws offer little, if any, protection. For example, California’s CCPA, updated this year with a new law called the CPRA, generally forces consumers to take proactive steps if they want to do anything to protect their privacy, and it does very little to stop bad data behavior that’s already happening.
California and Vermont both have laws that require data brokers to register with the state, but they don’t require any change in business practices. California’s list tops 400 different companies that probably have your data for sale.