Your Mental Health Data for Sale or Rent — 20¢

U.S. data brokers are selling PII about mental health conditions—such as depression, anxiety, bipolar disorder, PTSD and OCD.

Roses are red; violets are blue. We need new laws: HIPAA failed you.

TIL Saint Valentine is also the patron saint of epilepsy. In today’s SB Blogwatch, we love privacy.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Doctor Who “sings.”

US GDPR ASAP

What’s the craic? Drew Harwell reports—“Now for sale: Data on your mental health”:

Questionable privacy practices
One company advertised the names and home addresses of people with depression, anxiety, post-traumatic stress or bipolar disorder. Another sold a database [for] $275 per 1,000.

And the sale of it is perfectly legal in the United States, even without the person’s knowledge or consent. … Duke University’s Sanford School of Public Policy outlines how expansive the market for people’s health data has become. … After contacting data brokers to ask what kinds of mental health information she could buy [some] brokers offered personally identifiable data featuring names, addresses and incomes.

The number of places people are sharing their data has boomed, thanks to a surge of online pharmacies, therapy apps and telehealth services [with] questionable privacy practices. … The Health Insurance Portability and Accountability Act, known as HIPAA [allows] app makers and other companies to legally share or sell the data however they’d like. … The data-broker industry remains unregulated at the federal level, and the United States lacks a comprehensive federal privacy law.

You can say that again. Thomas Germain says that again—“Data Brokers Are Selling Long Lists of People With Depression and Anxiety … PTSD, and more”:

Data on abortion clinics
Looking for lists of people with depression, anxiety, bipolar disorder, PTSD, or OCD? No problem. There are lots of companies who would love to sell it to you. They can even include names, emails, home addresses, income, ethnicity, and details about people’s children. It’s cheap too: … starting at $0.20 [per person], with a discount if you buy in bulk.

The health data buffet runs counter to many people’s expectations about medical privacy, [but] health data rules only apply to “covered entities,” which generally means doctors and health care providers, insurance companies, and businesses who work with them directly. … Apps, visits to sites like WebMD, and even prescription discount services like GoodRx harvest information about your medical ailments, with zero protections from HIPAA.

In the shadows of the internet, an ocean of data brokers scrape up the information that many of us don’t even realize we’re leaving behind and repackage it. … The data brokers offered a wide variety of [other] information … including data on DNA tests … data on abortion clinics, details about people’s ability to pay for care, and a long list of other information … (including data sets with names like “active living Jews”).

Horse’s mouth? Duke’s Joanne Kim—“The Exchange of Our Most Sensitive Data and What It Means for Personal Privacy”:

Lack of clear consumer privacy protections
This report includes findings from a two-month-long study of data brokers and data on U.S. individuals’ mental health conditions. The report aims to make more transparent the data broker industry and its processes for selling and exchanging … data about depressed and anxious individuals.

The research is critical as more depressed and anxious individuals utilize personal devices and software-based health-tracking applications … often unknowingly putting their sensitive mental health data at risk. This report finds that the industry appears to lack a set of best practices for handling individuals’ mental health data, particularly in the areas of privacy and buyer vetting.

It finds that there are data brokers which advertise and are willing and able to sell data concerning Americans’ highly sensitive … information. It concludes by arguing that the largely unregulated and black-box nature of the data broker industry, its buying and selling of sensitive … data, and the lack of clear consumer privacy protections in the U.S. necessitate a comprehensive federal privacy law or, at the very least, an expansion of HIPAA’s privacy protections alongside bans on the sale of mental health data on the open market.

Where to start? autoexec, obvs:

Life long consequences
Industry will not do the right thing, and the market has failed to provide a solution to this problem, so it looks like we need laws with real teeth and sustained oversight to enforce those laws. … People are being forced to decide if they should seek out healthcare or support for their conditions and accept that they’ll be branded with that for the rest of their lives in countless databases sold to anyone willing to pay or if they should just suffer in silence and avoid the doctors, medications, and online communities that might help them.

Right now, expect that your health conditions are up for sale and being passed around like candy to anyone willing to pay for it. It’s bad enough that lists of people who are addicts, prone to impulsive purchases, or easily confused/tricked are extremely valuable to scammers and advertisers, but that same data can cost you a job or housing and open you up to harassment.

The same is true for anyone calling a crisis service, such as a suicide hotline or a rape crisis center or those visiting shelters and mental health clinics. People’s phone records and GPS logs have been available for sale for a very long time. The last thing someone in crisis should need to worry about are the life long consequences of dialing one of these phone numbers or walking into a clinic.

What can we learn? javaman235 sums it up:

The moral of that story is: If you are having symptoms, do not seek help, it will be used against you. This is why HIPAA exists.

Would people get transmissible diseases treated if they knew the diagnosis of them could make them lose their jobs? Medical privacy is a part of effective medicine.

Oh, and DarkestArkansas offers this reminder, too:

Oh, and don’t forget that your pharmacy records are part of this game, too. You have no control over anything, yet mysteriously all your data gets parted, parceled and sold to everybody.

We Americans have the ****tiest for-profit healthcare system that just screws and exploits everybody in its pathway. Yet we love it and squeal like pigs if anybody ever says “single-payer system.” But if you add up Medicare, Medicaid, VA Healthcare and TriCare, you already have 51 percent government healthcare. Let’s stop the insanity and have Medicaid for all. We pay twice as much as the rest of the world for the poorest outcomes. This is ridiculous.

How do you feel about that? See how it makes aNukedHamster feel:

Cool cool cool. I’ll add it to my growing list of things that keep me generally anxious most of the time.

I will sit right down. Waiting for the gift of sound+vision [You’re fired—Ed.]:

Strong data privacy laws are the only way to fix this. HIPAA isn’t it.

Them You-row-pee-uns is laughing at us. Here’s LemmyInThePub:

Need I ask why the USA hasn’t adopted a data protection law to prevent such shenanigans? The only people objecting to the GDPR are scummy businesses who haven’t yet understood that harvesting and/or selling personal data without consent is both not ethical and no longer a legal business model.

Meanwhile, get off intheweb3’s lawn:

I was stunned when a pharmacy offered a special “discount” and asked me to enter both my name and birthdate on a touch screen while the cashier waited. … When I refused and decided I didn’t want the discount anyway because they were asking for my birthdate, the teenaged cashier looked at me as if I was hopelessly out of touch.

And Finally:

Too much time on your hands? Make a YouTube video.



You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Matthew Ball (via Unsplash; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
