BlankNothing's safe any longer if its on-line!
Steve
Data brokers sell details about people's mental health status, study says .
Drew Harwell.
One company advertised the names and home addresses of people with depression,
anxiety,
post-traumatic stress or bipolar disorder. Another sold a database featuring
thousands of
aggregated mental health records, starting at $275 per 1,000 "ailment contacts.
For years,
data brokers have operated in a controversial corner of the internet economy,
collecting and
reselling Americans' personal information for government or commercial use,
such as targeted
ads. But the pandemic-era rise of telehealth and therapy apps has fueled an
even more
contentious product line: Americans' mental health data. And the sale of it is
perfectly
legal in the United States, even without the person's knowledge or consent. In
a study
published Monday, a research team at Duke University's Sanford School of Public
Policy
outlines how expansive the market for people's health data has become. After
contacting data
brokers to ask what kinds of mental health information she could buy,
researcher Joanne Kim
reported that she ultimately found 11 companies willing to sell bundles of data
that
included information on what antidepressants people were taking, whether they
struggled with
insomnia or attention issues, and details on other medical ailments, including
Alzheimer's
disease or bladder-control difficulties. Some of the data was offered in an
aggregate form
that would have allowed a buyer to know, for instance, a rough estimate of how
many people
in an individual Zip code might be depressed. But other brokers offered
personally
identifiable data featuring names, addresses and incomes, with one data-broker
sales
representative pointing to lists named "Anxiety Sufferers" and "Consumers With
Clinical
Depression in the United States. Some even offered a sample spreadsheet. It was
like "a
tasting menu for buying people's health data," said Justin Sherman, a senior
fellow at Duke
who ran the research team. "Health data is some of the most sensitive data out
there, and
most of us have no idea how much of it is out there for sale, often for just a
couple
hundred dollars. The Health Insurance Portability and Accountability Act, known
as HIPAA,
restricts how hospitals, doctors' offices and other "covered health entities"
share
Americans' health data. But the law doesn't protect the same information when
it's sent
anywhere else, allowing app makers and other companies to legally share or sell
the data
however they'd like. Some of the data brokers offered formal customer complaint
processes
and opt-out forms, Kim said. But because the companies often did not say where
their data
had come from, she wrote, many people probably didn't realize the brokers had
collected
their information in the first place. It was also unclear whether the apps or
websites had
allowed their users a way to not share the data to begin with; many companies
reserve the
right, in their privacy policy, to share data with advertisers or other
third-party
"partners. Privacy advocates have for years warned about the unregulated data
trade, saying
the information could be exploited by advertisers or misused for predatory
means. Health
insurance companies and federal law enforcement officers have used data brokers
to
scrutinize people's medical costs and pursue undocumented immigrants. Mental
health data,
Sherman said, should be treated especially carefully, given that it could
pertain to people
in vulnerable situations - and that, if shared publicly or rendered
inaccurately, could lead
to devastating results. In 2013, Pam Dixon, the founder and executive director
of the World
Privacy Forum, a research and advocacy group, testified at a Senate hearing
that an Illinois
pharmaceutical marketing company had advertised a list of purported "rape
sufferers," with
1,000 names starting at $79. The company removed the list shortly after her
testimony. Now,
a decade later, she worries the health-data issue has in some ways gotten
worse, in large
part because of the increasing sophistication with which companies can collect
and share
people's personal information - including not just in defined lists, but
through regularly
updated search tools and machinelearning analyses. "It's a hideous practice,
and they're
still doing it. Our health data is part of someone's business model," Dixon
said. "They're
building inferences and scores and categorizations from patterns in your life,
your actions,
where you go, what you eat - and what are we supposed to do, not live? The
number of places
people are sharing their data has boomed, thanks to a surge of online
pharmacies, therapy
apps and telehealth services that Americans use to seek out and obtain medical
help from
home. Many mental health apps have questionable privacy practices, according to
Jen
Caltrider, a researcher with the tech company Mozilla whose team analyzed more
than two
dozen last year and found that "the vast majority" were "exceptionally creepy.
Federal
regulators have shown a recent interest in more aggressively assessing how
companies treat
people's health details. The Federal Trade Commission said this month that it
had negotiated
a $1.5million civil penalty from the online prescription-drug service GoodRx
after the
company was charged with compiling lists of users who had bought certain
medications,
including for heart disease and blood pressure, and then using that information
to better
target its Facebook ads. An FTC representative said in a statement that
"digital health
companies and mobile apps should not cash in on consumers' extremely sensitive
and
personally identifiable health information. GoodRx said in a statement that it
was an "old
issue" related to a common software practice, known as tracking pixels, that
allowed the
company to "advertise in a way that we feel was compliant with regulations.
After the
Supreme Court overturned Roe v. Wade last summer and opened the door to more
state abortion
bans, some data brokers stopped selling location data that could be used to
track who
visited abortion clinics. Several senators, including Elizabeth Warren
(D-Mass.), Ron Wyden
(D-Ore.) and Bernie Sanders (I-Vt.), backed a bill that would strengthen state
and federal
authority against health data misuse and restrict how much reproductive-health
data tech
firms can collect and share. But the data-broker industry remains unregulated
at the federal
level, and the United States lacks a comprehensive federal privacy law that
would set rules
for how apps and websites treat people's information more broadly. Two states,
California
and Vermont, require the companies to register in a data-broker registry.
California's lists
more than 400 firms, some of which say they specialize in health or medical
data. Dixon, who
was not involved in the Duke research, said she hoped the findings and the
Supreme Court
ruling would serve as a wake-up call for how this data could lead to real-world
risks.
"There are literally millions of women for whom the consequences of information
bartered,
trade and sold about aspects of their health can have criminal consequences,"
she said. "It
is not theoretical. It is right here, right now.