
How private is your health and mental health data? How to protect yourself.

(@jeanne-mayell)
Illustrious Member Admin
Joined: 8 years ago
Posts: 7969
Topic starter  

I started this thread after reading about a study released Monday showing that companies are now selling people's health and mental data to anyone willing to pay.

People think they are protected with HIPAA? But HIPAA only applies to doctors' offices, hospitals and "other covered entities." It doesn't apply to apps you might use, and, says the study, to telehealth visits.

I had many unanswered questions about this issue, and thought that this thread might help anyone concerned about this to share what they know. 

According to WAPO, "In a study published Monday, a research team at Duke University’s Sanford School of Public Policy outlines how expansive the market for people’s health data has become...

"After contacting data brokers to ask what kinds of mental health information she could buy, researcher Joanne Kim reported that she ultimately found 11 companies willing to sell bundles of data that included information on what antidepressants people were taking, whether they struggled with insomnia or attention issues, and details on other medical ailments, including Alzheimer’s disease or bladder-control difficulties.

...brokers offered personally identifiable data featuring names, addresses and incomes, with one data-broker sales representative pointing to lists named “Anxiety Sufferers” and “Consumers With Clinical Depression in the United States.” Some even offered a sample spreadsheet."

Now for Sale: Data on your mental health

Clearly we need more information to know how to keep our health data private. For example, are pharmacies covered by HIPAA? What about telehealth services? Telehealth may not be covered, according to the article. While googling around, I noticed you can get an app for your phone to remind you to take your meds. That service is definitely not covered by HIPAA and can be sold to people with your name on it. Any surveys you fill out are not private.

I'd like to understand this better so I can warn people.

This data could be used against people involved in custody suits, conflicts with employers or even employer screenings, or just someone who is curious about someone.

Anyone know more about this? 


   
Isabelle, DayDreamMoonlight, Maggieci and 1 people reacted
(@lovendures)
Illustrious Member Moderator
Joined: 6 years ago
Posts: 4500
 

@jeanne-mayell 

Well, some of this doesn't surprise me but other parts are actually rather shocking.  I can't believe pharmacies can sell your info nor can I believe telemedicine as well.  And with your name and contact information.  Disgusting. 


   
Jeanne Mayell, raincloud, Maggieci and 1 people reacted
(@jeanne-mayell)
Illustrious Member Admin
Joined: 8 years ago
Posts: 7969
Topic starter  

@lovendures It appears, after research, that pharmacies are covered by HIPAA. There are nevertheless many entities, according to the article I linked above, that are not covered and therefore will sell your information. I'd like a list of those.

https://www.hipaajournal.com/hipaa-compliance-for-pharmacies/


   
Lauren reacted
(@marigold)
Noble Member Registered
Joined: 3 years ago
Posts: 149
 

 

@lovendures @jeannemayell

A cursory look via Google produced the same information and the issue seems complex and massive and only now beginning to be addressed.  Here's again the Kim study that came out this month on mental health data.

Sources of the data include apps that people use to track their health/mental health as well as apps for purchasing meds, and most or all of these things are not protected by HIPAA. The health app that came with my phone suggests that I enter all kinds of medical information in it and I can't imagine that HIPAA applies to Apple. 

Then there is the business of health care organizations including hospitals de-identifying HIPAA protected patient data, aggregating it, and selling it to people/organizations doing medical research. An article from 2021 goes into it here in The Verge. No need for patients to give permission for their data to be included. Of note: this data can apparently be re-identified and re-used in different and sometimes nefarious ways.

Bottom line I guess we might should assume probably nothing is truly private. Before computers, I once worked with someone whose relative got a job in medical records with the main health care provider in a small town. The first thing she did on the job was to look up and read the paper records of everyone she knew.

 

 

 


   
Vesta, Maggieci, Jeanne Mayell and 1 people reacted
(@jeanne-mayell)
Illustrious Member Admin
Joined: 8 years ago
Posts: 7969
Topic starter  

@marigold I went to my Fitbit app that tracks a ton of health data. Even if you don't fill out their health questionnaire when you set up the app, Fitbit still tracks your sleep, pulse, daily exercise and anything you have asked it to track for you. Upon inquiry, I discovered that you can tell the app to keep your information private.

What irks me is that Fitbit never once tells you that your information is not at all private unless you figure out that you might need to do so.

Apple, on the other hand, claims to be HIPAA compliant. But it's unclear to me what part of the health data is protected and whether there are parts that are not protected.

The relationship between HIPAA and health apps is a changing landscape. I spent some time reviewing articles I found about it, but it was too complex and in flux for me to understand it yet. In 2021, the New York Times reported on the problem, saying there were no safeguards. The feds were at the time trying to rewrite the rules.

 


   
Lauren and Maggieci reacted
(@jeanne-mayell)
Illustrious Member Admin
Joined: 8 years ago
Posts: 7969
Topic starter  

This NY Times story from April 2022 has advice for the layperson for securing your online data, both health and financial. They say to go to privacy settings and make your data private, and set up two-factor authorization. The article is part of a series devoted to helping laypeople keep their data secure.

I broadened this whole thread to include financial data security when I read their article about issues with securing financial data. They recommend:

  • Add two-factor authentication to all financial accounts.
  • Freeze your credit to prevent thieves from opening accounts with your information; or enable fraud alerts.
  • Use virtual credit cards when possible to prevent skimming and other physical means of scanning your cards in public places.

To secure health data:

  • Enable two-factor authentication for any service that supports it.
  • Tweak privacy and sharing settings in Apple Health, Fitbit, Google Fit, Garmin Connect, Peloton, Runkeeper, and Strava.

https://www.nytimes.com/wirecutter/guides/simple-online-security-secure-your-sensitive-data/

I know there is sometimes a paywall, so perhaps someone here has a free article somewhere.

 


   
deetoo, DayDreamMoonlight, Lauren and 2 people reacted
(@jaidy)
Noble Member Registered
Joined: 6 years ago
Posts: 192
 

This is a lot of research, thank you for sharing and helping raise the issue. I’d really like government to take this off our hands because I know so many people for whom managing any type of online data is above their skill set. We need to protect all citizens, not just those who are internet savvy.


   
deetoo, DayDreamMoonlight, Lauren and 2 people reacted
(@daydreammoonlight)
Estimable Member Registered
Joined: 2 years ago
Posts: 19
 

Thank you for this thread. The college I went to was hacked into and everyone's credit card data was sold on the dark web. My life was really affected by cyber hacking in the past two years. I have learned a lot from this process. Many places do not have the proper security in place and do not know what to do when information is breached and sold.

Most institutions and governments do not have adequate understanding of technology, nor do individuals have the ability to give informed consent for what is occurring on most levels of data collection. A lot of companies that have true understanding of what is going on are making billions off of our personal lives because laws have not kept up. 

This is an article on ways that people can push the Government to regulate data. "The EFF is currently pushing the My Body, My Data Act, which would protect personal health care data related to reproductive rights. You can learn how to take action to support this act on the EFF’s website (https://act.eff.org/action/pass-the-my-body-my-data-act)."

https://www.wired.com/story/how-to-advocate-your-tech-privacy/

It is very important that these regulations go through the United States soon as some of the biggest collectors and sellers of data are through American companies (Google (Alphabet), Facebook (Meta), and Amazon). Europe has passed some laws surrounding AI and data collection recently that could be a benchmark for other countries.

I've tried to speak to the Canadian Government to protect children's rights surrounding data collection through technology but I found that so far it has fallen on deaf ears. I have noticed some admirable laws protecting kids coming through at a State level in the US:

https://www.bbc.com/news/world-us-canada-65060733

and evidence that the European Commission is taking it seriously:

https://www.politico.eu/article/breton-commission-to-go-after-amazon-spotify-apple-for-violating-the-digital-services-act/

I feel pretty passionately about this topic and appreciate the resources you have posted!


   
deetoo, Vesta, DannyBoy and 2 people reacted
(@westie)
Trusted Member Registered
Joined: 5 years ago
Posts: 12
 

Hi everyone - My spouse works in cyber crime, and I can assure you that nothing is private anymore. EFF is a nice organization, but very naive. We know some of the folks who work there. Very academic think-tank, not very real world. But it's probably a good thing we have smart idealists working on high-minded solutions. In my own experience, I was told by health care team members to connect a device to my smart phone so I could easily upload and share data with the health care team in the cloud. You wouldn't believe the amount of eye rolling I got when I told them my spouse works in cyberlaw, and how I wouldn't be doing that. Jeanne is correct that no one is thinking about this issue, and we may have already lost the window of opportunity. However, my neighbor used to work for a data mining company. A couple of years ago, she told me the data is there, but no one knows how to use it yet/monetize it yet. The "Gattaca" plot line is developing in our lifetime!


   
JourneyWithMe2, deetoo, Maggieci and 2 people reacted
(@tgraf66)
Illustrious Member Registered
Joined: 4 years ago
Posts: 951
 

@westie I have followed cybersecurity since its infancy, and from all I've learned, I can confidently state that there has been no such thing as online privacy since Windows 98.


   
Lauren, JourneyWithMe2, deetoo and 2 people reacted
(@journeywithme2)
Illustrious Member Registered
Joined: 4 years ago
Posts: 1969
 

It's all there ... and most times? The info found when you research your own self? For example? You'll find many sites with your name, addresses, current and previous, relatives with identifying faces, names, connections and more. Nothing and I do mean nothing ... is not out there to find at the touch of our fingers on the keyboard. There are people whose livelihood it is to track all this "online chatter" and governmental agencies that have reams of info about everyday citizens ... of many countries. AI, Facial recognition, Big Brother government? Is already here and in use. Brave new world indeed. One of the top 100 of the most banned books ever.
One of the most important reasons to save our Democracies... and ... to foster teaching to think in education once more. Truly... a lot sways in the balance. Everything ... has the power to be to the greater good... or used by the few for the worst imaginable reasons. 


   
Lauren reacted