There are mental health data brokers; this is the reality.
Your health data is out there. This isn’t a maybe. It’s been confirmed by researchers who have themselves dealt with data brokers. This has been known for a while.
Data broker 4 advertised highly sensitive mental health data to the author, including names and postal addresses of individuals with depression, bipolar disorder, anxiety issues, panic disorder, cancer, PTSD, OCD, and personality disorder, as well as individuals who have had strokes and data on those people’s races and ethnicities. Two data brokers, data broker 6 and data broker 9, mentioned nondisclosure agreements (NDAs) in their communications, and data broker 9 indicated that signing an NDA was a prerequisite for obtaining access to information on the data it sells.
I’ve mentioned this before, but I feel like this is worth highlighting specifically because I heard someone on a podcast recently pondering whether even healthcare information is out there. And yes, it absolutely is out there — being bought and sold — it’s out there.
Strangely, it’s illegal for healthcare companies to disclose healthcare data without permission, it’s illegal for them to sell it, and it’s illegal to steal healthcare data — but it’s apparently not illegal to buy and sell already stolen healthcare data.
While it seems that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) should protect people against this type of invasion, it doesn’t. “Just because ‘privacy’ is in the name, it’s wrong to think of it as a law that keeps data private,” said Gilmore. “[Data] brokers are not regulated entities under HIPAA. There is not a law that regulates data brokers. If they collect and purchase health information about people, they can do with it what they want.” HIPAA has no impact on private use of information that is voluntarily handed over in commercial transactions or other sources, he added. The U.S. Department of Health and Human Services states that HIPAA applies to health plans, healthcare clearinghouses, and healthcare providers who conduct certain healthcare transactions electronically.
I’m not even clear on whether there’s a law that stops the tech companies working for the healthcare companies from selling the data. I don’t know if HIPAA considers a tech company to be covered under this at all. One might assume the healthcare companies that employ tech companies would hold them to some kind of NDA (Non-Disclosure Agreement), but I wouldn’t even count on that. It seems like companies are more likely to have NDAs to cover up lawbreaking, thwart whistleblowers, and hide gross sexual misconduct, and not so much to protect the interests of the people the business supposedly serves. For example, the data brokers selling the data require the data buyers to sign NDAs. It sure sounds like getting the data might reveal the means by which they came by the data, and perhaps they are treating that knowledge as “proprietary.” It’s very likely that much of this data has been retrieved via unlawful data breaches, so I imagine data brokers might want to guard against any evidence of crime in the chain of custody getting out. I’m not sure if selling stolen data would be covered by stolen property law, but at a minimum I imagine it would likely bring unwanted scrutiny upon them.
Even if the healthcare systems and the tech companies that handle their computer systems aren’t selling the data, or voluntarily handing it over to anyone, they aren’t exactly careful with the data when it comes to cybersecurity. I have had multiple notifications of my personal information being accessed in healthcare system cyber breaches across multiple healthcare systems in 2 different countries. A lot of people I know have said they’ve received these letters too, so it sure seems common.
So I assume all my healthcare data, including mental healthcare data, is available and may be used at any time for reasons ranging from targeted marketing to nefarious attacks.
The U.S. is actually pretty notorious for having little in the way of data privacy law. It’s apparently assumed that Americans culturally like our data being used against us for commercial purposes, and in fact that our culture is one in which Americans think commercial interests are of higher importance than any right to privacy.
In contrast, the US has traditionally taken a more hands-off approach that favors the companies that collect and use personal data. The use of personal data for commercial purposes exceeds the importance of data privacy. Recent years have seen the mindset somewhat shifting towards better protecting individuals as data breaches continue to cause havoc, but the underlying cultural differences will take more time to dissolve and bring the US in fuller alignment with the EU’s mindset and laws.
If you’re an American who doesn’t agree with that assessment, perhaps it’s time for you to speak up. Because it doesn’t have to be this way.
“In developing regulations the EPA was directed to weigh only one concern: public health. The costs to industry were explicitly deemed irrelevant.”
— Jane Mayer, Dark Money. January 2016