Mental Health Data is For Sale
Privacy Plus+
Privacy, Technology and Perspective
Mental Health Data is For Sale. This week, let’s look at an alarming study published by the Duke University Sanford School of Public Policy’s Cyber Policy Program on data brokers’ sale of Americans’ mental health data. Here, we’ll also consider several recent and relevant actions by the Federal Trade Commission (FTC).
Perhaps you’re one of the 20% of Americans who report suffering from a mental illness every year? Or maybe you are one of the 42% of Americans who reported symptoms of depression and anxiety at the height of the pandemic? Maybe you’re one of the scores of millions of Americans who have taken Prozac? Certainly, you’ve seen the HIPAA notices in the doctors’ offices, filled out the lengthy forms and struggled through the procedures for medical privacy, and you’re fairly confident that at least that corner of your life is private. Right?
The Root of the Problem: Sadly, wrong – at least in an important part. True, under HIPAA, personal medical information is (or at least is required to be) private in the hands of HIPAA’s “covered entities” – hospitals, providers, health information exchanges, etc. But HIPAA does not apply to entities that do not take insurance, including the myriad of new actors and technologies that have sprung up in the generation since HIPAA was enacted, and particularly not to many of the “telehealth” apps, wearables, software application alternatives and other technologies that seem to have doubled just during the pandemic.
Sale of Mental Health Data by Data Brokers: A new study out of Duke shows that a huge amount of Americans’ most sensitive mental health data is regularly for sale, outside the scope of HIPAA or, it would seem, any other regulatory involvement. Instead, mental health data is for sale on the open market.
Who, What, and How? A Duke researcher reached out to 34 data brokers whose publicly available descriptions indicated they would sell mental health data. Of the 26 who responded, 11 were willing and able to sell it. The researcher focused her attention on the 10 brokers who most “actively engaged” with her. Prices for the data varied widely, from $275 for 5,000 aggregated record counts, to $75-100,000 for subscriptions to data including information on individuals’ mental health conditions. One even offered to sell data on depressed and anxious individuals “at the author’s budget price of $2,500” – including the names and addresses of people with depression, bipolar disorders, anxiety issues, panic disorders, PTSD, OCD, and much more – with no apparent restrictions on how the data could be used.
The brokers’ policies seem to have varied widely. Some conditioned the sales on various types and levels of use restrictions, while others seem to require none. Some brokers claimed that their data was aggregated and/or anonymized.* Yet, some of those same brokers were selling non-medical information about the same patients that was so detailed it would make re-identifying those same patients a breeze. (In fact, one broker boasted that its users could “source, de-identify, and link patient data in real-time with 10 times greater accuracy than competing platforms.”) There are more specifics to be had, but going into them here would make anyone depressed and anxious.
You may read the complete study published by Duke by clicking on the following link:
* For more on why “anonymization” isn’t what it seems to be, you can review our post, entitled “When Anonymous Isn’t” by clicking on the following link:
https://www.hoschmorris.com/privacy-plus-news/when-anonymous-isnt
Our Thoughts: Some personal data is more sensitive than others, and surely mental health data is among the most personal and sensitive of all. It cries out for protection. We suggest, first, an expansion of federal health laws to expressly address mental health data, regardless of who collects it. Here, we would like to see an outright prohibition on the sale of mental health data—no one should profit from the knowledge of others’ suffering.
But that is only one way. There is another: Under Section 5 of the FTC Act, the FTC is already mandated to protect the public from unfair and deceptive acts and practices. Its message to business already requires robust, accurate privacy notices and determined action to carry them out. We expect most Americans expect their most private, sensitive mental health data to be protected and not subject to this kind of sale and distribution; and so the failure of data brokers and their sources to protect such information, in our view, would violate Americans’ trust in just the kind of way the FTC should address.
The FTC already has the acknowledged its authority to take action to protect mental health data. We have previously written about the FTC’s case against GoodRx for sharing personal health information with third-party advertising companies, like Facebook. You can read more in our post “Bad Privacy Practices at GoodRx?”, available by clicking on the link that follows:
https://www.hoschmorris.com/privacy-plus-news/bad-privacy-practices-at-goodrx
Just this week, the FTC moved to similarly ban online counseling service BetterHelp from sharing such data with Facebook and others for target advertising purposes. Links to its complaint against BetterHelp and the proposed consent order follow:
Complaint:
https://www.ftc.gov/system/files/ftc_gov/pdf/2023169-betterhelp-complaint_.pdf
Proposed Consent Order:
https://www.ftc.gov/system/files/ftc_gov/pdf/202_3169-betterhelp-consent.pdf
Further, the FTC has already filed a lawsuit against a data broker, Kochava, seeking to enjoin its sale of precise geolocation data, which is similarly sensitive. If it manages to enjoin such sales by Kochava, other data brokers may be compelled to rethink their own practices about selling precise geolocation data and other sensitive data. A link to the FTC’s Complaint against Kochava follows:
https://www.ftc.gov/system/files/ftc_gov/pdf/1.%20Complaint.pdf
Regardless of how it happens, the sale of mental health data should stop now.
---
Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.