American’s mental health data is on the market
Digital tools like virtual therapy and meditation apps have made mental health care more accessible. But they’ve made data about the people using them more accessible too.
That’s what Joanne Kim found while conducting research as an undergraduate student at Duke University. The final report was published in February.
During her study, Kim identified 11 data broker firms willing and able to sell highly sensitive mental health data to her. Marketplace’s Meghan McCarty Carino spoke with Justin Sherman, a senior fellow at Duke’s Sanford School of Public Policy who helped oversee the study, about how this data ends up on the market.
The following is an edited transcript of their conversation.
Justin Sherman: Most of us might use a website or an app to make an appointment with a therapist or to go to an urgent clinic if we have a sore throat, for example. The reality, unfortunately, is that a lot of that health data is not protected. The Health Insurance Portability and Accountability Act, which people refer to as the U.S. health privacy law, is almost 30 years old, and lot of these technologies that are around today were not in existence back then or were not as prevalent back then. So, there are some entities covered by HIPAA like a hospital’s emergency department. If you go in with something, they can’t tweet it out and they can’t sell that information on the street corner. But there are plenty of apps, data brokers, social media companies and ad tech firms who are not covered by HIPAA. So you might use an app or a company thinking that your health data is safe, when in reality, they can turn around and completely legally sell that data on the open market.
Meghan McCarty Carino: Tell me about the types of data that were available through these data brokers.
Sherman: There is a huge amount of health-related information available for sale. Some companies were offering what we call aggregated data, so there wouldn’t be names or emails or anything in the data set. Instead, it might be a series of ZIP codes and numbers of people with certain mental health conditions. Other companies offered data that was linked to individual people sometimes by name. That data spanned everything from people with depression, anxiety, obsessive-compulsive disorder and bipolar disorder to even people who had suffered strokes along with other information like race and ethnicity and whether there are children in the home. That is really disturbing, and it also builds out a surveillance profile on that particular person.
McCarty Carino: What do we know about who is buying this data and how they’re using it?
Sherman: Data brokers broadly form a multibillion-dollar market in the U.S., and there’s a huge appetite across all kinds of companies for buying this kind of data. Sometimes that’s doing market research or sometimes that’s to run ads or to profile consumers. In the health data space, there has been some reporting about health insurance companies buying this information. There was a great ProPublica story a few years ago about companies buying up Americans’ health conditions, including data on race and education level. This raises all kinds of questions about what these companies are doing with that data. Most of us have no reasonable expectation that when we use a health app or website, that they’re going to sell the data. You just assume that they’re protected under health privacy law. Again, there’s that gap and that misconception. Companies exploit that in order to sell data to insurance firms and others who want this information.
McCarty Carino: What shocked you the most about what you all found in this research?
Sherman: Two things. One is the cost of the data. The reality is, it’s not that expensive. You can spend a few hundred dollars to get lists of names with thousands of people in it. The other thing that I found interesting and disturbing is the lack of vetting from many of these brokers. Some brokers would ask [Kim, the buyer] a couple of initial questions but wouldn’t do a background check. They wouldn’t necessarily make you hop on the phone to explain what was happening. There was even one broker who said this is really sensitive information and mental health data is really sensitive, we need to take a pause and we need to look into you further. But then they continued to send data samples anyway.
McCarty Carino: There has been all of this talk recently within the U.S. government about concerns over TikTok and data privacy, while something like this is completely legal and potentially very disturbing to a lot of users. What do you make of that disconnect?
Sherman: It’s a huge disconnect. A lot of policymakers will say things like, “If we ban TikTok, then we’ve protected our data from the Chinese government.” The reality is that that is a laughably false statement. There is so much information available for acquisition and for scraping and for purchase via data brokers out there. There’s Americans’ GPS data, political data, health data, data on veterans, data on children and students and government employees. When we talk about how we can better protect Americans’ data, we can’t overlook these companies who make millions and billions of dollars off of selling people’s data on the open market.
McCarty Carino: What can be done about this?
Sherman: This is the hard question. If you are a consumer who’s concerned about this, there are some little steps you could potentially take. For example, in California, under the state privacy laws, you can contact some data brokers to tell them to stop selling your data. The unfortunate part is that those laws are narrow, and for a consumer, that’s a huge burden. Not only would you have to sit there and fill out all these forms, you also have to know who these companies are in the first place. If you don’t know your data is being sold by somebody, how would you even know to contact them? The reality is that we really need more regulatory action here. Part of it can be driven by the Federal Trade Commission. They sued a data broker called Kochava last August for selling people’s identifiable location data on the open market. They also just went after GoodRx, the prescription services company with millions of American users, for sharing people’s health conditions with Facebook and Google and other companies. So, there is space for an agency like the FTC to step in, but at the end of the day, if you want to make these underlying practices illegal, there needs to be new legislation. Democrats and Republicans agreed almost 30 years ago that Americans need their health data privacy protected, and so the real long-term answer is to pass new legislation that updates those protections for the digital age.
Related links: More insight from Meghan McCarty Carino
Last fall, Marketplace looked into the issue of what HIPAA does and does not protect when it comes to health apps, and — spoiler — it’s not much.
Sherman mentioned a ProPublica investigation about health insurance companies using personal data on buyers to adjust their rates. That report found that it’s actually not just health data being bought and sold. Characteristics like race, marital status, what you order online, and even how much time you spend watching TV could potentially inform insurers’ decisions.
Finally, there was an action from the Federal Trade Commission on a related matter. In early March, the FTC reached a proposed settlement with the online therapy service BetterHelp over its alleged practice of sharing user data with third parties.
The FTC proposed that BetterHelp pay $7.8 million to users for what it deems misleading assurances that their data would remain private and that it be barred from sharing consumer data for advertising.
BetterHelp has not admitted wrongdoing and says its practices are standard in its industry.
The future of this podcast starts with you.
Every day, the “Marketplace Tech” team demystifies the digital economy with stories that explore more than just Big Tech. We’re committed to covering topics that matter to you and the world around us, diving deep into how technology intersects with climate change, inequity, and disinformation.
As part of a nonprofit newsroom, we’re counting on listeners like you to keep this public service paywall-free and available to all.
Support “Marketplace Tech” in any amount today and become a partner in our mission.