The Exchange of Our Most Sensitive Data and What It Means for Personal Privacy
This report includes findings from a two-month-long study of data brokers and data on U.S. individuals’ mental health conditions. The report aims to make more transparent the data broker industry and its processes for selling and exchanging mental health data about depressed and anxious individuals. The research is critical as more depressed and anxious individuals utilize personal devices and software-based health-tracking applications (many of which are not protected by the Health Insurance Portability and Accountability Act), often unknowingly putting their sensitive mental health data at risk. This report finds that the industry appears to lack a set of best practices for handling individuals’ mental health data, particularly in the areas of privacy and buyer vetting. It finds that there are data brokers which advertise and are willing and able to sell data concerning Americans’ highly sensitive mental health information. It concludes by arguing that the largely unregulated and black-box nature of the data broker industry, its buying and selling of sensitive mental health data, and the lack of clear consumer privacy protections in the U.S. necessitate a comprehensive federal privacy law or, at the very least, an expansion of HIPAA’s privacy protections alongside bans on the sale of mental health data on the open market.
Key Findings:
- Some data brokers are marketing highly sensitive data on individuals’ mental health conditions on the open market, with seemingly minimal vetting of customers and seemingly few controls on the use of purchased data.
- 26 of the 37 contacted data brokers responded to inquiries about mental health data, and 11 firms were ultimately willing and able to sell the requested mental health data.
- Whether this data will be deidentified or aggregated is also often unclear, and many of the studied data brokers at least seem to imply that they have the capabilities to provide identifiable data.
- The 10 most engaged data brokers asked about the purpose of the purchase and the intended use cases for the data; however, after receiving that information (verbally or in writing) from the author, those companies did not appear to have additional controls for client management, and there was no indication in emails and phone calls that they had conducted separate background checks to corroborate the author’s (non-deceptive) statements.
- The 10 most engaged brokers advertised highly sensitive mental health data on Americans including data on those with depression, attention disorder, insomnia, anxiety, ADHD, and bipolar disorder as well as data on ethnicity, age, gender, zip code, religion, children in the home, marital status, net worth, credit score, date of birth, and single parent status.
- Pricing for mental health information varied: one data broker charged $275 for 5,000 aggregated counts of Americans’ mental health records, while other firms charged upwards of $75,000 or $100,000 a year for subscription/licensing access to data that included information on individuals’ mental health conditions.
- One company that the author was in contact with depicted their firm as an advertising tech firm. The sales representative offered to ask their manager about coordinating a data deal on information from organizations they advertise for on behalf of the author.
- Data broker 1 emphasized that the requested data on individuals’ mental health conditions was “extremely restricted” and that their team would need more information on intended use cases—yet continued to send a sample of aggregated, deidentified data counts.
- After data broker 1 confirmed that the author was not part of a marketing entity, the sales representative said that as long as the author did not contact the individuals in the dataset, the author could use the data freely.
- Data broker 2 implied they may have fully identified patient data, but said they were unable to share this individual-level data due to HIPAA compliance concerns. Instead, the sales representative offered to aggregate the data of interest in a deidentified form.
- Data broker 4 was the most willing to sell data on depressed and anxious individuals at the author’s budget price of $2,500 and stated no apparent, restrictive data-use limitations post-purchase.
- Data broker 4 advertised highly sensitive mental health data to the author, including names and postal addresses of individuals with depression, bipolar disorder, anxiety issues, panic disorder, cancer, PTSD, OCD, and personality disorder, as well as individuals who have had strokes and data on those people’s races and ethnicities.
- Two data brokers, data broker 6 and data broker 9, mentioned nondisclosure agreements (NDAs) in their communications, and data broker 9 indicated that signing an NDA was a prerequisite for obtaining access to information on the data it sells.
- Data broker 8 often made unsolicited calls to the author’s personal cell. If the author was delayed in responding to an email from data broker 8, the frequency of calls seemed to increase.
- Some brokers imposed data use limitations on the possible sale of people’s mental health information, ranging from “single-use” (which usually pertains to mailing purposes) to “multi-use” (which means the dataset is available for one year after purchase) based on the firm and the product purchased.
- Based on an evaluation of privacy policies, data brokers seem collectively less willing to provide access and disclosure to their customers and users about the collection or correction of personal data.
By: Joanne Kim