Incognito — August 2022: Your Health Data is for Sale

Welcome to the August 2022 issue of Incognito, a monthly newsletter from DeleteMe that keeps you posted on all things privacy and security.

Here’s what we’re talking about this month:

• Your health data. How is it being used, and who profits from it? 
• Recommended reads including “Contact Details of 5.4M Twitter Users for Sale.”
• Q&A: Is there a way to determine how “dodgy” a product/service is in terms of privacy?

Know someone who could benefit from proactive privacy protection? Refer them to DeleteMe—they get a 20% discount and you get a $50 Amazon gift card if they sign up. 

If you know someone who might enjoy learning more about data privacy, feel free to forward them this newsletter or refer a friend to DeleteMe to earn a $50 Amazon Gift Card.

The end of Roe vs. Wade might have heightened health data privacy concerns, but the truth is that your health data has always been abused. 

How Roe vs. Wade Put a Spotlight on Health Data Privacy

On June 24th, 2022, the Supreme Court overruled Roe vs. Wade, a landmark 1973 decision that affirmed a federal right to abortion in the US. As some states moved to ban abortion, healthcare data privacy was all anyone could talk about. 

Whether through subpoenaing period tracker app data or buying location information via data brokers, the fear emerged that sensitive medical data could be used to identify pregnant people seeking termination. 

• As a result, many people deleted their period tracking apps or switched to more private alternatives. 
• Tech companies rushed to adjust their data privacy practices. Google, for example, announced it would delete records of users visiting sensitive locations like abortion clinics. 
• Congress launched an investigation into data brokers and apps and whether the information they collect and sell could be used against abortion seekers and providers. 

For obvious reasons, most conversations right now regarding health data privacy tend to focus on reproductive health. However, it’s important to remember that the (relatively) easy availability of other types of health-related data can expose us to increased risk, as well. 

Your Health Data Has Never Been Private

“Guess What? HIPAA Isn’t a Medical Privacy Law,” writes Consumer Reports, dispelling the idea that the Health Insurance Portability and Accountability Act protects our sensitive health data. In reality, what it does is give us a false sense of security. 

HIPAA and other privacy laws restrict entities like healthcare providers and hospitals from sharing sensitive medical data with third parties. That is, unless they are served with a warrant or subpoena OR remove all identifying information from datasets before selling them. But even de-identified data can be re-identified. 

HIPAA also does not extend to data brokers, digital health platforms, apps, search engines, ISPs, etc. This means there is a swathe of companies legally collecting and selling your health information. 

For example, mental health apps, health websites, and pharmacy coupon and deal finder apps have been found to share sensitive user data with advertisers and data analytics companies. This data can include usernames, health diary entries, self-reports about substance abuse, symptoms, medical diagnoses, and the names of medications people are looking to buy.  

Similarly, data brokers sell lists of people with HIV/AIDS, cancer, “and hundreds of other illnesses,” according to the World Privacy Forum, placing individuals in categories like “Diabetes Interest” and “Cholesterol Focus.” 

What Does Your Commute Time Have to Do With Your Health?

Even apps and products that appear to have nothing to do with health can give third parties insight into your wellbeing. 

Things like how long your commute takes or what your diet looks like could reveal more about your health than your genetic makeup or blood work, says Eric Perakslis, Chief Science and Digital Officer at the Duke Clinical Research Institute. 

For instance, setting your thermostat to very low could let a third party figure out that you’re menopausal. On the other hand, your clothing size coupled with the food you buy and the TV channels you watch could indicate to someone that you’re overweight. 

Your Health Data Is Valuable 

“There’s money that’s on the table, hundreds of millions, billions of dollars a year in aggregate, in potential advertising dollars,” said Jeff Greenfield, co-founder of the advertising attribution firm C3 Metrics about data on people with health conditions like high cholesterol or diabetes. 

However, it’s not just targeted health-related ads you need to worry about. The easy accessibility of your health data has also meant that some companies are now selling “risk scores” to doctors and insurers.

• Meant to make it easier for doctors to make decisions regarding your risk of opioid addiction or overdose, risk scores can also lead to some patients getting blacklisted and others getting too much or not enough medical attention. 
• In some cases, risk scores may not be accurate. 

Insurers can also use risk scores and other health-related data to guess the likelihood that you’ll develop a specific illness and raise your insurance rate or refuse to cover you at all. 

Scammers are another problem. Data brokers have already been caught selling data on elderly Americans to criminals who want to carry out elder fraud. There’s nothing stopping malicious individuals from buying lists of people with Alzheimer’s or dementia to con them out of their life savings. 

How to Protect Your Health Data

Here are some things you can do to safeguard your medical data: 

1. Use a VPN or TOR browser for sensitive health-related searches. Remember: Incognito mode is not actually private. 
2. Don’t use public WiFi to access personal data.
3. Avoid sharing medical information online or with apps. If you do, always research a company’s privacy policies and enable as many privacy settings as possible. 
4. Disable cross-app tracking and personalized ads. This can help stop information you share with one app from being correlated with data from another app.
5. Turn off your mobile advertising ID. This will make it harder for data brokers and advertisers to profile you. 
6. Opt out of data brokers and people search databases. 

Unfortunately, cutting off third-party access to your health data completely isn’t realistic. Although you can potentially minimize the amount of health data exposed, the rules need to change on a national level. 

Recommended Reads

Our recent favorites to keep you up to date in today’s digital privacy landscape.  

Contact Details of 5.4M Twitter Users for Sale

Twitter suffered a data breach that exposed the contact information (phone numbers, emails) of 5.4 million users. The hacker, who used a vulnerability that has since been fixed, listed an ad for stolen information on a hacker forum for $30,000. According to the hacker, the exposed users include celebrities, companies, and random members.

Amazon Shared Ring Videos with Law Enforcement

Amazon gave law enforcement bodies access to Ring doorbell video footage 11 times so far in 2022. Crucially, this was done without the owners’ knowledge or consent. Ring has previously said it doesn’t share data with law enforcement without a warrant, user permission, or “exigent or emergency.” The 11 videos shared apparently fell under the emergency provision.

T-Mobile Agrees to Pay Customers $350M After a Cyberattack

T-Mobile has settled to pay $350 million to US customers impacted by a class action lawsuit over a 2021 cyber attack. The attack, which affected close to 80 million individuals, resulted in customer data being stolen, including their names, Social Security numbers, and Driver’s Licence information. The settlement is preliminary and still needs the judge’s approval.

Federal Privacy Legislation Passes the Committee Stage 

The American Data Privacy and Protection Act (ADPPA) was advanced by the House Energy and Commerce in a 53-2 bipartisan vote. The bill is now eligible for full House consideration. The provisions in the recently amended bill include data minimization, anti-discrimination rules, transparency standards, better data broker oversight, and new cybersecurity requirements. 

You Asked, We Answered

Here are some of the questions our readers asked us last month.

Q: A few years ago, I deleted some of my social media accounts, i.e., Facebook, Twitter, etc. But now I’m paranoid that it’s still possible for someone to find my old posts. 

A: Your paranoia is totally justifiable. Even if you deleted your social media accounts, the information you shared could still be out there. 

To start with, your social media profiles were more than likely scraped by data brokers before you closed your accounts. That means that whatever was on your profiles—i.e., your full name, links to personal/professional websites, photos and videos, and posts with your thoughts/feelings—now probably live on multiple data broker databases, waiting to be purchased by advertising agencies, insurance companies, etc. Opting out of data brokers solves this problem. 

However, some of your posts or comments may have been screenshotted by other people. If these screenshots exist, you, unfortunately, don’t have any control over them. Anyone could make them public at any time. 

There are also websites that automatically save and archive content on the web, including public social media posts. So even if you deleted your accounts, all or some of your posts might still be findable—especially if someone has a link to them. 

Lastly, if any of the social media platforms you were on were breached, some of your information could have ended up with cybercriminals or on the dark web. 

In its Privacy Policy, Twitter warns users: “Remember public content can exist elsewhere even after you remove it from Twitter. For example, search engines and other third parties may retain copies of your Tweets longer, based upon their own privacy policies, even after they are deleted or expire on Twitter.”

Q: Is there a way to determine how “dodgy” a product/service is in terms of privacy?

A: The best way to find out how private a product/service is is to read its Privacy Policy and Terms of Conditions. 

But considering that these are almost always really, really long (and often very complicated), resources like Terms of Service; Didn’t Read, and Mozilla Foundation’s *privacy not included can be an enormous help. 

Back to You

We’d love to hear your thoughts about all things data privacy.

Get in touch with us. We love getting emails from our readers (or tweet us @DeleteMe).

Share Incognito with friends. If you know someone who might enjoy learning more about data privacy, feel free to forward them this newsletter. If you’d like to subscribe to the newsletter, use this link.

Let us know. Are you worried about the privacy of your health data? Are there any specific data privacy topics you’d like us to explore in the upcoming issues of Incognito? 

That’s it for this issue of Incognito! Stay safe and we’ll see you in your inbox next month.