Sensitive mental health data is for sale by little-known data brokers, at times for a few hundred dollars and with little effort to hide personal information such as names and addresses, according to research released Monday.
The research, conducted over two months at Duke University’s Sanford School of Public Policy, which studies the ecosystem of companies buying and selling personal data, consisted of asking 37 data brokers for bulk data on people’s mental health. Eleven of them agreed to sell information that identified people by issues, including depression, anxiety and bipolar disorder, and often sorted them by demographic information such as age, race, credit score and location.
The researchers did not buy the data, but in many cases received free samples to prove that the broker was legitimate, a common industry practice. The study doesn’t name the data brokers.
Some of the brokers were particularly cavalier with sensitive data. One made no demands on how information it sold was used and advertised that it could offer names and addresses of people with “depression, bipolar disorder, anxiety issues, panic disorder, cancer, post-traumatic stress disorder, obsessive-compulsive disorder and personality disorder, as well as individuals who have had strokes and data on their races and ethnicities,” the report found.
“[T]he industry appears to lack a set of best practices for handling individuals’ mental health data, particularly in the areas of privacy and buyer vetting,” the report found.
While prices for rented and sold mental health records varied widely, some firms offered them for cheap, as low as $275 for information on 5,000 people.
Use of apps that offer counseling and other mental health services was already on the rise before the Covid pandemic broke out. In April 2020, the Food and Drug Administration eased its recommendations against unvetted mental health apps, given the combination of people’s stress from the pandemic and a push for remote health care.
Data brokers, which deal in the buying, repackaging and selling of people’s identifying information and details about them, have grown into a thriving but shadowy industry. Companies in the industry are rarely household names and often say little publicly about their business practices.
Congress has failed so far to pass significant legislation on the industry, which spends millions on lobbying.
Unlike some countries, the U.S. has no overarching privacy law that protects most people’s private and personal information from being bought and sold. Some medical information can be protected with laws like the Health Insurance Portability and Accountability Act, commonly known as HIPAA. But HIPAA applies only when that information is held by a specific “covered entity,” such as a hospital or certain kind of health care organization.
Justin Sherman, a senior fellow at Duke’s Sanford School of Public Policy who runs its data brokerage project and oversaw the report, said other entities that store health data, including most phone apps, aren’t regulated through HIPAA, leaving data brokers with a number of options to legally purchase such data.
“People assume HIPAA covers all kinds of health data everywhere. And that is not true,” he said.
“There are many, many places where this data could have come from, because so many entities are not covered by HIPAA’s health data sharing constraints,” Sherman said.
While the report doesn’t delve into how the brokers acquired that mental health information in the first place, a Consumer Reports investigation in 2021 found that some popular mental health apps were sharing users’ data with advertising companies, including Facebook.
A spokesperson for Meta, Facebook’s parent company, said in an email: “Advertisers should not send sensitive information about people through our Business Tools. Doing so is against our policies and we educate advertisers on properly setting up Business tools to prevent this from occurring. Our system is designed to filter out potentially sensitive data it is able to detect.”
Pam Dixon, the executive director of World Privacy Forum, a nonprofit group that works to improve privacy protections nationally and globally, said that confusing laws around health care privacy make it practically impossible for a person to navigate the health information that can be expected to remain private.
“There is mass consumer confusion about when our health records are protected by health privacy law or not,” she said. “It’d be almost impossible for the average person who’s not a privacy attorney to know if a website’s protected by HIPAA or not.”
Dixon cautioned against concluding that information about mental health was more widely traded than other personal information and said the data brokerage industry is out of control.
“There’s no possible way at this point in time that a human being, if they wanted to, could opt out of all the data broker activity in the world,” she said.
“Remember, someone is buying this data, or there would not be a business model for it,” she said.