Business of Well-being

Mental Health Data Theft: What Employers Must Do to Protect Employees

Data Protection

A few weeks ago, reports hit the workplace about how a team of researchers uncovered a large-scale underground market, mining and selling employee mental health data for as low as six cents. What was most shocking was that these data had clear identifiers and the buyers could tell which persons had a certain mental health problem, what treatments they were taking, and how many relapses they had.  

The news has clearly unsettled most employees, who are frantically beginning to sign out of mental health apps and withdraw some of their data that had been stored in digital platforms.  

In today’s workplace, mental health and well-being programs thrive on tech solutions, including mental wellness apps, tele-mental health services, and virtual counselling. Each of these initiatives involves employees volunteering sensitive information about themselves, including their age, home address, mental health conditions, current and past treatments, as well as any comorbidities.  

But with recent revelations, employers are finding out that these platforms may be unsafe to hold these sensitive data.  

Because this is such a sensitive issue, employers and HR managers need to make decisive moves to rebuild trust among the workforce and retain their best people. So what must employers do to protect these sensitive data and prevent breaches?  

Data Policy

Following the recent monumental breaches of employee mental health data, it is important for organizations and managers to rethink their data policies and ensure they are in line with current standards and best practices.  

Reviewing these policies starts with integrating the elements of the Health Insurance Portability and Accountability Act of 1966 (HIPAA), also known as the HIPAA Privacy Rule, into the organization’s data regulatory framework. The goal of the rule is to ensure that individuals’ personal health information is secure while still allowing the data to flow freely to relevant and authorized channels so that high-quality healthcare can be provided and promoted.  

While only a group of organizations, called covered entities (health plans, healthcare providers, healthcare clearinghouses, and business associates), are obliged to adhere to the HIPAA Rule, the principles of the rule form the basis for securing employees’ sensitive information, including mental health data, which is considered protected health information under HIPAA.

A core principle of the Rule is consent. Employees must be allowed to freely consent to releasing their sensitive mental health data, and must be adequately informed about the use, distribution, protection, and handling of such data.  For covered entities under HIPAA, such protected health information can only be disclosed by law to the owners of the data or their representatives and to the Department of Health and Human Services “when it is undertaking a compliance investigation.”

In cases where informal permission from the individual may be needed, such as sharing data for treatment purposes, payment purposes, health oversight activities, or to third parties for other legitimate reasons, the individuals must consent to such use or disclosures, unless consent is not legally required.  

These principles are essential to creating your data policies and rebuilding trust in your organization. You need data to build a healthier workforce; therefore, employers must be transparent about how they handle employee mental health information so that more employees are willing to volunteer their information.  

Employees want to see accountability. They want to see systems and mechanisms in place that show their managers are willing to protect their sensitive information, including their mental health data.  

One way to demonstrate accountability in data privacy is to appoint a data protection officer (DPO) or another designated officer who controls data collection, use, distribution, and sharing, and who is responsible for auditing, review, and external evaluation. Anyone who holds this position must also receive regular training on data protection compliance and must be kept up to date on current local and global legislation and regulation on data privacy.

DPOs or the appropriate personnel report to the highest management level in the organization, receive adequate and appropriate training, and maintain a high degree of independence in handling employee data.  

Further, a key principle of accountability under the HIPAA rule is collecting only the personal information that is needed. In evaluating employees’ mental health concerns, limit data to only what is necessary and store it for only as long as it is needed to fulfill a clearly stated purpose. This limits how much employee data is available at any given time, lowering the risk of data theft.  

Where data is shared with third parties such as payroll providers, external HR firms, or health companies, employers must ensure those agencies are compliant with current data protection regulations and requirements. Data breaches can begin at the weakest link in the data distribution channel, and it is the duty of employers to ensure that all parties with access to employee mental health data have strong data protection policies in line with standard regulation.  

Data Security

It is the responsibility of organizations collecting data to secure it. The data security architecture depends on an organization’s size, the nature of the information processed, and the potential harm any data breach could cause.  

The first step to securing personal health information, such as employee mental health data, is to anonymize it. Anonymization tools, including data encryption models, remove identifiers from data so that health information cannot be linked back to its owner. Employers and DPOs may also leverage data security software that offers malware blocking, advanced phishing detection, and data leak protection.  
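The data-minimization point made earlier (collect only what is needed, keep it only as long as needed) and the anonymization step above can be shown together in one routine. The following is an added example written for this article; it is not code from the article or from any vendor or platform it mentions. The field names, the one-year retention period, the sample records and the key value are all constructed for illustration. It replaces the employee identifier with a keyed HMAC token that cannot be recomputed without a key held by the DPO, generalizes exact age into a ten-year band, drops every field the well-being programme does not need, and refuses to export any record older than the retention limit.

```python
import hashlib
import hmac
from datetime import date
from typing import Optional

# Hypothetical pseudonymisation key held by the DPO (constructed for this example).
# In production it lives in a secrets manager or HSM, separate from the data, never in code.
PSEUDONYM_KEY = b"example-dpo-key-not-for-production"

# Data minimisation: the only raw fields the programme's stated purpose needs.
# Everything else in a raw record (name, home address, counsellor notes) is dropped.
NEEDED_FIELDS = ("condition", "treatment", "relapses")

# Retention limit in days (assumed value for the example).
RETENTION_DAYS = 365


def pseudonymize_id(employee_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Replace the employee identifier with a keyed HMAC-SHA256 token.

    Without the key, a holder of the output cannot reverse the token or recompute
    it from a staff directory, so records cannot be linked back to a named person.
    A plain unkeyed hash would not give that property: short staff IDs are trivial
    to enumerate and hash.
    """
    return hmac.new(key, employee_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def age_band(age: int) -> str:
    """Generalise an exact age into a ten-year band, which is far less identifying."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def deidentify(record: dict, today: date, key: bytes = PSEUDONYM_KEY) -> Optional[dict]:
    """Return a minimised, pseudonymised copy of one record, or None if it is past retention."""
    last_updated = date.fromisoformat(record["last_updated"])
    if (today - last_updated).days > RETENTION_DAYS:
        return None  # past retention: the caller purges it; it must never be exported
    out = {
        "subject": pseudonymize_id(record["employee_id"], key),
        "age_band": age_band(record["age"]),
    }
    for field in NEEDED_FIELDS:
        out[field] = record[field]
    return out


def process_records(records: list, today_iso: str, key: bytes = PSEUDONYM_KEY) -> dict:
    """De-identify a batch and report how many records were dropped for exceeding retention."""
    today = date.fromisoformat(today_iso)
    kept, purged = [], 0
    for rec in records:
        cleaned = deidentify(rec, today, key)
        if cleaned is None:
            purged += 1
        else:
            kept.append(cleaned)
    return {"kept": kept, "purged": purged}


# Constructed sample records for fictional employees; not real data.
SAMPLE_RECORDS = [
    {"employee_id": "E1001", "name": "A. Example", "home_address": "1 Example Street",
     "condition": "generalised anxiety", "treatment": "CBT", "relapses": 1, "age": 34,
     "notes": "free-text counsellor notes", "last_updated": "2024-01-15"},
    {"employee_id": "E1002", "name": "B. Example", "home_address": "2 Example Street",
     "condition": "depression", "treatment": "SSRI", "relapses": 0, "age": 51,
     "notes": "free-text counsellor notes", "last_updated": "2022-06-01"},
]

if __name__ == "__main__":
    import json
    print(json.dumps(process_records(SAMPLE_RECORDS, "2024-03-01"), indent=2))
```

Keyed pseudonymization is reversible by design for whoever holds the key, which is exactly why the key must be stored apart from the de-identified data and under the DPO's control; anyone who obtains only the exported records, as in the underground market described at the top of the article, gets tokens and age bands rather than names and addresses.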

Employers may also leverage blockchain technology, which stores data as highly secured records of transactions in a decentralized network that only designated persons holding the private access key or code can access. One of the advantages of blockchain technology over traditional data storage systems is that the data are immutable and tamper resistant.  

It is important for employers to provide adequate training about data security not only to DPOs and other designated data handlers, but also to all employees. Employees can learn simple data protection practices, such as two-step authentication, to help secure data from their end as well.

Overall, data protection mechanisms must be reviewed and updated regularly to ensure employee personal health information is secured with the most updated architecture.  

Stay Data Protection Compliant

Seeking ways to rebuild employee trust and confidence through data privacy? The Certified Corporate Wellness Specialist program offers you a wide range of resources across several key concepts, including data safety, risk management, and policy design to ensure you meet global standards of data safety. What’s more, the certification demonstrates to your employees, clients, and potential customers that you are committed to aligning with global best practices.  

This corporate wellness training offers a comprehensive approach to rethinking the workplace culture, not only providing a third-party evaluation for your business, but also improving your policies and procedures, rebuilding trust, and giving you a competitive edge in today’s evolving corporate space.  
