It may be time to reconsider signing up to that digital mental health platform as recent investigations have unravelled how vendors and data brokers are selling people’s mental health information and data for as low as six cents.
According to an article first published on the Washington Post, one company advertised the names and home addresses of people living with depression, anxiety, and post-traumatic stress disorder or bipolar disorder, while another company sold an entire database of aggregated mental health records for $275 per 1000 ailment contacts.
For many years, social media platforms and other apps have been in the controversial business of collecting users’ personal information, including name, age, location, as well as social interests, and selling them for commercial purposes. But the new market now involves selling users’ mental health data, and for as low as six cents.
But how easy is it to sell one’s mental health data, one might wonder? Recent findings have revealed that it is as easy as trading your old furniture.
An investigation led by a research team at Duke University’s Sanford School of Public Policy recently released these scary findings. The team contacted 37 data brokers to ask about buying mental health data, and they found 11 of these brokers were more than willing to sell bundles of people’s data.
Surprisingly, these bundles of data included detailed information about patients’ mental health diagnoses, what antidepressants or antipsychotics people were using, and what other mental health problems they have. Information offered also included personally identifiable data, including names, age, race, credit score, postcodes, Zip codes, and incomes of the patients.
Although the researchers did not buy these data, they were astounded when they received “free samples” of these data from some brokers to prove that they were legitimate and had a pool of these much-needed data.
Another data broker charged $0.20 per health record and required purchasers to buy $2,000 worth of data. Another broker offered to provide highly sensitive health data of persons suffering from a number of conditions, including bipolar disorders and personality disorders with no restrictions on how the buyers could use them.
Typically, these data are bought by companies for commercial purposes, including sending targeted ads and other sales initiatives, without the owner of the data ever knowing they are being trailed and targeted.
While the Health Insurance Portability and Accountability Act (HIPPAA) does restrict how healthcare providers, so called covered health entities, collect, use, share, and store data, the rule does not cover companies outside these covered entities, such as mobile apps and tech companies. Essentially, this means most people involved in this business of unregulated data trade may not necessarily be flouting any legislation.
Even with HIPPA restrictions, the rule still allows health organizations and other covered entities to share health data with drug companies and research organizations to aid advances in medicine as long as the data are de-identified; however, data miners have developed sophisticated methods to harvest these data, marry anonymized data from multiple sources, and re-identify these data with a considerable degree of accuracy.
Experts have also cited the ambiguity in the definition of “covered entities” as a weakness in the HIPAA rule, and a reason for continuous illegal mining of health data from mobile applications that are health-related, such as telemedicine sites.
Even in regions where data privacy laws are stronger, such as the UK and much of Europe with the General Data Protection Regulation (GDPR) rules, hundreds of UK’s most popular health websites sell and share people’s sensitive mental health data, including medical diagnoses, drug names, and treatment history with companies around the world, such as Google, Amazon, and Facebook.
Knowledge of an individual’s health records allows companies to sell specific treatments, products, or financial services they think users may need desperately. Insurance companies could also leverage this free flow of data to tweak your premiums, social media pages buy data to direct ads and improve their sales strategies.
With more outlets to collect data, including mobile apps, social media pages, and other AI-enabled tools, there is much more mental health data that these data miners can cross-reference to re-identify anonymized data collected about a particular person from multiple sources, almost accurately.
Since the U.S. has no comprehensive legislation at the federal level to curb data trade and regulate how these companies use and share people’s information, this industry has been allowed to grow and transform into a billion-dollar data trade market thriving on people’s sensitive health information.
With the surge of mental health apps on the market, there are now more data outlets for data miners and brokers to access. Therefore, your mental health information may no longer be private. So, these beg the question: how confident are you in your company’s mental health provider; is your employee mental health provider selling your mental health data for commercial purposes? Are you aware of how your sensitive mental health information is being used and shared?
These striking findings are a call to employers to re-evaluate data privacy and rethink who collects and can access employee mental health data. This requires a redesign of employer mental health programs and platforms to limit access to employees’ sensitive mental health information.
Safety of mental health data is an essential index in the workplace, and employees need to feel their health data are protected and only accessible by people who should help them. Employers need to provide clear policies and frameworks on data collection and use to win the trust of employees in these unprecedented times.
Global Healthcare Accreditation for Business
Global Healthcare Accreditation empowers business owners and organizations to redesign the culture of work to align with global best practices and to attract the best talent. Data protection is one of the most important aspects of the workplace culture, and a pivotal element evaluated by GHA.
Organizations with this seal and accreditation demonstrate to employees and clients their commitment to a culture that promotes employee wellbeing and safety, and one that will not breach employees’ trust.
To learn more about GHA, click here.