Stop the unauthorized sharing and sale of people’s health information

Everyone has a right to know when health apps, devices and websites quietly share their health information across the internet.

Yet in many cases, this data is widely for sale online without any notice. No hacking is required to get at it because private companies legally gather it and sell it. Individual users may have no idea that companies they never heard of know their heartbeats, the number of steps they take, and their walking and running distances.

Customers often enter their blood pressure, weight and other information into apps so they can keep track of their health. Others use therapy apps to help treat their mental health. That data, too, can be gathered and sold.

The risk is that such information can be used against a person who is applying for a job or health insurance, for example. In some states, authorities might subpoena data from women to see who might be thinking of getting an abortion.

All this trafficking in health information should not be going on in the shadows. But it does, because data collected by devices is not covered by the federal Health Insurance Portability and Accountability Act (HIPPA), which applies to physicians, hospitals and others in the health care industry.

‘It’s their information’

A bill was introduced Friday in the Illinois House to require business entities in Illinois that vacuum up health data to get customers’ consent before they share it. The companies would have to disclose what information they are collecting and who they are going to share it with. It’s not a big ask, and Illinois ought to make it a law. Individuals’ private health information should not be going viral on the internet.

“There are a lot of companies brokering that data,” said state Rep. Ann Williams, D-Chicago, who introduced the bill. “It’s a matter of very personal data being shared, and people have a right to control that. It’s their information.”

Many users love their wearable devices and apps because they can be effective tools in managing personal health improvement programs. And going online to look up medical information is a quick way to get preliminary answers.

But that doesn’t mean their health data should be public.

Some companies are more vigilant than others in making sure their customers’ personal data is not widely shared. But other companies don’t adhere to strong, or any, guidelines. We don’t have to accept that. There’s no need for any business entity that collects health data to surreptitiously hand that personal health information over to other companies they think they can use it to make a buck.

Medical privacy has become a national issue. In Virginia, Republican Gov. Glenn Youngkin’s administration helped defeat a bill last week that would have shielded menstrual data stored on period-tracking apps from law enforcement.

Also last week, the Federal Trade Commission filed a complaint against GoodRx, accusing the company of sharing consumer’s health information with advertisers. In Louisiana, a class-action lawsuit filed earlier this month alleges that visitors to health system websites may have had their medical conditions, prescriptions and other information shared with Meta, Facebook’s parent company.

According to a Washington Post report, one company advertised the names and addresses of people with depression, anxiety, post-traumatic stress or bipolar disorder. Another sold a database featuring thousands of aggregated mental health records.

Duke University’s Sanford School of Public Policy reported last week online brokers “advertised highly sensitive mental health data on Americans including data on those with depression, attention disorder, insomnia, anxiety, ADHD, and bipolar disorder as well as data on ethnicity, age, gender, zip code, religion, children in the home, marital status, net worth, credit score, date of birth, and single parent status.”

This not only invades people’s privacy. It also may deter people from seeking health assistance because they have no idea where their personal data might crop up and they fear who might see it.

No one is asking people to give up the benefits that wearable devices, health apps and websites can provide. But everyone should know if their data is being collected, shared and sold — and have the right to prevent it.

The Sun-Times welcomes letters to the editor and op-eds. See our guidelines.