Your Health Data Is for Sale — and Most of It Isn't Covered by HIPAA

When you search for symptoms on WebMD, use a period tracking app, fill a prescription at a pharmacy, or download a mental health app, data about your health is being collected. Much of it is being sold. Most of it is not covered by HIPAA. This is not a future privacy risk — it is the current operating reality of the US health data market, and it is larger, more detailed, and more consequential than most people realize.
The HIPAA Gap Is the Core Problem
The Health Insurance Portability and Accountability Act (HIPAA), passed in 1996, applies to "covered entities" — hospitals, physician practices, health insurers, and their business associates. What it does not cover is the broader universe of health-related services that have grown dramatically since 1996: fitness tracking apps, mental health apps, genetic testing services, wellness platforms, fertility apps, symptom checkers, pharmacy benefit managers' non-covered data flows, and the data broker industry that aggregates and resells health information.
This creates a structural gap. Your cardiologist cannot sell your medical records without your consent. Strava can sell data about the distance and pace of your runs, which combined with demographic data can be used to infer your cardiovascular health. The cardiologist's behavior is regulated. Strava's, legally, is not — at least under HIPAA.
Who the Health Data Brokers Are
The health data brokerage industry is large and largely invisible to consumers. The major players operate under names unfamiliar to most people. IQVIA (formerly IMS Health, the oldest and largest) aggregates pharmaceutical sales data, prescription records, and clinical information from hundreds of thousands of data suppliers — pharmacies, hospitals, labs, insurers — and sells it primarily to pharmaceutical companies for market research and drug launch planning. The company processes data on over 5 billion patients globally.
Definitive Healthcare and Komodo Health are more recent entrants focused on the US market. They provide healthcare commercial intelligence — detailed data on prescribing behavior, patient journeys from diagnosis to treatment, procedure volumes, hospital referral patterns. Their primary customers are pharmaceutical companies optimizing sales representative targeting and payers analyzing utilization patterns.
These companies are not selling data in a way that directly identifies you by name to advertisers — their primary business is B2B analytics. But the de-identification standards they use are often technical, not practical: data that is "de-identified" by regulatory standards has been re-identified in published research repeatedly. The combination of age, ZIP code, and a rare diagnosis is often sufficient to re-identify an individual in a dataset.
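As an added illustration of the re-identification point above (example code written for this edit, not from the article or any broker named in it): the constructed claims extract below has names removed but keeps exact age, 5-digit ZIP and diagnosis. Measuring the k-anonymity of those quasi-identifiers shows how many records are unique, and how much generalization and suppression change that before a data holder releases the set; the rarity list used for generalization is an assumption for this sample.

```python
from collections import Counter

# Constructed sample of a "de-identified" extract: direct identifiers stripped,
# but age, 5-digit ZIP and diagnosis retained. Not real patient data.
RECORDS = [
    {"age": 34, "zip": "98101", "dx": "hypertension"},
    {"age": 34, "zip": "98101", "dx": "hypertension"},
    {"age": 35, "zip": "98101", "dx": "hypertension"},
    {"age": 36, "zip": "98103", "dx": "hypertension"},
    {"age": 52, "zip": "98104", "dx": "type 2 diabetes"},
    {"age": 55, "zip": "98104", "dx": "type 2 diabetes"},
    {"age": 52, "zip": "98104", "dx": "Huntington disease"},  # rare dx
    {"age": 29, "zip": "98109", "dx": "cystic fibrosis"},     # rare dx
]
QIDS = ("age", "zip", "dx")  # the quasi-identifiers an attacker could link on

def equivalence_classes(records, quasi_ids):
    """Group records by quasi-identifier tuple and return each class's size."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)

def k_anonymity(records, quasi_ids):
    """k is the smallest class size; k == 1 means at least one person is unique."""
    return min(equivalence_classes(records, quasi_ids).values())

def unique_fraction(records, quasi_ids):
    """Share of records that stand alone in their class (trivially re-identifiable)."""
    classes = equivalence_classes(records, quasi_ids)
    alone = sum(1 for r in records if classes[tuple(r[q] for q in quasi_ids)] == 1)
    return alone / len(records)

def generalize(record):
    """Coarsen quasi-identifiers: 10-year age band, 3-digit ZIP, rare dx collapsed."""
    rare = {"Huntington disease", "cystic fibrosis"}  # assumed rarity list for this sample
    return {
        "age": f"{record['age'] // 10 * 10}s",
        "zip": record["zip"][:3],
        "dx": "rare genetic disorder" if record["dx"] in rare else record["dx"],
    }

def suppress_small_classes(records, quasi_ids, k_min):
    """Release gate: drop records whose class is still smaller than k_min."""
    classes = equivalence_classes(records, quasi_ids)
    return [r for r in records if classes[tuple(r[q] for q in quasi_ids)] >= k_min]

if __name__ == "__main__":
    print("raw:", k_anonymity(RECORDS, QIDS), unique_fraction(RECORDS, QIDS))
    coarse = [generalize(r) for r in RECORDS]
    # Generalization alone still leaves the two rare-diagnosis patients unique.
    print("generalized:", k_anonymity(coarse, QIDS), unique_fraction(coarse, QIDS))
    released = suppress_small_classes(coarse, QIDS, 2)
    print("released:", len(released), "records, k =", k_anonymity(released, QIDS))
```

The generalized set still has k = 1 because the two rare-diagnosis records remain singletons, which is exactly why a rare diagnosis defeats the usual age and ZIP coarsening.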
The App Problem: Mental Health and Fertility Data
The health app category carries the sharpest privacy risks because it collects the most sensitive categories of data with the least regulatory oversight.
BetterHelp, the online therapy platform that grew rapidly during the pandemic, was fined $7.8 million by the Federal Trade Commission in March 2023 for sharing user mental health information with Facebook and Snapchat for advertising targeting. Users had sought help for anxiety, depression, and trauma; their data was being used to create ad targeting segments. The FTC order required BetterHelp to obtain explicit consent for any health data sharing with third parties going forward and to notify affected users.
GoodRx, a prescription drug pricing service, settled with the FTC in February 2023 for $1.5 million over sharing users' prescription information — including specific drug names — with Facebook, Google, and Criteo for retargeting advertising. Someone who searched for an HIV medication or an antidepressant on GoodRx had that information shared with ad networks.
Period tracking apps became the center of a specific privacy debate after the US Supreme Court's Dobbs v. Jackson ruling in June 2022 overturned federal abortion rights. The concern: if abortion can be criminally prosecuted at the state level, and period tracking data can establish that a user was pregnant and then stopped being pregnant, that data becomes potentially relevant to legal proceedings. Several apps — including Flo and AF Period Tracker — updated their privacy policies and data-sharing practices after 2022. Flo introduced an "anonymous mode" that severs identifiable information from health tracking data. Whether these protections are technically sufficient is debated.
The 23andMe Precedent
23andMe's bankruptcy filing in March 2024 created a specific alarm: the company had collected DNA from approximately 15 million customers, and bankruptcy proceedings raised the question of who would acquire that genetic database and under what terms. DNA data is uniquely sensitive — it reveals information about relatives who never consented to testing, it cannot be changed (unlike a password), and it can be used to infer health predispositions, ancestry, and identity.
The California Attorney General issued guidance in March 2024 urging 23andMe customers to delete their data while they could, citing the bankruptcy as a trigger event for reassessing consent. Several class-action lawsuits were filed. The bankruptcy court ultimately required that any acquirer of 23andMe's assets maintain the existing privacy policy, but critics noted this constraint is difficult to enforce long-term and that privacy policies can be amended after acquisition.
The 23andMe situation established that genetic data companies carry a tail risk that other health data companies do not: the combination of scale (millions of users) and permanence (DNA doesn't expire) means a single acquisition or bankruptcy event can have long-duration privacy consequences.
The Location Data Overlay
Location data, sold by the data broker industry (see the broader data broker economy), becomes health data when it is combined with geographic inference. Visiting an oncology clinic, a psychiatric hospital, an abortion provider, or an addiction treatment center can be inferred from mobile phone location data. The Dobbs ruling made this overlap explicit: law enforcement or private litigants in states with abortion bans could theoretically request location data from brokers to establish whether a person visited a reproductive health clinic.
SafeGraph, a major location data broker, agreed to stop selling data about visits to abortion clinics and other sensitive health locations in 2022 following public pressure. Several other brokers made similar commitments. But these were voluntary commitments, not legal requirements, and enforcement is difficult.
The Legal Landscape Is Changing
Washington State's My Health My Data Act, signed in May 2023 and effective March 2024 for large businesses, is the most comprehensive US health privacy law outside HIPAA. It covers health data processed by any company that does business in Washington — regardless of whether that company is a HIPAA covered entity — and requires affirmative authorization (opt-in consent) before collecting or sharing consumer health data. It applies to period app data, fitness data, mental health data, and location data used to infer health status.
Texas and Nevada have passed similar laws. Several states have bills pending. The prospect of a federal consumer health privacy law has been discussed in Congress but has not advanced to passage as of 2026.
The FTC has increasingly used its Section 5 authority (prohibiting unfair or deceptive practices) to bring health data actions even without specific legislation — the BetterHelp and GoodRx cases are the most prominent examples. In April 2024 the FTC published a policy statement indicating it views the sharing of health data for advertising purposes without meaningful user consent as unfair under Section 5.
What You Can Actually Do
The practical steps for reducing health data exposure are limited but meaningful. Review the privacy policy of any health or wellness app before using it — specifically whether it sells or shares data with "third parties" and whether "de-identified" data is explicitly excluded from that language. Washington's My Health My Data Act has given consumers in that state the right to access and delete health data held by covered entities; if you are in a covered state, those rights are enforceable.
For sensitive health searches, using a private browser session (which prevents browser history from being shared with ad networks) reduces but does not eliminate tracking — advertisers can still identify you via IP address and browser fingerprint. For period tracking, Euki and Drip are apps designed specifically with data minimization and local-only storage in mind.
For genetic testing, the data ship has largely sailed for people who have already tested. For those considering testing: read the terms of service on data sharing, understand what "research consent" means in the context of the specific company's business model, and consider whether the results are worth the permanent data exposure.