A new study by Duke University has shed light on the concerning issue of sensitive mental health data being sold by little-known data brokers. The report found that buying this information is surprisingly easy, with 11 out of 37 data brokers the researchers approached agreeing to sell information that identified people based on issues such as depression, anxiety, and bipolar disorder.
This information was often sorted based on demographic data like age, race, credit score, and location. The study found that the data brokers were often cavalier with this sensitive information, with one broker making no demands on how the information would be used and advertising the availability of names and addresses of people with mental health conditions.
The study found that the industry appears to lack a set of best practices for handling individuals' mental health data, particularly with regards to privacy and buyer vetting. Prices for rented and sold mental health records varied widely, but some firms offered them for as low as $275 for information on 5,000 people.
The Influx of Mental Health Apps
The use of apps offering counseling and mental health services has increased in recent years, and this trend was only accelerated by the COVID-19 pandemic. In 2020, the FDA eased its recommendations against unvetted mental health apps due to a combination of pandemic-related stress and the push for remote healthcare.
Data brokering is a thriving but largely unknown industry that deals in the buying, repackaging, and selling of people's personal information. Companies in this industry are rarely household names and often say little publicly about their business practices. Congress has so far failed to pass significant legislation regulating this industry, which spends millions on lobbying.
The US does not have an overarching privacy law that protects people's private and personal information from being bought and sold. Some medical information can be protected under laws like HIPAA (Health Insurance Portability and Accountability Act), but these laws only apply when the information is held by a covered entity like a hospital or certain health care organizations.
Most phone apps, which store health data, are not regulated under HIPAA, leaving data brokers with a number of legal options to purchase such data.
A 2021 investigation by Consumer Reports found that some popular mental health apps were selling user data to advertising companies, including Facebook. Facebook did not respond to a request for comment, but told Consumer Reports that it did not have agreements restricting its use of mental health companies' user data.
The executive director of the World Privacy Forum, Pam Dixon, warned against concluding that mental health information was more widely traded than other personal information and stated that the data brokering industry was out of control. Dixon highlighted the confusion around health care privacy and the difficulty for the average person to understand what health information can be expected to remain private.
She also emphasized that someone is buying this data, or there would not be a business model for it. The study by Duke University highlights the need for better regulation and protections for individuals' mental health data, as well as increased public awareness of the practices of data brokers. With the growing use of mental health apps and services, it is crucial to ensure that users' data is handled with appropriate privacy and security measures.