Once COVID-19 hit, the demand for mental health services skyrocketed, and with in-person care suspended, many turned to digital services — which led to a disturbing breach of data privacy.
The Duke Sanford School of Public Policy conducted a data brokerage study that found sensitive mental and physical health information was being collected, aggregated, bought, and sold by digital mental health service apps. And those services, in many cases, were not bound by HIPAA regulations.
The list of buyers of the personal health information is vast that includes banks and other financial institutions, US law enforcement agencies, advertising firms, insurance providers — and scammers.
Some digital health service platforms priced the health data of its customers between $200 and $5,000, while others offered subscriptions that doled out information monthly for $75,000 to $100,000.
So what's up for sale? The study found that some services were selling data on anonymous customers, others sold information that included a person's age, sex, race, postal code, and mental health status.
Earlier this month, the Federal Trade Commission filed an order with the Justice Department against GoodRx, a leader in American healthcare and operator of a telemedicine platform, for illegally sharing user information with advertising behemoths like Facebook and Google. The company has since agreed to pay a $1.5 million fine. If the suit is honored in court, it would ban GoodRx from sharing sensitive personal data with third parties.
