Who Really Owns All Your Medical Data?

Sleep patterns. Heart rate. Menstrual cycles. Weight fluctuations. Medication schedules. The locations of the world’s top leaders. Every morning, millions of people put on smartwatches, open cycle-tracking apps, and upload their most intimate data to the cloud. We’re told this data will help us improve our health and live better. But beneath the surface lurks a darker question: who really owns all this information, and where exactly is the line drawn between optimization and surveillance?
Let’s start with the most important thing: what does HIPAA actually protect?
When discussing this topic with friends and family, almost everyone I knew assumed their medical data was protected by federal law under HIPAA (the Health Insurance Portability and Accountability Act). Unfortunately, they’re wrong. HIPAA applies exclusively to “covered entities,” meaning insurance companies and healthcare providers. A fitness tracker on your wrist? Not covered. A menstrual cycle app on your phone? Not covered. A sleep monitor by your bed? You get the idea.
“When we think we’re protected but aren’t, we’re exposed,” says Ron Zayas, online privacy expert and CEO of Ironwall by Incogni. “So when you allow a company to collect your medical data, it’s safe to assume two things: 1) you’re not protected by HIPAA, and 2) the company is going to sell your data.” The reason is simple: economics. Selling user information often generates more revenue than the product itself. Your medical data is incredibly personal, making it extremely valuable.
What happens when we don’t have access to our health data?
I remember firsthand how my friends and I hastily deleted menstrual tracking apps after the Supreme Court overturned Roe v. Wade in 2022. What once seemed like simple tools for monitoring our cycles suddenly looked like potential evidence in criminal investigations. We feared that our menstrual data would be subpoenaed to prove abortions, and this fear wasn’t paranoid. As Zayas explains, governments can acquire the same data as anyone else and cross-reference it with location data from cell phones. “When you’ve had—or haven’t had—your period can indicate whether you’re pregnant or trying to conceive,” he says. “Governments can acquire this information and link it to your recent travel history to determine whether you’ve had an abortion or miscarriage.”
At the same time, I’m a sucker for all sorts of health-related “optimizations.” I enjoy sharing my runs on Strava and checking my sleep score on Garmin. Beyond my personal preferences, health gadgets can be incredibly useful: they monitor blood sugar, track heart rate variability, and identify sleep disorders. But what if this data reveals you’re not exercising enough, eating poorly, or sleeping irregularly? Could your rates go up? Could your insurance be denied?
As with the fears surrounding menstrual cycle tracking, the real concern is that the same data streams that help you manage your health and make your daily life more “optimized” can be used to build insurance profiles, target advertising, or even make employment decisions if data sharing policies aren’t strictly controlled. Let’s dive into the details to understand where exactly your data is going and how you can protect yourself.
The fine print that no one reads
Julia Zhen, a third-party information security risk manager at a large nonprofit, says, “If you want to know what information is being collected and/or stored—which are two different things—start with the app’s privacy policy.” Furthermore, third parties, such as the Google App Store, have their own terms of service, which creates multiple data collection points for investigation.
Zhen recommends a quick approach: look for keywords like “sell” or “share” in privacy policies to quickly understand what’s happening with your data. “In most cases, companies de-identify people from their data because they want to aggregate information and target specific demographics,” she explains. Such aggregation can still raise ethical concerns, but according to Zhen, it’s now standard practice in the industry.
Using this strategy, Zhen says she’s encountered privacy policies that brazenly admit to selling user data. And even when companies claim to anonymize information, protection isn’t absolute. Jacob Calvo, a cybersecurity expert and CEO of Live Proxies, says the risks of future re-identification still exist. Even a giant like Apple can’t protect your data if you choose to share it outside of their ecosystem. Jake Peterson, senior technology editor at Lifehacker, says, “Apple has some good privacy policies to keep your medical data private, but if you choose to share it with outside sources, you lose that control.” In other words, if you share medical data directly with your healthcare provider through a health app and then delete it, Apple will no longer store it, but you may have no control over the data your healthcare provider has collected.
How to protect yourself in the age of digital health
Even if you trust a company’s privacy policy, another threat lurks: cybersecurity breaches. “The real risk we face every day is hackers and cyberattacks,” says Zhen.
Hackers are sophisticated and always ahead of security developments. Even if companies don’t intentionally sell your data, they may be reckless. Most privacy policies acknowledge their efforts to protect against attacks, but privacy breaches are common in the tech industry. Your carefully guarded medical information can be stolen and sold on the dark web, despite the company’s good intentions. Once leaked, your data can be used without your control and without any consequences.
When asked about menstrual tracking apps in the current political climate, Zhen says these service providers “may be more vulnerable to cyberattacks due to restrictive reproductive health laws.” It’s important to keep this in mind across all platforms: what information are you willing to risk?
However, this doesn’t mean a complete rejection of medical technology. Experts agree on several protective measures:
- Read that damn privacy policy. Zhen advises going straight to the privacy policy for each data collection point and looking for keywords like “sell” and “share.” Most policies include information about data retention and a contact email address where you can ask what information they store about you.
- Understand what you’re giving up. Before downloading an app, understand exactly what data it collects and why. When in doubt, assume the worst in any privacy policy.
- Practice good data hygiene. As a general rule, never share your mobile phone number with anyone. Use aliases for email addresses that you don’t use anywhere else. Use a VPN to hide your identity and location. Enable multi-factor authentication everywhere.
- Don’t reveal too much information. Don’t share more information than is necessary for your purposes. Does the company need to know your exact date of birth or just the year? Do they need to know where you live? If not, don’t provide the information or feel free to lie when you can.
- Please remember that a privacy policy is not a binding contract. Companies generally reserve the right to change their terms at any time.
Bottom line
The reality is that most people take all sorts of risks associated with data collection every day because modern life demands it. My goal isn’t to instill fear, but to help people make informed choices in what is ultimately a calculated gamble.
If you’re the type of person who posts on social media, downloads takeout apps, and accepts the risks associated with the convenience of modern technology, then “downloading a reputable health tracking app is generally acceptable—as long as the privacy policy doesn’t explicitly state that they sell your data,” says Zhen.
On the other hand, I’d argue that your health data is more intimate, more permanent, and potentially more dangerous than your food order history. If you want my opinion, we’re running a large-scale, uncontrolled health surveillance experiment, and we’re all guinea pigs. This technology offers real benefits: improved health, earlier disease detection, personalized medicine. But for these benefits, we sacrifice something valuable and little-studied: privacy, independence, and control over our most personal information.
The question isn’t whether we should use medical technology. For many people, the benefits are too significant to ignore. The question is whether we make this choice with full understanding of what we’re giving up, and whether the companies that collect our data can be held accountable if and when retribution comes.