Your Mental Health Information May Be for Sale

A recent study demonstrates the privacy risks of using health and wellness apps

When you seek out mental health services from an authorized healthcare provider in the U.S., your PII (Personal Identifiable Information) and any sensitive private conversations you have with your provider are likely privacy-protected under the Health Insurance Portability and Accountability Act (HIPAA).

But what if you’re among the growing group of Americans who have turned to mental health and wellness apps, wearable devices, or social media platforms as an alternative to seeking treatment for mental or emotional issues? When these platforms collect your personal data, is your privacy being protected?

The answer, quite often, is no. HIPAA doesn’t cover most of these alternative or supplemental healthcare platforms, including apps owned by private companies, so they are not legally obligated to keep your data confidential. A recent study has confirmed that so-called data broker websites are gladly scooping up people’s mental health information from these platforms and selling it—legally—to advertisers and other third parties.

If an advertiser purchases your mental health data so it can attempt to sell you on treatments and services, you might consider that to be an invasion of privacy. If an unscrupulous third party acquires your identity data linked with your mental health records, the information could be misused for identity fraud; or it could be otherwise used against you in your personal or professional life.

Here’s a look at the major findings from the data broker study; what to do if your data winds up for sale on data broker websites; and what you can do to help ensure that the full scope of your identity—including your mental health data—remains private.

Many data brokers are willing to sell mental-health information

A 2023 study published by Joanne Kim of the Duke University Sanford School of Public Policy found that people who use personal devices or health tracking apps for mental health needs are “often unknowingly putting their sensitive mental health data at risk.” Unrestricted health apps and devices are generally able to “legally share, license, and sell users’ health data ... to third parties without users’ knowledge or consent.”

This health data often winds up in the hands of data brokers. The report revealed that many data brokers “advertise and are willing and able to sell data concerning Americans’ highly sensitive mental health information.” Among the data brokers contacted by the study author, 30% responded that they were willing and able to sell mental health data. Many of the responding data brokers implied that “they have the capabilities to provide identifiable data,” according to the report.

Some data brokers were willing to sell data on highly sensitive mental health concerns including depression, attention disorder, insomnia, anxiety, ADHD, and bipolar disorder. At least one of them was prepared “to sell data on depressed and anxious individuals at the author’s budget price of $2,500, and stated no apparent, restrictive data-use limitations post-purchase.” The data for sale included individuals’ names and addresses.

Do your homework before using a health app

None of this means that you should completely avoid health or wellness apps and devices. But it’s on you to protect yourself. Before using any of these platforms, find out exactly how the app maker protects your data and how they intend to use it. Carefully read both the privacy policy and the terms and conditions, and choose the strongest possible privacy settings.

How to get your data removed automatically

If your sensitive health data (or any other personal information) is sold to or collected by a data broker, you can directly request that the information be removed. However, you’ll have to do this manually—data brokers design the removal process to be as complex and time-consuming as possible. Keep in mind that if you find your information on one data broker site, it’s likely to be on several. Each data broker has its own removal process, so you’ll have to manually go through different steps for each one.

To handle this process, consider an automated solution like IDX’s ForgetMe Personal Data Removal tool. It continuously scans more than 100 major data broker sites to determine if your personal information is available for sale. If it finds a match for your data, it automatically handles the removal process for you. Should your information later reappear on any of these sites—as it often does, because these brokers are persistent—ForgetMe will automatically repeat the process until your data is permanently removed.

Data brokers are only part of the story—get full protection

For comprehensive protection of your privacy and identity, consider a proactive plan like the IDX Complete Plan. It offers a wide range of advanced tools and services like ForgetMe, along with Tracking Blocker, which helps prevent your personal data from being collected and tracked across the web, and CyberScan, which continuously monitors all layers of the web to search for breaches of your personal data. It also provides access to IDX’s dedicated care team, who are experts at identity recovery.

Your mental and emotional concerns are among the most confidential aspects of your identity; when you use an app or smart device to help monitor or treat issues, you deserve privacy. Unfortunately it doesn’t always work out that way, as the data-broker study proves. Be sure to carefully vet health or wellness platforms and choose strict privacy settings. And for full protection, get comprehensive privacy and identity coverage that includes automated data removal.