One company advertised the names and home addresses of people with depression, anxiety, post-traumatic stress or bipolar disorder. Another sold a database featuring thousands of aggregated mental health records, starting at $275 per 1,000 “ailment contacts.”

For years, data brokers have operated in a controversial corner of the internet economy, collecting and reselling Americans’ personal information for government or commercial use, such as targeted ads.

But the pandemic-era rise of telehealth and therapy apps has fueled an even more contentious product line: Americans’ mental health data. And the sale of it is perfectly legal in the United States, even without the person’s knowledge or consent.

In a study published Monday, a research team at Duke University’s Sanford School of Public Policy outlines how expansive the market for people’s health data has become.

After contacting data brokers to ask what kinds of mental health information she could buy, researcher Joanne Kim reported that she ultimately found 11 companies willing to sell bundles of data that included information on what antidepressants people were taking, whether they struggled with insomnia or attention issues, and details on other medical ailments, including Alzheimer’s disease or bladder-control difficulties.

Some of the data was offered in an aggregate form that would have allowed a buyer to know, for instance, a rough estimate of how many people in an individual Zip code might be depressed.

But other brokers offered personally identifiable data featuring names, addresses and incomes, with one data-broker sales representative pointing to lists named “Anxiety Sufferers” and “Consumers With Clinical Depression in the United States.” Some even offered a sample spreadsheet.

It was like “a tasting menu for buying people’s health data,” said Justin Sherman, a senior fellow at Duke who ran the research team. “Health data is some of the most sensitive data out there, and most of us have no idea how much of it is out there for sale, often for just a couple hundred dollars.”

The Health Insurance Portability and Accountability Act, known as HIPAA, restricts how hospitals, doctors’ offices and other “covered health entities” share Americans’ health data.

But the law doesn’t protect the same information when it’s sent anywhere else, allowing app makers and other companies to legally share or sell the data however they’d like.

Some of the data brokers offered formal customer complaint processes and opt-out forms, Kim said. But because the companies often did not say where their data had come from, she wrote, many people probably didn’t realize the brokers had collected their information in the first place. It was also unclear whether the apps or websites had allowed their users a way to not share the data to begin with; many companies reserve the right, in their privacy policy, to share data with advertisers or other third-party “partners.”

Privacy advocates have for years warned about the unregulated data trade, saying the information could be exploited by advertisers or misused for predatory means. Health insurance companies and federal law enforcement officers have used data brokers to scrutinize people’s medical costs and pursue undocumented immigrants.

Mental health data, Sherman said, should be treated especially carefully, given that it could pertain to people in vulnerable situations — and that, if shared publicly or rendered inaccurately, could lead to devastating results.

In 2013, Pam Dixon, the founder and executive director of the World Privacy Forum, a research and advocacy group, testified at a Senate hearing that an Illinois pharmaceutical marketing company had advertised a list of purported “rape sufferers,” with 1,000 names starting at $79. The company removed the list shortly after her testimony.

Now, a decade later, she worries the health-data issue has in some ways gotten worse, in large part because of the increasing sophistication with which companies can collect and share people’s personal information — including not just in defined lists, but through regularly updated search tools and machine-learning analyses.

“It’s a hideous practice, and they’re still doing it. Our health data is part of someone’s business model,” Dixon said. “They’re building inferences and scores and categorizations from patterns in your life, your actions, where you go, what you eat — and what are we supposed to do, not live?”

The number of places people are sharing their data has boomed, thanks to a surge of online pharmacies, therapy apps and telehealth services that Americans use to seek out and obtain medical help from home. Many mental health apps have questionable privacy practices, according to Jen Caltrider, a researcher with the tech company Mozilla whose team analyzed more than two dozen last year and found that “the vast majority” were “exceptionally creepy.”

Federal regulators have shown a recent interest in more aggressively assessing how companies treat people’s health details. The Federal Trade Commission said this month that it had negotiated a $1.5 million civil penalty from the online prescription-drug service GoodRx after the company was charged with compiling lists of users who had bought certain medications, including for heart disease and blood pressure, and then using that information to better target its Facebook ads.

An FTC representative said in a statement that “digital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information.” GoodRx said in a statement that it was an “old issue” related to a common software practice, known as tracking pixels, that allowed the company to “advertise in a way that we feel was compliant with regulations.”

After the Supreme Court overturned Roe v. Wade last summer and opened the door to more state abortion bans, some data brokers stopped selling location data that could be used to track who visited abortion clinics.

Several senators, including Elizabeth Warren (D-Mass.), Ron Wyden (D-Ore.) and Bernie Sanders (I-Vt.), backed a bill that would strengthen state and federal authority against health data misuse and restrict how much reproductive-health data tech firms can collect and share.

But the data-broker industry remains unregulated at the federal level, and the United States lacks a comprehensive federal privacy law that would set rules for how apps and websites treat people’s information more broadly.

Two states, California and Vermont, require the companies to register in a data-broker registry. California’s lists more than 400 firms, some of which say they specialize in health or medical data.

Dixon, who was not involved in the Duke research, said she hoped the findings and the Supreme Court ruling would serve as a wake-up call for how this data could lead to real-world risks.

“There are literally millions of women for whom the consequences of information bartered, trade and sold about aspects of their health can have criminal consequences,” she said. “It is not theoretical. It is right here, right now.”

Read More