Is Someone Stealing Your Health Data?

Men's-Journal_2
 Eric Chow

When the news broke in March that Facebook had allowed third-party apps to harvest troves of data from its users to influence U.S. elections, people (rightfully) freaked out. Now here’s something else to worry about: Facebook and others are turning your personal health information into a hot business commodity.

 

In 2017, Facebook held a widely reported health summit for pharmaceutical companies to propose ways that user “likes” and demographic information could be enlisted to better target drug ads.

After Facebook was outed in the recent scandal, CNBC reported that the company was looking into selling user information to hospitals and medical institutions, including Stanford Medical School and the American College of Cardiology, which are eager to identify patients and build digital profiles that might include diagnoses, tests, prescriptions, and even sex-drive data. That project was put on hold after the Cambridge Analytica debacle, but CEO Mark Zuckerberg confirmed in congressional testimony that his company collects medical information on users. (Facebook declined to comment for this story.)

Facebook may be among the biggest players, but it’s far from alone. This health data can be found in your posts, app downloads, fitness trackers, and phone activity, where it can be gathered and sold to companies eager to know who might need medical products and services. What Facebook has attempted to do is only a snippet of the kinds of health privacy violations hanging over the online world. Now, or in the near future, these could threaten your employability, health-care costs—even your reputation. “Companies want to control and make money off your health data, and what we’re seeing is just the beginning of a wave of specialized apps that will gather information on people’s diseases and mental health,” says Luke Stark, a technology researcher at Dartmouth College and Harvard University. “This is a big deal, and it’s frustrating that right now there’s little an individual consumer can do about it.”

So what do companies do with your health data, anyway? In some cases it might go to researchers and clinicians who need it to improve treatments, and that could be a good thing, Stark says. “Health care wants to move toward personalized medicine, and they need data about you to provide better care,” he says.

But, Stark adds, most organizations looking to grab the data have marketing in mind. Health care is a $3-trillion-plus business that’s expected to spend $10 billion on advertising this year. To get their money’s worth, companies want all those ads ending up in front of people whose health profiles make them good candidates.

The problem is that there’s no official protection whatsoever for health information unless it’s in a formal health record of the sort your doctor or insurance company would keep. Mention on Twitter that you’re heading to the drugstore for allergy medicine, or post an Instagram photo that shows you’re overweight, and it’s all fair game for anyone hoping to build a sellable health profile.

The information doesn’t have to be explicitly heath-related, either. Retail giant Target has tracked purchases of toiletries to help determine which of its customers were likely pregnant. Michigan State University researchers were able to identify illegal-drug users by looking for the use of certain types of comments in online posts. And other researchers have linked specific language and images in posts to depression. Any company or individual could do the same—including an employer eager to get rid of employees with health challenges, or an insurance company willing to raise rates on or deny coverage to someone with an illness, a genetic predisposition to disease, or a higher-risk lifestyle.

Slower daily runs, waking earlier, fewer check-ins at restaurants and bars—such behavior changes are easy to spot on social media, and can be linked to possible health problems.

And if you’re one of the millions of users who participate in patient-support groups on Facebook or other platforms, the risks of profiling are that much higher. Facebook has allegedly bragged to advertisers it can place users in 154 different medical categories. And in 2016, Facebook was sued over claims it was targeting health-related ads based on information on its users pulled from cancer websites. Brian Loew, the CEO of the patient support site Inspire, which has 1.5 million members, notes that the company’s systems sometimes detect outside bots poring over posts on his site. “They’re trying to extract information, but we block them,” Loew says.

Phone apps are a big potential source of leaky health data, too. If you’re using any of the tens of thousands of free and inexpensive apps available to help with dieting, family planning, stress, or virtually any health-related activity or condition, it’s wise to assume the company providing the app is prepared to use the data you plug in to its benefit—including selling it. A 2013 study by the privacy-compliance consultancy Evidon, which dove in to the top 20 fitness apps, including MapMyFitness, WebMD Health, and iPeriod, turned up as many as 70 marketing firms that were the recipients of users’ health data.

The risks of having your health status turned into a product only climb if you wear a Fitbit, Apple Watch, or other wearable fitness and tracking device. Some 50 billion objects on your body, in your home, and sprayed throughout your environment are expected to be Internet- connected over the next 10 years. Think refrigerators, scales, toilets—even bathroom mirrors.

In a sense, we all help bring this situation on ourselves by entering into the standard Faustian bargain of social media and app use. “If you’re using a consumer app, more often than not you’re getting it for free in exchange for giving up data about you,” says Rick Valencia, president of Qualcomm Life, a health-oriented offshoot of the communications chip-making giant. “Once you agree to the licensing agreement, the deal is done. As long as consumers keep blithely clicking, the companies that mine the data are likely to get only better and bolder.”

Don’t count on the government for protection, either. Health privacy laws apply only to data held by doctors, hospitals, pharmacies, health insurers, medical billing companies, and other mainstream health care players. Even if a social media platform or an app promises not to sell your data, don’t trust it. Their terms and conditions have loopholes large enough to drive an ambulance through.

“It’s a pretty significant gap in consumer protection,” says Aneesh Chopra, the former chief technology officer in the Obama administration and now the president of CareJourney, a company that helps hospitals analyze data patients have consented to provide. “Our health data effectively becomes the commercial property of the platforms we use.” Chopra helped draft a proposed law to protect that data in 2012, but Congress wouldn’t consider it; legislators have been loath to hamper the golden goose that is tech and are fairly clueless about how far the misuse of private data would go, as underscored by the recent congressional hearings over Facebook.

For now, you’re on your own in preventing your health info from being turned into a product. There are a few steps you can take. When you can, look for FDA-certified health apps and wearable devices, because they fall under the same privacy rules that apply to hospitals. Unfortunately, only a tiny minority of health apps and devices get that certification, as they’re typically for specific diseases or conditions, such as cardiac issues and diabetes management.

For all apps, health or otherwise, adjust privacy options, and use pseudonyms when possible. Also, Google offers options to prevent it from ever tracking anything about you. For the apps you use most, do a web search on their trustworthiness and privacy. (Facebook recently suspended 200 apps for privacy violations.) And in general, be selective about what behavioral and health information you post online and plug into apps, especially where it’s public and linked to your name.

Of course, the best of all possible worlds is simply to stay healthy. That will make your data way too boring for most health-care companies to bother.