Privacy Guide · May 24, 2026 · 7 min read

How to Protect Your Privacy From Health Data Brokers

By Sarah Chen

Head of Privacy Research

Your most sensitive health information is being bought and sold without your knowledge. Health data brokers operate in a $9 billion industry that trades in prescriptions, diagnoses, fitness data, and pharmacy purchases, often with zero oversight from HIPAA. Here is what you need to know to protect yourself.

What Are Health Data Brokers?

Health data brokers are companies that specialize in collecting, aggregating, and selling medical and health-related information about individuals. Unlike your doctor or hospital, these companies operate largely outside federal health privacy regulations. They compile detailed health profiles that can include:

  • Prescription histories including medications, dosages, and refill patterns
  • Medical diagnoses and treatment records obtained from various sources
  • Fitness app data including workout routines, heart rate, sleep patterns, and GPS routes
  • Pharmacy purchases including over-the-counter medications and health products
  • Insurance claims and billing records
  • Wearable device data from smartwatches and fitness trackers

A landmark Duke University study revealed that data brokers openly sell sensitive mental health data, including information about individuals with depression, anxiety, bipolar disorder, and PTSD. This data was available for purchase with minimal vetting of buyers.

How Health Data Brokers Get Your Information

These companies use multiple channels to build comprehensive health profiles:

Health and Fitness Apps

Many health apps share data with third parties despite reassuring privacy policies. Period trackers, mental health apps, calorie counters, and meditation apps have all been caught sharing user data with brokers and advertisers.

Pharmacies and Loyalty Programs

Pharmacy loyalty cards and rewards programs track every purchase you make. This data, including prescriptions filled, health products bought, and visit frequency, can be shared with data brokers through partnerships and data-sharing agreements.

Insurance Companies

Health, life, and dental insurance companies may share de-identified claims data that brokers can re-identify by combining it with other data sources.

Wearable Devices

Smartwatches, fitness trackers, and connected medical devices transmit detailed biometric data. Many manufacturers monetize this information through data partnerships.

Public Records and Surveys

Health surveys, clinical trial registrations, and even social media posts about health conditions all feed the broker ecosystem.

The HIPAA Gap You Need to Know About

HIPAA only protects health information held by covered entities such as doctors, hospitals, and insurance companies. It does NOT cover health apps, fitness trackers, data brokers, pharmacies acting outside their provider role, or employers. This means the vast majority of your digital health data has zero federal protection.

Why Health Data Broker Activity Is Dangerous

The sale of health data creates serious real-world consequences:

  • Insurance discrimination: Life and disability insurers can use purchased health data to deny coverage or increase premiums based on conditions you never disclosed to them
  • Employment discrimination: Employers purchasing health data may make hiring or promotion decisions based on perceived health risks, even though this violates federal law in many cases
  • Targeted scams: Scammers purchase lists of people with specific conditions to run targeted fraud schemes offering fake treatments or cures
  • Personal embarrassment: Sensitive health conditions becoming publicly associated with your name can cause social and professional harm
  • Financial exploitation: People with chronic conditions are targeted with predatory financial products and overpriced supplements

Warning: Your Mental Health Data May Already Be for Sale

The Duke University study found that mental health data was available for purchase for as little as $0.01 per record. Brokers sold lists categorized by specific conditions including depression, anxiety, and substance abuse, with no verification of buyer intent. California enforcement actions in 2026 have targeted several brokers for illegally selling mental health records without consumer consent.

How to Protect Your Health Data

Take these steps to reduce your exposure to health data brokers:

1. Audit and Limit Health App Permissions

Review every health and fitness app on your phone. Revoke unnecessary permissions, especially location access, contacts, and data-sharing toggles. Delete apps you no longer use, as they may continue collecting data in the background.

2. Opt Out of Pharmacy Data Sharing

Contact your pharmacy and explicitly opt out of marketing and data-sharing programs. Major chains like CVS, Walgreens, and Rite Aid all have opt-out processes, though they rarely advertise them. Cancel pharmacy loyalty cards that track purchases.

3. Review Health App Privacy Policies

Before downloading any health app, check whether it sells or shares data with third parties. Look for apps that are HIPAA-compliant by choice, use end-to-end encryption, and have clear data deletion policies.

4. Exercise Your State Privacy Rights

Under CCPA and similar state laws, you have the right to request what data companies hold about you and demand its deletion. Send data access requests to health data brokers to understand your exposure. Several states now have specific health data privacy laws that go beyond CCPA.

5. Use PrivacyOn to Remove Your Data From Brokers

Manually opting out of dozens of health data brokers is time-consuming and must be repeated regularly as they re-acquire your information. PrivacyOn monitors over 100 data broker sites continuously and submits removal requests on your behalf, including brokers known to trade in health data. This provides ongoing protection rather than a one-time fix.

6. Minimize Your Digital Health Footprint

Use privacy-focused alternatives where possible. Consider tracking health metrics with offline-only apps, paying cash for sensitive pharmacy purchases, and using a VPN when accessing health-related websites to prevent tracking.

The Regulatory Landscape Is Changing

California enforcement actions in 2026 have resulted in significant fines against health data brokers operating without proper consumer consent. The FTC has also increased scrutiny of health apps that share data without adequate disclosure. Washington state and Connecticut have passed dedicated health data privacy laws that cover information HIPAA misses.

However, regulation alone will not protect you. The gap between what the law requires and what brokers actually do remains wide. Proactive steps to limit your data exposure remain essential.

Take Action Today

Health data is among the most sensitive information that exists about you. Unlike a credit card number that can be changed, your medical history is permanent. Taking steps now to remove your health data from broker databases and limit future collection is one of the most impactful privacy actions you can take.

Ready to remove your health data from broker sites? Try PrivacyOn today and start reclaiming your medical privacy.

Sarah Chen

Head of Privacy Research

CIPP/US Certified · IAPP Member · B.S. Computer Science

CIPP/US-certified privacy researcher with over a decade of experience helping consumers remove their personal information from data brokers.
