Who Really Owns All Your Health Data?

Sleep habits. Heart rates. Menstrual cycles. Weight fluctuations. Medication schedules. The location of major world leaders. Every morning, millions of people put on smartwatches, open period tracking apps, and upload their most intimate information to the cloud. We are told that this data will optimize our health and help us live better lives. But a darker question lurks beneath the surface: Who really owns all this information, and where exactly is the line between optimization and monitoring?

First: What HIPAA Really Protects

In discussing this topic with friends and family, almost everyone I know has assumed that their health data has strong federal protections under HIPAA (the Health Insurance Portability and Accountability Act). Unfortunately, they are wrong. HIPAA applies exclusively to “covered entities,” meaning health plans and health care providers. The activity tracker on your wrist? Not covered. The period tracking app on your phone? Not covered. The sleep monitor next to your bed? You see the picture.

“When we think we’re protected and we’re not, that’s when we’re in danger,” says Ron Zayas, online privacy expert and CEO of Ironwall by Incogni. “So when you let a company collect your health data, you can safely assume two things: 1) you are not covered by HIPAA protections. and 2) the company is going to sell your data.” The reason is simple: economic. Selling user information often generates more revenue than the product itself. Your health data is extremely personal, which makes it extremely valuable.

What happens when we don’t own our health data

I personally remember the time my friends and I frantically deleted period tracking apps after the Supreme Court overturned Roe v. Wade in 2022. What once seemed like simple tools for monitoring my cycle suddenly looked like potential evidence in criminal investigations. We were terrified that our menstrual data could be subpoenaed to prove that we had an abortion, and this fear was not paranoid. As Zayas explains, governments can buy the same data as anyone else and cross-reference it with mobile phone location information. “When you’ve had or missed your period, it can imply whether you’re pregnant or trying to get pregnant,” he says. “Governments can buy this information and link it to your recent travel to decide whether you had an abortion or miscarriage.”

At the same time, I like all kinds of health-related “optimizations”. I love sharing my runs on Strava and checking my sleep score on my Garmin. My vanities aside, health gadgets can provide life-changing benefits: blood sugar monitoring, heart rate variability tracking, detecting irregular sleep patterns. But what happens when that data shows you’re not exercising enough, eating poorly, or sleeping irregularly? Could your prices increase? Could you be denied coverage?

As with period tracking fears, the real concern here is that the same data streams that help you feel in control of your health — and that make your daily life more “optimized” — can be exploited for insurance profiling, targeted advertising, or even employment decisions, if data sharing policies are not strictly controlled. Let’s take a look at the fine print to see where exactly your data is going and what you can do to protect yourself.

The fine print that no one reads

Julia Zhen, third-party information security risk manager at a large nonprofit, says: “If you want to know what information is collected and/or stored (which are two separate acts), start with the privacy policy of the app itself.” On top of that, third parties like Google’s app store have their own terms of service, creating multiple data collection points to investigate.

Zhen recommends a shortcut: look for keywords like “sell” or “share” in privacy policies to quickly understand what’s happening to your data. “Most of the time, companies de-identify individuals from their data because they want to aggregate information and appeal to certain demographics,” she explains. This aggregation might still raise ethical issues, but according to Zhen, it is standard practice in the industry these days.

Using this strategy, Zhen says she has encountered privacy policies that openly admit to selling user data. And even when companies claim to anonymize information, the protection is not foolproof. Jacob Kalvo, cybersecurity expert and CEO of Live Proxies, says there are always long-term re-identification risks. Because even a giant like Apple can’t protect your data once you choose to share it beyond their ecosystem. Jake Peterson, senior technology editor at Lifehacker, says: “Apple has good privacy policies in place to keep your health data private, but if you choose to share it with outside sources, you will lose that control. » In other words, if you share medical data directly with a healthcare provider through the Health app and later delete it, Apple will no longer retain it, but you may not have control over the data your healthcare provider collects.

How to protect yourself in the age of digital health

Even if you trust a company’s privacy policy today, there’s another threat lurking: cybersecurity breaches. “The real risk we accept every day is hackers and cyberattacks,” says Zhen.

Hackers are sophisticated, and you can count on them to stay ahead of security developments. Even if companies don’t intentionally sell your data, they may be careless. Most privacy policies acknowledge that they are trying to protect against attacks, but violations are endemic in the technology sector. Your carefully guarded health information could be stolen and sold on the dark web, regardless of a company’s good intentions. Once your data is disclosed, it may be used outside of your control without any recourse.

When asked about period tracking apps in the current political climate, Zhen says these service providers “may be targeted by cyberattacks more often due to restrictive reproductive laws.” This is important to keep in mind across all platforms: what information are you willing to risk?

However, this does not necessarily mean abandoning health technologies completely. Experts agree on several protective measures:

• Read the damn privacy policy. Zhen’s advice is to go directly to the privacy policy for each data collection point and search for keywords like “sell” and “share.” Most policies include information about data retention and a contact email where you can request details of the information they hold on you.

• Understand what you are giving up. Before downloading an app, understand exactly what data it collects and why. When in doubt, assume the worst about every privacy policy.

• Practice good data hygiene. As a general rule, avoid giving out your cell phone number. Use alias email addresses that you don’t use elsewhere. Enable a VPN to hide your identity and location. Enable multi-factor authentication everywhere.

• Don’t overshare. Don’t give more information than you need for your purposes. Does the company need to know your exact date of birth, or just a year? Do they need to know where you live? Otherwise, don’t provide information or be afraid to lie when you can.

• Please remember that privacy policies do not constitute binding contracts. Companies generally reserve the right to change their terms at any time.

The essentials

The reality is that most people accept all sorts of risks related to data collection on a daily basis, because modern life demands it. My goal here is not to sow fear, but to help make informed choices in what is ultimately a calculated gamble.

If you’re the type of person who posts on social media, downloads apps to order takeout, and accepts the risk because it comes with the convenience of modern technology standards, then “downloading a reputable health measurement app will usually be fine, as long as the privacy policy doesn’t directly state that they’re selling your data,” Zhen says.

Then again, I would argue that your health data is more intimate, more permanent, and potentially more damaging than your food delivery history. In my opinion, we are conducting a massive, uncontrolled experiment in health surveillance, and we are all the test subjects. Technology offers real benefits: better health outcomes, earlier disease detection and personalized medicine. But we trade something valuable and poorly understood for these benefits: privacy, autonomy, and control over our most intimate information.

The question is not whether to use health technologies. For many people, the benefits are too great to ignore. The question is whether we make this choice with full awareness of what we are giving up and whether the companies that collect our data can be held accountable, if and when a judgment is made.