So-called “data brokers” are selling Americans’ personal health information to marketers, according to a new report from the Senate Commerce Committee. During a Senate hearing on the issue on Wednesday, representatives from privacy groups warned that some companies have even collected lists of rape victims, people suffering from depression and dementia, and HIV-positive individuals.
“There are consumer list brokers that sell lists of individually identifiable consumers grouped by characteristics. To our knowledge, it is not practically possible for an individual to find out if he or she is on these lists,” Pam Dixon, the executive director of the World Privacy Forum, explained to the Senate committee in her testimony. “If a consumer learns that he or she is on a list, there is usually no way to get off the list.”
Dixon identified at least one data broker, Medbase200, that sells lists of rape victims and domestic violence victims. Another one, Equifax, tracks how often women visit their gynecologist. Other big companies track sensitive medical information like diagnoses of anxiety, depression, high blood pressure, and diabetes. In some cases, the lists revealed contact information that’s not allowed to be made public, like the addresses of domestic violence shelters and the homes of police officers.
“This is where lawmakers can work to remove unsafe, unfair, and overall just deplorable lists from circulation,” Dixon pointed out. “There is no good policy reason why unsafe or unfair lists should exist.”
Because this list-building typically falls outside the privacy laws that prevent medical professionals from disclosing sensitive health information, there’s no current legal framework to prevent it. Health-related data mining has been of increasing concern to the Federal Trade Commission, which has called on data brokers to be more transparent about the type of information they’re collecting. The Senate first launched an investigation into this issue last year.
“Current federal law does not fully address the use of new technologies, despite the fact that social media, web tracking, and mobile devices allow for faster, cheaper and more detailed data collection and sharing among resellers and private-sector entities,” the Senate’s report concludes, calling for more oversight in this area.
The revelations at this week’s hearing are already having an impact on the data mining industry. After the Wall Street Journal contacted Medbase200 to ask about the data it collects on victims of sexual assault and domestic violence, the company removed the lists from its website. A spokesperson from Medbase200’s parent company told the Wall Street Journal that the company never intended to sell any list entitled “rape sufferers,” and it was simply part of a “hypothetical list of health conditions/ailments” used for an internal test.