A Multi-Billion Dollar Market Built on Your Medical History
Every prescription you fill, every diagnostic code assigned at a clinic visit, every fitness metric logged on a wearable device feeds a commercial data ecosystem worth an estimated $45 billion annually. The global health data market is projected to exceed $70 billion by 2027, according to analysis from Grand View Research. What most patients do not know is that they are simultaneously the product being sold and the consumer bearing the downstream costs of that sale in the form of higher insurance premiums, targeted pharmaceutical advertising, and opaque risk scoring that can affect employment and credit.
The architecture of this market is deliberately fragmented to avoid regulatory scrutiny. Hospitals sell de-identified encounter data to health information exchanges and analytics firms. Pharmacy benefit managers package prescription histories into longitudinal patient profiles. Insurers monetise claims data through subsidiary analytics divisions. Data brokers then acquire these streams from multiple sources, re-combine them, and sell enriched profiles to pharmaceutical manufacturers, actuarial firms, and marketers. The patient whose cancer diagnosis, antidepressant prescription, and gym check-in frequency flow through this pipeline typically has no visibility into any of these transactions.
Understanding who legally owns your medical records is the first step toward understanding why this market is so difficult to disrupt. The short answer is that healthcare providers own the physical or digital record, while you retain rights to the information it contains. That distinction creates a legal gap that data buyers have exploited for decades.
The Major Sellers: From Hospital Systems to Health Apps
IQVIA, formed by the 2016 merger of IMS Health and Quintiles, is the dominant player in the prescription data market. The company processes data on more than 85 percent of all prescriptions written in the United States, sourced through agreements with pharmacy chains, pharmacy benefit managers, and electronic health record vendors. IQVIA licenses prescriber-level data products to pharmaceutical sales organisations and integrates them into its Orchestrated Customer Engagement platform, so that drug representatives know precisely which physicians prescribe which medications and in what volumes. In 2023, IQVIA reported $14.98 billion in revenue, with a substantial portion derived from its technology and analytics segment built on this data.
Pharmacy benefit managers, including CVS Caremark, Express Scripts (owned by Cigna), and OptumRx (owned by UnitedHealth Group), sit at the intersection of pharmaceutical pricing and patient data. As the entities that process prescription drug claims for insurance plans, they accumulate longitudinal medication histories for hundreds of millions of patients. Their parent companies operate analytics subsidiaries that monetise this data, with the practice disclosed only in dense plan documentation that most people never read. OptumInsight, UnitedHealth Group's data and analytics arm, on its own generates revenue measured in billions of dollars a year.
Consumer health applications represent the fastest growing and least regulated segment of the market. Research published in the BMJ in 2019 found that 79 percent of the 24 top-ranked free medical apps on the Google Play Store shared user data with third parties. A 2021 study in JAMA Network Open examined 36 popular mental health apps and found that only 4 provided a privacy policy comprehensive enough to understand what data was collected. Period tracking apps including Flo Health, which reached a $1 billion valuation, settled with the Federal Trade Commission in 2021 after sharing user menstrual cycle data with Facebook and Google despite promising not to do so. The implications of this kind of disclosure became acutely apparent following the 2022 Dobbs v. Jackson Women's Health Organization Supreme Court decision, which prompted renewed scrutiny of how reproductive health data collected by apps could be subpoenaed in states that criminalised abortion.
What Buyers Do With Your Data: Advertising, Underwriting, and Discrimination
Pharmaceutical advertising is the most visible downstream use of health data. The United States is one of only two countries in the world that permits direct-to-consumer pharmaceutical advertising, and the targeting precision enabled by prescription data has transformed the industry. When a streaming service or website shows you an advertisement for a diabetes medication shortly after you searched for blood sugar monitoring supplies, this is not a coincidence. The advertising platform usually does not hold your prescription record; it holds behavioural signals and audience segments licensed from data brokers, from which a condition can be inferred with enough confidence to serve condition-specific advertising.
Insurance underwriting presents more serious risks. Although the Affordable Care Act prohibits health insurers from using medical history to set premiums in the individual and small-group markets, no such prohibition exists for life insurance, disability insurance, or long-term care insurance. A ProPublica investigation published in 2018 documented how life insurers were purchasing data from LexisNexis and Milliman IntelliScript, a prescription history database, to identify applicants with undisclosed medical conditions. Applicants were denied coverage or quoted unaffordable premiums based on prescription histories they did not know insurers could access. The practice is legal under current federal law; the main constraint is the Fair Credit Reporting Act, which requires an insurer that relies on such a report for an adverse decision to tell the applicant and identify the report's source, but does not stop the report from being compiled or used.
Employers represent a third category of buyers. Self-insured employers, which account for approximately 65 percent of covered workers in the United States, retain third-party administrators who process employee health claims. This creates an inherent conflict of interest: the employer paying claims is one step away from employees' medical information. HIPAA requires a firewall between the group health plan and the employer's personnel functions, and those rules bind the plan and its business associates, including the administrators and analytics firms processing claims on the plan's behalf. They do not reach wellness programme vendors and other services the employer contracts with directly rather than through the plan, which is where much of the biometric and lifestyle data now flows. A 2015 RAND Corporation study found that employee wellness programme data, including biometric screening results, was routinely accessible to HR departments.
The ongoing health data breach epidemic compounds these risks. Data purchased through ostensibly legitimate commercial channels can be combined with data exposed through breaches to reconstruct highly granular patient profiles. Once data leaves a covered entity through a lawful de-identification and sale process, it enters a commercial chain where the original HIPAA protections no longer apply.
The Legal Framework: Where HIPAA Ends and the Gap Begins
The Health Insurance Portability and Accountability Act of 1996 was designed to enable the electronic exchange of health information, not to serve as a comprehensive patient privacy law. Its Privacy Rule governs covered entities, defined as health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically, and (since the 2009 HITECH Act) the business associates that handle protected health information for them. Critically, HIPAA does not regulate the sale of de-identified data. The Safe Harbor method for de-identification requires the removal of 18 specific identifiers, including names; all geographic subdivisions smaller than a state, except the first three digits of a ZIP code where that area holds more than 20,000 people; and all elements of dates other than the year, with ages over 89 collapsed into a single "90 or older" category. The Expert Determination method instead allows a qualified statistician to certify that the risk of re-identification is "very small", a standard critics argue is insufficiently rigorous given modern computational capabilities and the volume of auxiliary data now available for linkage.
Research published in Nature Communications in 2019 (Rocher, Hendrickx and de Montjoye) estimated that 99.98 percent of Americans could be correctly re-identified in any dataset using 15 demographic attributes. Latanya Sweeney, then at Carnegie Mellon and now at Harvard, showed in 2000 that 87 percent of the U.S. population could be uniquely identified using only ZIP code, birthdate, and sex, and demonstrated the attack by linking a de-identified Massachusetts hospital discharge dataset to a public voter roll; a 2006 re-estimate by Golle put the figure at 63 percent, still a majority. These findings show that the legal architecture of de-identification provides substantially weaker protection than HIPAA's drafters intended, particularly as data from multiple commercial sources is combined. Understanding what HIPAA actually guarantees patients is essential to understanding why the current framework leaves so many commercial health data uses outside its scope.
The regulatory gap for non-covered entities is even wider. Fitness trackers, mental health apps, fertility apps, genetic testing services, and sleep monitors are not HIPAA-covered entities. Their data practices are governed primarily by their own privacy policies and the Federal Trade Commission Act, which prohibits deceptive and unfair trade practices but does not impose affirmative data minimisation or consent requirements. The FTC's 2021 enforcement action against Flo Health was, at the time, the agency's most significant health app privacy action. The resulting consent order carried no monetary penalty, because the FTC cannot impose civil penalties for a first violation of Section 5, and instead required Flo to obtain affirmative consent before sharing health data, to notify affected users, and to instruct the third parties that had received the data to destroy it, an instruction the FTC has no direct way to verify.
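The linkage attack behind these re-identification figures, and the effect of Safe Harbor generalisation on it, in a small added example. This is illustrative code written for this article, not code from any of the studies cited; every record in it is constructed, the voter roll is invented, and the reference date used for the over-89 age rule is an assumption. It joins a "de-identified" medical extract to an identified voter roll on ZIP code, date of birth and sex, first on the raw fields and then after both sides have been reduced to three-digit ZIP and year of birth.

```python
"""Linkage attack on a 'de-identified' medical extract, before and after
HIPAA Safe Harbor generalisation.

Added example, not from the original article. All records are constructed
for illustration; the attack is the quasi-identifier join (ZIP code, date of
birth, sex) behind the re-identification studies cited in the text."""
from collections import Counter, defaultdict
from datetime import date

QUASI_IDS = ("zip", "dob", "sex")
REFERENCE_DATE = date(2024, 1, 1)  # assumed 'today' for the over-89 age rule

# Constructed medical extract: names stripped, but full ZIP, full DOB and sex kept.
MEDICAL = [
    {"zip": "02138", "dob": date(1945, 7, 31), "sex": "F", "diagnosis": "C50.9"},
    {"zip": "02138", "dob": date(1982, 3, 14), "sex": "M", "diagnosis": "F32.1"},
    {"zip": "02140", "dob": date(1990, 11, 2), "sex": "F", "diagnosis": "Z34.0"},
    {"zip": "02141", "dob": date(1930, 1, 5), "sex": "M", "diagnosis": "I10"},
]

# Constructed public voter roll: identified, carrying the same three fields.
VOTERS = [
    {"name": "A. Example", "zip": "02138", "dob": date(1945, 7, 31), "sex": "F"},
    {"name": "B. Example", "zip": "02139", "dob": date(1945, 2, 10), "sex": "F"},
    {"name": "C. Example", "zip": "02138", "dob": date(1982, 3, 14), "sex": "M"},
    {"name": "D. Example", "zip": "02138", "dob": date(1982, 9, 1), "sex": "M"},
    {"name": "E. Example", "zip": "02140", "dob": date(1990, 11, 2), "sex": "F"},
    {"name": "F. Example", "zip": "02140", "dob": date(1990, 11, 2), "sex": "F"},
    {"name": "G. Example", "zip": "02141", "dob": date(1930, 1, 5), "sex": "M"},
    {"name": "H. Example", "zip": "02142", "dob": date(1928, 6, 20), "sex": "M"},
]


def quasi_key(record, fields=QUASI_IDS):
    """The tuple of quasi-identifiers an attacker joins on."""
    return tuple(record[f] for f in fields)


def k_anonymity(records, fields=QUASI_IDS):
    """Size of the smallest group sharing one quasi-identifier tuple (the k
    in k-anonymity). k == 1 means at least one record is unique."""
    return min(Counter(quasi_key(r, fields) for r in records).values())


def link(medical, voters, fields=QUASI_IDS):
    """Join the two datasets on the quasi-identifiers. A medical record is
    re-identified only when its tuple matches exactly one voter and exactly
    one medical record; anything ambiguous is left alone. Returns
    {voter name: diagnosis}."""
    med_groups, voter_groups = defaultdict(list), defaultdict(list)
    for m in medical:
        med_groups[quasi_key(m, fields)].append(m)
    for v in voters:
        voter_groups[quasi_key(v, fields)].append(v)
    hits = {}
    for k, meds in med_groups.items():
        matches = voter_groups.get(k, [])
        if len(meds) == 1 and len(matches) == 1:
            hits[matches[0]["name"]] = meds[0]["diagnosis"]
    return hits


def safe_harbor(record, as_of=REFERENCE_DATE):
    """Apply the Safe Harbor rules that touch these fields: dates reduced to
    year, ages over 89 collapsed into a single '90+' category, ZIP truncated
    to its first three digits. (Safe Harbor also requires '000' for 3-digit
    ZIP areas of 20,000 people or fewer; that census lookup is omitted here.)"""
    out = dict(record)
    dob = record["dob"]
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    out["dob"] = "90+" if age > 89 else dob.year
    out["zip"] = record["zip"][:3]
    return out


def attack_report():
    """Run the join on the raw extract and on a Safe Harbor version of both
    sides (the attacker can generalise the voter roll the same way)."""
    raw_hits = link(MEDICAL, VOTERS)
    gen_med = [safe_harbor(m) for m in MEDICAL]
    gen_voters = [safe_harbor(v) for v in VOTERS]
    gen_hits = link(gen_med, gen_voters)
    return {
        "raw_reidentified": raw_hits,
        "raw_voter_k": k_anonymity(VOTERS),
        "safe_harbor_reidentified": gen_hits,
        "safe_harbor_voter_k": k_anonymity(gen_voters),
    }


if __name__ == "__main__":
    for name, value in attack_report().items():
        print(f"{name}: {value}")
```

On the raw fields three of the four medical records link to exactly one voter; the fourth is protected only because two voters happen to share its ZIP, birthdate and sex. After Safe Harbor generalisation every quasi-identifier group in the voter roll has at least two members and nothing links. Two things the numbers make visible: the protection comes from how many people in the population share the generalised tuple, not from the medical extract itself (its own k stays at 1 before and after), and any further attribute retained in the release, which is exactly what the 15-attribute result in the text measures, splits those groups again and restores uniqueness.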
State Laws, Emerging Federal Proposals, and the Path to Systemic Reform
In the absence of comprehensive federal health data privacy legislation, states have moved to fill the gap with varying degrees of ambition. California's Consumer Privacy Act, strengthened by the California Privacy Rights Act of 2020, gives residents the right to know what personal information businesses collect about them, the right to request deletion, and the right to opt out of the sale of their personal information. The California Attorney General's office has taken enforcement actions against several companies under these provisions. Colorado's Privacy Act and Virginia's Consumer Data Protection Act contain similar provisions. Washington state enacted the My Health, My Data Act in 2023, which extends privacy protections to health data collected by entities not covered by HIPAA and creates a private right of action, allowing individuals to sue companies for violations.
At the federal level, the Health Data Use and Privacy Commission Act has been introduced; rather than setting a standard itself, it would establish a commission to study how health data is used outside HIPAA and recommend a national framework, including stronger de-identification requirements. The American Data Privacy and Protection Act, the most recent comprehensive federal privacy bill to advance in Congress, included health data provisions but stalled in 2022 over preemption disputes with California. The Federal Trade Commission under Chair Lina Khan signalled a more aggressive posture toward health data misuse: a 2021 policy statement confirmed that the Health Breach Notification Rule applies to health apps and connected devices, and 2022 statements on sensitive data made clear that the agency would use its Section 5 authority against harmful health data practices even outside the HIPAA framework.
Emerging technologies offer both new risks and new tools for patients. Blockchain-based systems and decentralised data architectures propose to give patients cryptographic control over who accesses their health data and under what conditions. The premise underlying these approaches is that patients should be able to grant and revoke access to specific data fields for specific purposes. Two caveats apply to any such design: a ledger provides integrity and an audit trail, not confidentiality, so the records themselves must be encrypted and held off-chain with keys the patient controls; and an immutable ledger sits awkwardly with deletion rights such as those in the CCPA and Washington's My Health, My Data Act, so revocation has to mean cryptographic revocation of access rather than erasure of history. Exploring how decentralised health data systems could shift control back to patients illustrates why the technical architecture of health data storage matters as much as the legal framework governing its use.
What Patients Can Do Now: Practical Steps to Limit Data Exposure
Despite the breadth of the commercial health data market, patients have actionable options to reduce their exposure. The first step is exercising HIPAA rights that most patients do not know exist. Under the Privacy Rule, you have the right to request restrictions on disclosures of your protected health information. While providers are not obligated to agree to all restrictions, they must honour a request not to disclose a service to your health plan for payment or healthcare operations when you pay for that service out of pocket in full. You also have the right to an accounting of disclosures, which lists the entities to whom your provider has disclosed your information in the preceding six years; the first request in any 12-month period is free. One caveat limits its usefulness: the accounting excludes disclosures made for treatment, payment and healthcare operations, and disclosures you authorised, so it will surface public-health, legal and research releases but not routine billing flows. It can still reveal data sharing arrangements that are not obvious from a provider's standard privacy notice.
For prescription data specifically, the available opt-out belongs to the physician rather than the patient. The American Medical Association's Physician Data Restriction Program lets a physician request that their prescribing data not be released to pharmaceutical sales representatives for marketing purposes, and a patient can ask their physician to enrol. This does not stop the sale of de-identified prescription data, and there is no equivalent patient-level opt-out, but it removes the physician-prescription linkage that makes the data most commercially valuable for sales targeting.
Consumer health applications warrant the most scepticism. Before installing any health app, review its privacy policy specifically for clauses about data sharing with third parties, advertising networks, and business partners. Look for explicit statements about whether the app shares data with data brokers or analytics platforms. Audit the permissions requested by installed health apps and revoke access to contacts, location, and device identifiers where they are not clearly necessary for the app's core function. California, Colorado, Virginia, and Washington state residents can submit data deletion and opt-out-of-sale requests to data brokers under applicable state law. Services including Privacy Bee and DeleteMe automate this process across hundreds of data brokers, though they come with subscription costs.
For patients managing chronic conditions or sensitive health matters, the choice of where to receive care and which technologies to use carries real privacy consequences. Telehealth platforms, mental health apps, and genetic testing services operate under substantially weaker legal protections than traditional healthcare providers. Understanding which entities are HIPAA-covered and which are not before sharing sensitive health information is a practical harm-reduction measure available to every patient today, while the legislative and regulatory frameworks needed to protect everyone continue their slow development.