At a glance.
- Trading health data for profit.
- Give your valentine a nice cup of tea instead.
Trading health data for profit.
Health data has become a hot commodity among data brokers, and a recent report by Duke University’s Sanford School of Public Policy illustrates how the market for individuals’ medical information flourishes. Researcher Joanne Kim reports that a simple request for health data led her to eleven companies willing to sell bundles of medical data that included sensitive details like what antidepressants people were taking, whether they struggled with insomnia, and details about medical issues like bladder-control difficulties. Some brokers included personally identifiable data complete with names, addresses, and even incomes attached. Justin Sherman, a senior fellow at Duke who headed the research team, says, “Health data is some of the most sensitive data out there, and most of us have no idea how much of it is out there for sale, often for just a couple hundred dollars.” As the Washington Post explains, the sale of health data falls into a legal gray area; the Health Insurance Portability and Accountability Act (HIPAA) restricts how covered health entities share Americans’ health data, but the law doesn’t protect that info if it’s shared with other entities like web platforms. Online pharmacies, therapy apps, and telehealth services have made the digitization of American health data commonplace, and the trading of this data has gone largely unregulated. However, there have been signs of government intervention as of late. Earlier this month the Federal Trade Commission negotiated a $1.5 million civil penalty from the online prescription-drug service GoodRx, which was found to be collecting data, for use in targeted marketing campaigns, on users who had purchased certain medications. An FTC spokesperson stated, “digital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information.”
Give your valentine a nice cup of tea instead.
Pepsi Bottling Ventures LLC, America’s largest bottler of Pepsi-Cola beverages, experienced a data breach caused by a December network intrusion. The attackers installed information-stealing malware and extracted data including full names, home addresses, financial account information, ID card and driver’s license numbers, and Social Security numbers. The impacted individuals are being notified, but Bleeping Computer notes that it’s unclear at this time exactly how many people were affected and whether they were customers or employees. According to a sample security incident notice filed with the Montana Attorney General's office, the incident occurred on December 23, 2022, but wasn’t discovered until eighteen days later, and it took another nine days to completely shut out the intruders. All impacted systems have been suspended from the company’s regular operations while an investigation continues. In the meantime, Pepsi has implemented additional network security measures and reset all company passwords.