Full Report
A new EPIC report says data brokers, ad-tech surveillance, and ICE enforcement are among the factors leading to a “health privacy crisis” that is eroding trust and deterring people from seeking care.
Analysis Summary
# Main Topic
A "health privacy crisis" driven by data brokers, ad-tech surveillance, and direct enforcement actions by Immigration and Customs Enforcement (ICE), which is eroding public trust and actively deterring individuals from seeking necessary medical care.
## Key Points
- The crisis stems from outdated privacy laws and the proliferation of digital systems enabling health-related information to be tracked, analyzed, and accessed by commercial entities and government agencies.
- Health data routinely escapes medical settings and is repurposed for surveillance and enforcement, leading to delayed treatment and worsening health outcomes.
- The unregulated market for selling, aggregating, and reselling personal health information by data brokers is identified as a central driver.
- Data collected outside traditional healthcare settings (apps, websites, location tracking, online searches) is being used for advertising, insurance risk scoring, or government surveillance without patient knowledge.
- Large technology companies are central actors, embedding surveillance tools across health, advertising, and data brokerage ecosystems.
- Concerns were specifically raised regarding ICE agents occupying hospital areas (ERs, waiting rooms) and potentially impeding treatment or eavesdropping on patient-clinician conversations.
## Threat Actors
- **Data Brokers:** Commercial entities engaged in trafficking and reselling personal health information.
- **Ad-Tech Ecosystems (e.g., Google's ad-tech platform):** Entities that utilize or circulate sensitive health data segments for advertising purposes.
- **Immigration and Customs Enforcement (ICE):** Government agency actively interfacing with healthcare settings for enforcement actions, contributing to patient deterrence.
- **Hospitals/Healthcare Providers:** Entities implicated through the use of tracking tools (like Meta Pixel) on their websites, potentially violating existing privacy standards.
## TTPs
- **Data Harvesting and Resale:** Data brokers illegally aggregating and reselling identifiable health information (diagnoses, treatments, medication details, facility visits).
- **Ad Targeting with Sensitive Data:** Using third-party brokers to target consumers based on sensitive health indicators (e.g., chronic illness) despite platform rules against it.
- **Website Tracking:** Implementing third-party tracking tools (e.g., Meta Pixel) on hospital websites which transmit sensitive information like search terms (e.g., "pregnancy termination") and appointment details alongside IP addresses.
- **Physical Surveillance/Intrusion:** ICE agents entering and occupying emergency rooms, waiting rooms, and lobbies, allegedly listening to clinician-patient conversations and blocking treatment.
## Affected Systems
- **Data Broker Ecosystems:** The system through which health data is bought, aggregated, and resold.
- **Ad-Tech Platforms:** Specifically noted is the use of Google’s advertising ecosystem for improper health targeting.
- **Hospital/Clinic Websites:** Websites using tools like the Meta Pixel for tracking patient behavior during scheduling or research.
- **Healthcare Delivery Environment:** Physical spaces such as Emergency Rooms and hospital lobbies subject to governmental enforcement presence.
## Mitigations
- **Regulatory Reform:** The report suggests addressing the crisis requires federal data privacy legislation to govern data handling beyond HIPAA scope.
- **Data Minimization/Control:** Limiting the ability of health data to be harvested, sold, and used outside of patient control.
- **Enforcement Oversight:** Stronger limitations on government agency (ICE) intrusion into protected medical settings.
- **Internal Audits:** Healthcare providers should review third-party tracking embedded on their digital properties (websites/portals) to ensure compliance and prevent unauthorized data disclosure (e.g., checking for Meta Pixel usage).
## Conclusion
The health privacy crisis is multi-faceted, involving sophisticated commercial data exploitation concurrently with direct governmental presence in medical facilities. The primary threat assessment is that fear of exposure (whether through data sales or law enforcement interaction) is causing individuals to avoid necessary care, leading to negative public health outcomes. Immediate actions should focus on scrutinizing third-party data sharing practices by healthcare entities and advocating for strengthened federal privacy legislation to close gaps exploited by data brokers and ad-tech surveillance.