As a graduate student in digital marketing, Rachel Cipriano, 46, knows just how much of her data is likely being collected online.
Consumers leave digital footprints with every online purchase, Google search, take-out order or streaming binge. Where we live, how much money we earn, and whether or how much we smoke, drink, exercise, eat, travel or experience mental health challenges may all be in the public domain — even if we don’t realize it.
“Any time you search anything on the web — and we all search personal things — that is being tracked by some algorithm,” said Sharona Hoffman, professor of law and bioethics and co-director of the Law-Medicine Center at the Case Western Reserve University School of Law.
Even conversations that we think are private can leave a trail of personal data. Microphones on phones, TVs and other internet-connected devices are always listening, according to Heather Mahalik, faculty fellow at the SANS Institute, a training organization for cybersecurity professionals.
“Do you ever notice how what you say to a friend in jest is then in your TikTok feed or you get an ad for something associated on Facebook or Instagram?” Mahalik said.
If advertisers can access so much personal information, what data are health insurers using and what are they using it for? Legal restrictions prevent health insurers from raising rates or denying coverage based on our data, but that doesn’t mean they aren’t finding creative ways to legally use our data to serve their own business interests.
The volume of consumer data in the public domain is growing exponentially, and companies are finding legal ways to mine and use it, according to Hoffman.
“There’s a lot of information available to insurers and they are understandably very motivated to have it,” she said.
Algorithms can identify which data points might predict future healthcare needs and costs. For example, people who belong to gyms or shop at health food stores are expected to be healthier and, in turn, to cost health insurers less to cover. Insurers can use those predictions to set higher or lower rates for an employer group, not an individual.
Allison Hoffman, professor of law at the University of Pennsylvania Law School and no relation to Sharona Hoffman, says insurers use this data to identify employers likely to have healthier employees.
“I think most of the efforts to cherry pick healthier people or to discourage the less healthy and more expensive ones have gone underground,” she said. “Insurers design plans to appeal to particular people or market in ways that attract some and discourage others.”
For example, insurers can set higher copayments on services that they expect sicker people would use and offer benefits, such as gym memberships or discounts on healthy foods, that might attract healthier, fitter people. Or, they might choose when and where to advertise to reach people likely to be healthier.
This data is increasingly easier for insurers to get because there are a growing number of data brokers who gather, organize and sell it to them. And this process of aggregating and selling consumer data is legal.
“There are people that argue it should be very regulated, but it’s not right now,” Sharona Hoffman said.
Data mining can be beneficial if it’s used to improve healthcare quality or measure treatment effectiveness, offer lower rates to healthier groups, or to help people manage their health.
“There has been a lot of effort to tailor care to individuals and to follow up to make sure people are complying with medical recommendations,” Allison Hoffman said.
But many consumers don’t want this type of “help” with their health at the expense of losing their sense of privacy.
Though many people’s biggest fear is that their health insurer or their employer might use their health or other personal data to raise their rates or deny services, that’s technically not allowed. Consumers are protected by several laws, including:
The Health Insurance Portability and Accountability Act (HIPAA) prohibits healthcare providers from sharing health information without your consent with anyone who isn’t involved in your care. The Affordable Care Act (ACA) prevents health insurers from using health data to charge individuals higher rates. The Americans with Disabilities Act (ADA) prevents discrimination against people with disabilities, which means employers can’t penalize employees if they find out that they have specific healthcare needs that would constitute a disability.
Despite these legal protections, there are limits to consumer privacy rights.
“Health information that a patient makes public on social media is not protected by HIPAA privacy laws in that context,” said Pam Dixon, executive director of the World Privacy Forum, a nonprofit agency focused on consumer privacy. “Insurance companies have denied claims in some cases based on data revealed on social media by the patient themselves.”
Employers can also use individual health data if they have employee consent.
Cipriano once worked for a company that required employees to get biometric screenings for indicators such as weight, blood pressure and blood sugar. If the employee didn’t score in the desired range — or if they refused to be screened — they’d automatically be charged higher health insurance rates.
Cipriano opted in to the screening but says it felt like an invasion of privacy.
Some amount of data exposure is inevitable given how dependent we all are on technology. Still, experts urge caution with personal data.
“Consumers should know that any data they reveal online might be discovered for health insurance or employment purposes in the future,” Allison Hoffman said. “Even more if the information they share is genetic, or might be, [because] they are exposing family members as well.”
Mahalik says consumers need to take data security into their own hands. She herself tracks the permissions she gives and says not all apps need to access your location, microphone or camera.
“Be aware when you install something and what is being asked of you. If it doesn’t make sense, don’t allow it,” Mahalik said. “Leverage private browsing, know how to clear your history and make sure you secure what is precious to you — your data!”
Dixon encourages people to keep health conversations off of social media. When making purchases, she says, use cash and avoid using loyalty cards.
Sharona Hoffman stays off Facebook and urges consumers to be careful what they post on social media. Sophisticated data miners can use almost anything you do or say online.
“When you have a choice about whether they can use your data for anything other than the particular purpose, say no,” Sharona Hoffman said. “When you have choices, make them carefully.”