HIPAA Is Dead. Long Live the Data Brokers.
Data Brokers Have Outsmarted HIPAA—and Your Health Plan Is Paying for It
Let’s stop pretending.
HIPAA—the supposed guardian of medical privacy—isn’t protecting anything that matters anymore. Not your employees’ health data. Not your plan’s underwriting integrity. And certainly not your stop-loss renewal.
In fact, the law’s outdated definitions and narrow scope have created a gaping hole—one that data brokers, app developers, retail pharmacies, and even your stop-loss underwriter are sprinting through with glee.
And the worst part? This data dragnet isn’t just creepy—it’s making your health plan more expensive, less accurate, and more vulnerable to being rated and lasered based on guesswork.
The Lie We Tell Ourselves About HIPAA
We’ve been trained to think HIPAA is a magic shield. That as long as we keep names off spreadsheets and PHI out of email, we’re protected. That your employees’ conditions and drug regimens are locked behind firewalls unless they sign a release.
That’s adorable.
In reality, HIPAA only governs data that originates from or is transmitted between “covered entities”—your providers, health plans, or certain business associates. The second that same data leaks out through a coupon app, a pharmacy loyalty program, or a wellness platform?
It’s no longer protected. And it’s for sale.
How the Data Really Gets Out
Here’s how your employees’ most sensitive health information ends up in the hands of data brokers—and ultimately back to the people setting your premiums:
1. Discount Drug Apps
Your employee downloads a coupon app like GoodRx to save $80 on Skyrizi. The coupon works. What they don’t realize is they’ve just:
Linked their name and date of birth to a high-cost biologic
Confirmed their pharmacy location
Shared their IP address, email, and device ID
All of this is packaged up and sold to brokers who link that data to massive consumer identity graphs. This becomes a persistent health “fingerprint” tied to that person indefinitely.
2. Pharmacy Loyalty Programs
CVS and Walgreens collect full prescription histories through rewards accounts. While they can’t sell that data under HIPAA when it’s tied to your insurance, they can when it’s tied to a retail account—and they do.
Even without a name, when combined with ZIP, age, and fill data, that information is trivially easy to re-identify. And re-identified it is.
3. Health Apps and Wellness Tools
Think fertility trackers, symptom checkers, period apps, or diet logs. These platforms are almost never HIPAA-covered. But they often collect intimate health details—and sell them.
And yes, some of these apps have been caught piping that data to Facebook and Google for ad targeting. It’s all perfectly legal under current rules.
4. Public Records and Consumer Overlays
Even if health data is “de-identified,” brokers enrich it with voter files, real estate records, online behavior, and purchasing habits to reconstruct individual profiles.
If a 59-year-old male in 95819 filled Humira and lives at the only house on Elm Street with that profile… guess what? It’s not “anonymous” anymore. It is probabilistically tied to John Doe.
Two Disturbing Real-World Examples
A. The GoodRx Facebook Data Leak
In 2023, the FTC fined GoodRx $1.5 million for secretly sharing users’ prescription histories with Facebook, Google, and others. This included data tied to medications like PrEP, HIV antivirals, and antidepressants. The information was captured using embedded tracking pixels in GoodRx’s website and app—quietly transmitting the user’s drug regimen the moment they clicked Get Coupon.
No user gave explicit consent. None were notified. And none of this violated HIPAA—because the app simply wasn’t covered.
B. Selling Disease Lists for Pennies
Consumer data brokers have been caught selling deeply sensitive lists—including rape victims, individuals with HIV/AIDS, seniors with dementia, and even domestic violence shelter addresses, which are supposed to be confidential by law. These lists often include names, home addresses, income levels, and other personal details, bundled and sold to marketers looking to target people based on medical conditions, vulnerabilities, or behavioral health issues. Also for sale: lists of people struggling with addiction and even law enforcement officers' home addresses. The existence of these lists isn’t a data breach—it’s business as usual in America’s unregulated health data marketplace.
Enter the Stop-Loss Carrier
Now let’s connect the dots.
You send over a member-level census to quote stop-loss coverage. That census includes names, DOBs, ZIP codes, and gender. All perfectly reasonable. All necessary for underwriting.
But when your PPO or HMO refuses to release the actual claims data, the carrier turns to its data vendors. These brokers match your census against their enriched files—built from the apps, coupons, and loyalty programs your members used.
And voilà:
Member 003 has ESRD. (He filled Epoetin Alfa and had a GFR test last fall.)
Member 018 is flagged for HIV. (She’s on Descovy and had a viral load test in Q2.)
Member 111 is a transplant patient. (Tacrolimus refill + N18.6 diagnosis code from an earlier lab partner.)
All inferred. All without claims.
And now, your plan gets rated like it has a ticking time bomb—regardless of whether the data is accurate.
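As an added illustration (not part of the original post, and not any carrier's or vendor's code), here is the kind of pre-release check a plan sponsor could run on its own census before the file leaves the building. It measures k-anonymity on the quasi-identifiers the census carries (ZIP, birth year, sex), shows how a constructed "enriched" broker file would attach drug fills to members by exact match on those same fields, and then shows what coarsening the census to ZIP3 and decade of birth does to both numbers. Every record, ZIP code, member number and drug name below is a constructed placeholder, and the assumption that ZIP3 plus a 10-year band is still enough for a stop-loss quote is mine, not the page's.

```python
"""
Added example: k-anonymity and linkage self-check for a stop-loss census.
All data below is constructed sample data, not real members.
"""
from collections import Counter

# Constructed census, as a plan sponsor might send it: no names, no conditions,
# only the quasi-identifiers underwriters ask for.
CENSUS = [
    {"member": "001", "zip": "95819", "birth_year": 1966, "sex": "M"},
    {"member": "002", "zip": "95819", "birth_year": 1966, "sex": "M"},
    {"member": "003", "zip": "95819", "birth_year": 1966, "sex": "M"},
    {"member": "004", "zip": "95826", "birth_year": 1990, "sex": "F"},
    {"member": "005", "zip": "95826", "birth_year": 1991, "sex": "F"},
    {"member": "006", "zip": "95864", "birth_year": 1961, "sex": "M"},
]

# Constructed "de-identified" broker rows: no name, but the same
# quasi-identifiers plus a fill inferred from coupon/loyalty data.
BROKER_FILE = [
    {"zip": "95819", "birth_year": 1966, "sex": "M", "fill": "Humira"},
    {"zip": "95826", "birth_year": 1990, "sex": "F", "fill": "Descovy"},
    {"zip": "95864", "birth_year": 1961, "sex": "M", "fill": "Epoetin Alfa"},
    {"zip": "95864", "birth_year": 1961, "sex": "M", "fill": "Tacrolimus"},
]

QI = ("zip", "birth_year", "sex")  # quasi-identifier columns


def qi_key(row, keys=QI):
    """The tuple of quasi-identifier values for one row."""
    return tuple(row[k] for k in keys)


def equivalence_classes(rows, keys=QI):
    """How many rows share each quasi-identifier tuple."""
    return Counter(qi_key(r, keys) for r in rows)


def k_anonymity(rows, keys=QI):
    """Size of the smallest group sharing a QI tuple; k == 1 means someone is unique."""
    classes = equivalence_classes(rows, keys)
    return min(classes.values()) if classes else 0


def unique_members(rows, keys=QI):
    """Member ids whose QI tuple appears exactly once in the file."""
    classes = equivalence_classes(rows, keys)
    return [r["member"] for r in rows if classes[qi_key(r, keys)] == 1]


def linkage_hits(census, broker, keys=QI):
    """Fills a broker could attach to each member by exact match on the QI tuple."""
    index = {}
    for b in broker:
        index.setdefault(qi_key(b, keys), []).append(b["fill"])
    return {r["member"]: index.get(qi_key(r, keys), []) for r in census}


def generalize(row):
    """Coarsen the QI to ZIP3 and decade of birth (assumed still adequate for quoting)."""
    g = dict(row)
    g["zip"] = row["zip"][:3]
    g["birth_year"] = (row["birth_year"] // 10) * 10
    return g


def report(census, broker):
    """Before/after summary a plan sponsor could review prior to release."""
    coarse_census = [generalize(r) for r in census]
    coarse_broker = [generalize(b) for b in broker]
    return {
        "k_raw": k_anonymity(census),
        "unique_raw": unique_members(census),
        "hits_raw": linkage_hits(census, broker),
        "k_generalized": k_anonymity(coarse_census),
        "unique_generalized": unique_members(coarse_census),
        "hits_generalized": linkage_hits(coarse_census, coarse_broker),
    }


if __name__ == "__main__":
    for key, value in report(CENSUS, BROKER_FILE).items():
        print(f"{key}: {value}")
```

On the raw census three of six members are unique on (ZIP, birth year, sex), and the constructed broker file attaches two fills to member 006 with no ambiguity at all. After generalization no member is unique (k rises to 2), and the same broker rows now land on a group of four, which is the difference between "this person fills Tacrolimus" and "someone in this band might". The check does not stop an underwriter from buying enriched data, but it tells the sponsor, before the file goes out, how much of the linkage the census itself is enabling.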
This Isn’t Better Than Claims. It’s Worse.
This isn’t a clever workaround—it’s a liability.
Because when carriers don’t get actual claims data, they make underwriting decisions based on third-party guesses. Guesses built on incomplete, often outdated, and occasionally wrong data.
And if one of those guesses pegs a member with a $300,000 risk they don’t actually represent? Good luck undoing that laser. The quote is final. The data source is confidential. And the appeals process? Let’s just say it wasn’t built with employers in mind.
Instead of protecting privacy, HIPAA’s absurd patchwork:
Obstructs direct data sharing from plans to carriers
Pushes underwriters to rely on opaque, backdoor intel
Results in inaccurate pricing and unfair exclusions
No good deed goes unpunished.
HIPAA Was Built for a Fax Machine Era
Let’s not forget: HIPAA was passed in 1996. Pre-smartphone. Pre-WiFi. Pre-Amazon.
It was never designed to regulate apps, trackers, loyalty programs, or consumer data brokers. It doesn’t cover them. It doesn’t stop them. And it certainly doesn’t prevent your members’ health data from becoming part of a sellable identity package.
Today, it’s easier for a private equity fund or Wall Street-backed underwriter to buy insight into your employee’s health risks than it is for the employer to get a full claims file from a PPO.
That’s the world HIPAA created.
HIPAA Isn’t Just Useless—It’s Actively Hurting Us
This isn’t about paranoia or pixel tracking. This is about the law itself being outgunned and outdated.
As long as PPOs and HMOs can hide behind HIPAA to avoid releasing claims data, while shadow brokers quietly sell a shadow version of the truth to underwriters, employers will continue to be punished for someone else's backdoor surveillance.
HIPAA doesn’t protect your people.
It protects the system that profits off them.