Last week, the Minnesota Department of Human Services notified nearly 304,000 people of a data breach involving a healthcare provider who accessed information inappropriately from a vendor-managed IT system. Meanwhile, in 2025 there was, on average, a breach of more than 125,000 individuals’ health records every single day – counting only HHS-reported incidents.

However, these incidents barely scratch the surface of the privacy crisis in healthcare. In this post, we’ll explore how existing privacy laws in the US fail to adequately protect individuals’ sensitive health information, and the steps responsible businesses should take to ensure the security and confidentiality necessary to protect individuals’ health outcomes and personal welfare.

The importance of health data privacy

Privacy and confidentiality are essential to effective healthcare and improved health outcomes. They underpin the trust between individuals and their care providers that is crucial to full disclosure of health concerns.

Where this breaks down and trust is broken, individuals are less likely to feel safe disclosing certain information – even in a healthcare setting – which undermines providers’ ability to accurately assess patients and diagnose conditions. As a result, treatment may be compromised, leading to poorer overall health and wellbeing. For some groups – for example, those seeking abortion, undocumented individuals or non-hetero people – exposure of certain types of information can lead to abuse or criminalization.

Adequate privacy protections can improve health equity, access and overall wellbeing. A lack of them, however, disproportionately harms marginalized communities who already experience lower-quality healthcare and worse health outcomes, according to a recent report from the Electronic Privacy Information Center (EPIC).

The growing market for health information

The digitalization and commercialization of health information has far exceeded the original scope of federal laws designed to protect it. In the US, HIPAA was enacted in the late 1990s to protect digital sharing of traditional medical records. Meanwhile, HITECH, enacted in 2009, encouraged further transition to electronic health records (EHRs). The updated legislation brought in additional breach notification requirements and expanded coverage to include business associates of healthcare providers.

However, the last decade has seen a vast expansion of commercial products and services collecting, processing and selling protected health information (PHI): for example, genetic testing and ancestry companies, and wearables, apps and smartphones that collect individuals’ health, activity and biometric data. These expanded use cases typically fall outside the scope of existing healthcare legislation, such as HIPAA and HITECH, and lack the protections it offers.

What happens when privacy protections fall short

Beyond the harms wrought by a lack of patient trust in healthcare providers, the lack of protection for sensitive health information outside the scope of current legislation is far-reaching.

As consumer users of apps, smartphones and wearables, we give organizations access to vast amounts of personal and biometric information, and many of those organizations work with data brokers and other profiling agencies. In general, this data is aggregated into very detailed user profiles that – even excluding specific health information – can provide insight into an individual’s personal health status.

Specifically relating to medical data, these aggregated profiles can be used by organizations for surveillance pricing – where the prices offered to individuals vary based on their profile – including for medical devices and supplies.

Outside healthcare settings, the ramifications of sensitive disclosures can be even more impactful. From marginalized groups and underserved communities to victims of data breaches, exposure of this data can result in both physical and emotional harms. 

Data brokers and the companies that profile us (especially for the purpose of targeted advertising) exploit our health data to manipulate us into buying more—and more expensive—products and to charge us more for care.

Hidden tracking is also routine across the web, beyond the reach of HIPAA and other tracking-technology controls. In 2022, more than a third of the top 100 US hospitals were found to be using the Meta Pixel – which isn’t blocked even when cookies are – transferring patient data to Facebook for the purposes of targeted advertising.

The limited scope of legislation like HIPAA and HITECH fails to protect the privacy of sensitive biological data and health information when it is shared through web services such as online genetic testing, blood testing facilities and menstrual tracking apps. Following the bankruptcy of 23andMe, the lack of legislative protection became starkly apparent.

As with many organizations processing this kind of data, the only protections individuals have are those contained in the company’s privacy policy and terms of service – which the company reserves the right to change at any time.

Beyond HIPAA: Steps for responsible data management

Without centralized regulation, it is an organization’s responsibility to ensure they are adequately protecting the security, confidentiality and privacy of consumer health information – regardless of HIPAA covered-entity status.

State-level privacy laws provide variable protection and demand a range of requirements from organizations, but all cover health information within the scope of personal information and, for some data types, sensitive personal information subject to more stringent controls.

Responsible business practices are essential to patient care, health equity and accessibility, and most of all protecting individuals’ long-term health outcomes.

These practices must include:

  • Data minimization – limiting the collection, processing and retention of personal information to only what is necessary to provide the requested service.

  • Data segmentation – separating certain categories of data from the rest of a patient record, and limiting access to data whose disclosure could harm the individual.

  • Treat inferred data as protected information – health-related inferences should be protected as PHI, including data extrapolated from non-health information and data generated by AI/ML models. Identifying this information relies heavily on surrounding context, but it nevertheless reveals health data about an individual.

  • Privacy-first AI models – the training data for most public and many private AI models contains personally identifying information such as names, phone numbers, addresses, photos, location data and health information. With the right prompts, these models are vulnerable to ‘leakage’ of this underlying training data, resulting in its unauthorized disclosure.
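As an added example that is not part of the original post, the following Python sketch combines the data minimization, data segmentation and inferred-data practices above: a purpose-of-use policy decides which fields leave a patient record, segmented categories are released only where the purpose is explicitly allowed to see them, and values that would reveal a segmented category by inference are withheld as well. The policy, inference rules and patient record are constructed for illustration and are not a regulatory or clinical standard.

```python
# Purpose-based minimization of a patient record with segmented categories and
# inference control. Constructed policy and sample data, for illustration only.

# Categories kept apart from the main record and released only to purposes
# explicitly allowed to see them (constructed list).
SEGMENTED = {"reproductive_health", "mental_health"}

# Purpose of use -> plain fields it needs, and segmented categories it may see.
PURPOSE_POLICY = {
    "billing": {"fields": {"patient_id", "insurance_id", "visit_date", "medications"},
                "segments": set()},
    "treating_clinician": {"fields": {"patient_id", "visit_date", "diagnoses", "medications"},
                           "segments": SEGMENTED},
}

# Non-segmented values from which a segmented category could be inferred
# (constructed mapping, not clinical guidance).
INFERENCE_RULES = {"medications": {"sertraline": "mental_health",
                                   "mifepristone": "reproductive_health"}}

SAMPLE_RECORD = {  # constructed sample, not real patient data
    "patient_id": "P-0001", "insurance_id": "INS-42", "visit_date": "2025-06-01",
    "diagnoses": ["hypertension"], "medications": ["lisinopril", "sertraline"],
    "reproductive_health": {"note": "counselling visit"},
    "mental_health": {"note": "follow-up scheduled"},
}

def minimized_view(record, purpose):
    """Return (view, withheld): the fields the purpose may receive, plus a map of
    withheld field -> reason. Inferences count as protected, so values that
    reveal a segmented category the purpose may not see are dropped as well."""
    policy = PURPOSE_POLICY.get(purpose)
    if policy is None:
        raise PermissionError(f"no policy defined for purpose {purpose!r}")
    view, withheld = {}, {}
    for field, value in record.items():
        if field in SEGMENTED:
            if field in policy["segments"]:
                view[field] = value
            else:
                withheld[field] = "segmented category not released for this purpose"
        elif field not in policy["fields"]:
            withheld[field] = "not needed for this purpose"
        else:
            rules = INFERENCE_RULES.get(field, {})
            items = value if isinstance(value, list) else [value]
            kept = [i for i in items if rules.get(i) in (None, *policy["segments"])]
            if len(kept) != len(items):
                withheld[field] = f"{len(items) - len(kept)} value(s) reveal a segmented category"
            if kept:
                view[field] = kept if isinstance(value, list) else kept[0]
    return view, withheld
```

Running `minimized_view(SAMPLE_RECORD, "billing")` returns only the billing fields and strips the medication that would reveal the mental-health segment, while the `withheld` map gives an auditable reason for every field not released.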

Foundational to these practices is a clear understanding of what health-related information is captured and stored

Ultimately, confronting today’s healthcare privacy crisis starts with a far more fundamental question:

Do you actually know what data you hold?

For both HIPAA‑regulated entities and the many organizations operating outside its scope, meaningful privacy protection is impossible without a clear, continuously updated understanding of where sensitive health information lives and how it flows.

Robust data discovery and classification – delivered by Ground Labs’ Enterprise Recon – provide the foundation for minimizing unnecessary data, segmenting and safeguarding high‑risk information, cleansing unnecessary and obsolete data, and ensuring AI models are trained on responsibly governed datasets.

From this base of accurate, actionable insight, organizations can not only reduce breach risk and comply with complex regulations, but also restore trust, strengthen health equity and ensure the safety of every individual whose PHI they touch.

To find out how Ground Labs can help your organization, request a demo or book a call with one of our experts today.