This article is part of an ongoing series examining the implications of the overturning of Roe v. Wade on the pharmaceutical industry.
Companies in the data brokerage industry have been accumulating and selling treasure troves of information on pregnant women for years. These adtech players, unsurprisingly, say they are on the right side of the law. But with the potential for health data abuse higher than ever in the wake of the Dobbs v. Jackson Women’s Health Organization ruling, privacy experts say it may be time to rein in their most perversely patient-centric efforts.
Data aggregation is an industry made up of hundreds of smaller brokers. Among their products, many of them sell datasets on expectant parents, from their purchase history to the expected date of birth. These vendors craft product offerings that abortion rights activists warn are likely to be weaponized by states banning abortion.
The data has become a political issue, with various congressional Democrats trying to pressure brokers to curb the practice. Despite politicians’ wishes to question companies about their practices and the introduction of bills to exempt reproductive health data from what is allowed to be collected and sold, aggregators themselves are largely standing.
“As far as I know, there is no law today prohibiting prenatal mailing lists,” said an executive at NextMark, an online directory that hosts data broker marketing mailing lists, according to Politico. “If this were to change and this type of data became illegal, we would work with the providers to remove these listings.”
Politico found more than 30 list brokers, such as Exact Data and PK List Marketing, offering information about expectant parents or selling access to such people through mass emails.
On the legality of these practices, Eric Perakslis, scientific and digital director of the Duke Clinical Research Institute and professor at the Duke School of Medicine, said NextMark was on safe ground. “They’re not wrong about that,” he added.
Nor are aggregators and brokers solely responsible. Health data is usually sold to them from upstream sources, such as hospitals, tertiary care facilities, laboratories or MRI centers. These institutions obtain patient data on the basis of a business associate agreement, which does not prevent them from selling it under the Health Insurance Portability and Accountability Act as long as it is anonymized, noted Perakslis.
“When you look at the provenance or the chain of custody of the data, an argument made by many aggregators is, ‘If this is so problematic, why are people selling this data to us?'” he explained. “Shouldn’t they sell it if that’s a problem? They’re the ones who collected it.”
Often, they don’t even buy health data per se, but rather infer pregnancy status through other means.
“A lot of these data brokers aren’t as sophisticated as you think they are,” said Mark Kapczynski, senior vice president of strategic partnerships for privacy firm OneRep. “The reality is they’re just hustling.”
That is, aggregators just want to pool data and sell it as fast as possible. “They don’t really care if it’s 100% accurate or not. It’s none of their business,” Kapczynski continued. “As long as they’re close enough, people will buy it. And that’s what they do.”
They also don’t necessarily buy personal health information, which is regulated by HIPAA. Instead, they can secure demographic data from people-finder sites (think Spokeo, MyLife, Intelius, or Instant Checkmate) or make assumptions about pregnancy status based on publicly available marriage records.
Kapczynski explained how it works: “Each state tracks records of when someone is expected to be pregnant or the typical pregnancy rate in their state. If you look up a state, say New Mexico, it’s 2.3 years after marriage that a person gives birth. So now I don’t need to know if your wife is pregnant or not. I don’t need to check the facts. I just need to know when you’re getting married.”
As a result, brokers can model when people “should be” pregnant, Kapczynski added. “So, actually, you don’t even have to be specific. You just need to be close.”
Aggregators can also buy marketing data that identifies shopping habits and use it to infer pregnancy status. It played out in the now infamous “Target episode,” in which the retailer identified, by analyzing its own transaction records, that a teenage girl was pregnant, then began messaging her.
Data brokers, for their part, claim that what they provide is a “beneficial resource” for expectant mothers: they offer new parents discounts on basics like diapers and formula. But while this information may be useful to marketers, aggregating and triangulating many different data points about parents can have legal ramifications.
Consider the case where text messages and search histories were used by law enforcement to enforce abortion laws. Or one in which digital evidence was leveraged to secure a conviction for feticide against a woman for illegally inducing her own abortion.
The concern isn’t just that the data could be used by prosecutors in states where abortion is illegal to identify people who terminate their pregnancies. Prosecutors could subpoena data on pregnant women in the state and combine it with location data from another data broker to determine that a person crossed state lines to an abortion clinic.
Some of the mailing list providers say they would not allow their lists to be used for campaigns for or against abortion rights. Perakslis rejects the idea that brokers retain absolute control over their own databases.
He pointed out “the mass of what is created and the amount of data that can end up on the dark web. You’re building something really big and it’s getting really appealing to state actors, compared to simple criminals. And the data is so untraceable that I don’t even know if these people would know it was hacked.”
From a cyber risk perspective, aggregated consumer databases can just as easily be used by malicious actors as they can be used for good. Data aggregators “return no value for their data, but they create risks for people,” Perakslis observed. So, while not strictly illegal, the collection and trade of pregnancy data raises ethical concerns.
Lawmakers have been talking for years about adopting some form of data privacy regulation, and two recent proposals would specifically block the collection of health-related data. Senator Ron Wyden introduced the My Body, My Data Act of 2022 to limit the collection of reproductive health data. A bipartisan bill, the American Data Privacy and Protection Act, was moved out of committee on July 20. But the bills have little support from Democrats and “are not expected to gain broader support,” Politico reported.
Placer.ai, a location data company, once offered data visualizations showing where visitors to Planned Parenthood facilities live. But the company stopped providing data on abortion clinics after an article in Vice discovered its practices, just like the data broker SafeGraph. Data giant Experian did the same in 2016.
But these examples are not the norm, and other data brokers say they are not ready to change their practices on their own. In the meantime, privacy experts say data aggregators should think twice about the predatory practices their data might enable.
Perakslis stressed the need to consider the current context of information and culture wars. Just as COVID-19 triggered an infodemic of false or misleading information, the Dobbs ruling allowed states to pass laws that threaten to go beyond the usual law enforcement to get people to comply with their anti-abortion agenda.
Possible harms of aggregated data include re-identification, which could lead to embarrassment, harassment, and lawsuits, as well as the selection of individuals and groups for further surveillance via stalkerware. Re-identification may also result in financial and reputational damage to individuals, communities, or geographic areas based on geotagged linked data.
“This issue of data weaponization is not the exclusive domain of one political party or another or one position or another,” Kapczynski said. “The polarization has become so great that regardless of your position on something, the person who opposes you now wants to use the data to their advantage.”
He noted that one of OneRep’s healthcare customers, a large hospital chain, signed with the company because employees were harassed by patients. “These staff members were being hunted down at home because, you know, ‘Don’t give so-and-so the vaccine,’ or ‘Give them the vaccine, why didn’t you give it to them?'”
Indeed, the abuse of intimate personal data can come from a practice that is not technically illegal.
“When we know from the start that there is a problem, the legality of something is not a good excuse not to act,” noted Perakslis. “There will always be unknowns in cybersecurity. Data aggregators don’t pay attention to known unknowns or even known unknowns of why damage might occur.”
Excerpt from the September 01, 2022 issue of MM+M – Medical Marketing and Media