The HIPAA loophole, summarised

US health privacy law (HIPAA) covers "covered entities" — hospitals, insurers, clinical providers. It does not cover the wellness app that helps you track your period, the SSRI-symptom journal, or the fertility chatbot that ingested your most intimate questions. That gap created a multi-billion-dollar parallel market. The 2023 GoodRx and BetterHelp settlements made the playbook explicit. The 2026 wave showed it never really stopped.

The pattern that keeps repeating

- FTC GoodRx (Feb 2023) — first enforcement under the Health Breach Notification Rule, for sharing prescription data with Meta and Google. The FTC press release lays out the exact data flows.
- FTC BetterHelp (March 2023) — barred the company from sharing mental-health intake data with advertisers, with a $7.8M consumer refund. Same playbook, different vertical.
- Mozilla Privacy Not Included reproductive-health reviews — ongoing audits show most period and fertility apps still share cycle data with third parties despite post-Dobbs scrutiny.

These are the cases the regulators have already proven on the record. The 2026 wave of activity is built on top of this same Health Breach Notification Rule framework.

What's actually in the broker file

A typical "health-adjacent" broker dossier in 2026 includes:

- App-derived symptom flags (anxiety, sleep, GI, fertility intent)
- Search-derived inference (e.g. "diabetes interest")
- Pharmacy loyalty signals (linked through hashed-email matching)
- Wearable-derived heart-rate variability and step trends
- Location overlays of clinic visits

Each individual signal is "anonymous." Re-identification is trivial when you cross-reference 4 of them.

How to shrink your file

- Stop using period and fertility apps that aren't local-first. A short list of audited local-first options exists; Mozilla maintains one.
- Use a separate email for any health-adjacent service. Aliases (one per service) make later opt-out trivial.
- File a CCPA/state-equivalent deletion request with the major health-data brokers (LiveRamp, Acxiom, Experian Health). Reuters keeps a current list.
- Pay attention to wearable cloud sync. Local mode + manual export is almost always available; vendors hide it.

Health data was supposed to be the most protected category. It became the most freely traded. The fix is largely regulatory — and it is finally moving.
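The claim in the broker-file section, that each signal is "anonymous" alone but identifying once four are cross-referenced, is what a k-anonymity check measures before a dataset is shared. The following is an added example, not code from this article or from any broker: the signal names, values and the 72-person dataset are constructed, and the dataset is idealised so that every combination of values occurs exactly once.

```python
from collections import Counter
from itertools import product

# Constructed sample: one record per person, four "anonymous" signals each.
SIGNALS = {
    "symptom_flag": ["anxiety", "sleep", "GI", "fertility_intent"],
    "search_inference": ["diabetes_interest", "migraine_interest", "none"],
    "clinic_area": ["north", "central", "south"],
    "hrv_trend": ["falling", "stable"],
}
COLUMNS = list(SIGNALS)
RECORDS = [dict(zip(COLUMNS, combo)) for combo in product(*SIGNALS.values())]


def class_sizes(records, columns):
    """Count how many records share each combination of values in `columns`."""
    return Counter(tuple(r[c] for c in columns) for r in records)


def k_anonymity(records, columns):
    """Smallest group size: every person hides among at least this many records."""
    return min(class_sizes(records, columns).values())


def unique_fraction(records, columns):
    """Share of records whose combination of values appears exactly once."""
    sizes = class_sizes(records, columns)
    return sum(1 for n in sizes.values() if n == 1) / len(records)


def risk_report(records, columns):
    """k and unique share as signals are joined one at a time, in order."""
    return [
        (n, k_anonymity(records, columns[:n]), unique_fraction(records, columns[:n]))
        for n in range(1, len(columns) + 1)
    ]


if __name__ == "__main__":
    for n, k, uniq in risk_report(RECORDS, COLUMNS):
        print(f"{n} signal(s) joined: k={k:>2}, unique records={uniq:.0%}")
```

On a real export, pass the quasi-identifier columns you intend to release; a result of k=1 means at least one person is singled out by those columns alone.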