Your private health information may be less private than you think, especially since there's a definite market for it if the price is right. A group of researchers just showed how easy it is for others to obtain your information.

The study used step count information, the kind you can collect using your activity tracker or smartphone. Some device manufacturers and social networks share de-identified physical activity data with employers, advertisers and health care organizations, claiming that this poses no privacy risk. You may feel the same way.

One fitness app “…has unwittingly revealed the locations and habits of military bases and personnel, including those of American forces in Iraq and Syria…”

Anil Aswani, an assistant professor in Industrial Engineering and Operations Research at the University of California at Berkeley, led the study and strongly believes that keeping your step count private should matter to you. “There are companies buying health data. It's supposed to be anonymous data, but their whole business model is to find a way to attach names to this data and sell it,” Aswani said, in a statement.

Your step count is health information. Admittedly, it is not as personal as a medical record, but the process that can attach a name to this seemingly unimportant and anonymous information can also do so to other more sensitive, supposedly anonymous health information. All it takes is the right computer software.

One potential spot for mischief would be a wellness program at work designed to help employees lose weight. Employees who participate get a discount on their health insurance. The health organization and sometimes the employer get health information — information that can be quite extensive and sensitive.

Technology Outpaces Privacy

This matters because, “As advances in AI [artificial intelligence] make it easier for companies to gain access to health data, the temptation for companies to use it in illegal or unethical ways will increase,” Aswani explains. “Employers, mortgage lenders, credit card companies and others could potentially use AI to discriminate based on pregnancy or disability status, for instance.”

One fitness app “…has unwittingly revealed the locations and habits of military bases and personnel, including those of American forces in Iraq and Syria,” according to an article in the New York Times. Imagine what your workout data could reveal about you.

Most sites will tell you that they will keep your information private. Despite their good intentions, they may be powerless to protect your identity when faced by entities armed with superior technology.

HIPAA, the 1996 Health Insurance Portability and Accountability Act, was implemented to make sure that your health information stayed private. But a lot has changed since 1996; and, according to Aswani, HIPAA's protections are badly in need of updating. “HIPAA regulations make your health care private, but they don't cover as much as you think. Many groups, like tech companies, are not covered by HIPAA, and only very specific pieces of information are not allowed to be shared by current HIPAA rules.”

Not only are HIPAA's protections inadequate, efforts are being made to weaken them, as happened last year with net neutrality rules. Aswani explains, “For instance, the rule-making group for HIPAA has requested comments on increasing data sharing. The risk is that if people are not aware of what's happening, the rules we have will be weakened. And the fact is the risks of us losing control of our privacy when it comes to health care are actually increasing and not decreasing.”

And there's a larger issue here. Most organizations will tell you that they keep your information private. Despite their good intentions, they are likely to be powerless to protect your identity when faced by entities that want that information badly enough and are armed with superior technology.

For more details, see the study article, published in the open access journal JAMA Open.