Sensitive mental health data is for sale by little-known data brokers, sometimes for as little as a few hundred dollars and with little effort to hide personal information like names and addresses, according to research published Monday.

The research, conducted over two months at Duke University Sanford School of Public Policy, which studies the ecosystem of companies that buy and sell personal data, consisted of asking 37 data brokers for massive data on people’s mental health. Eleven of them agreed to sell information that identified people by problems, such as depression, anxiety and bipolar disorder, often categorizing them by demographic information such as age, race, credit score and location.

The researchers did not buy the data, but in many cases they received free samples to prove the broker was legitimate, a common industry practice. The study does not name the data brokers.

Some of the brokers were particularly arrogant about sensitive data. One did not require how the information it sold was used, announcing that it could provide names and addresses of people with «depression, bipolar disorder, anxiety problems, panic disorder, cancer, post-traumatic stress disorder, obsessive-compulsive disorder, and personality disorder.» «. , as well as people who have had strokes and data on their races and ethnicities,” the report found.

“[T]The industry seems to lack a set of best practices for handling people’s mental health data, particularly in the areas of privacy and background checks on buyers. found the report.

While prices for rented and sold mental health records varied widely, some companies offered them for as low as $275 for information on 5,000 people.

The use of apps that offer counseling and other mental health services was already on the rise before the covid pandemic broke out. In April 2020, the Food and Drug Administration relieved its recommendations against unvetted mental health apps, given the combination of people’s stress from the pandemic and the push for remote healthcare.

Dealing with the buying, repackaging, and selling of people’s identifying information and details about them, data brokers have become a thriving but bleak industry. Companies in the industry are rarely household names and often say little publicly about their business practices.

So far, Congress has failed to pass significant legislation on the industry, which spends millions in lobbying.

Unlike some countries, the United States does not have a general privacy law that protects most people’s private and personal information from being bought or sold. Some medical information can be protected by laws such as the Health Insurance Portability and Accountability Act, commonly known as HIPAA. But HIPAA applies only when that information is held by a specific «covered entity,» such as a hospital or certain type of health care organization.

Justin Sherman, a senior fellow at Duke’s Sanford School of Public Policy who leads its data brokerage project and oversaw the report, said other entities that store health data, including most phone apps, are not regulated through of HIPAA, which leaves data brokers with a number of options to legally purchase such data.

“People assume that HIPAA covers all kinds of health data everywhere. And that is not true,” she said.

“There are many, many places this data could have come from, because many entities are not covered by the HIPAA health data sharing restrictions,” Sherman said.

While the report doesn’t delve into how runners acquired that mental health information in the first place, a Consumer Reports report investigation in 2021 it discovered that some popular mental health apps were selling user data to advertising companies, including Facebook. Facebook did not respond to a question for comment, but told Consumer Reports it had no agreements restricting those mental health companies’ use of user data.

Pam Dixon, executive director of the World Privacy Forum, a nonprofit group that works to improve privacy protections nationally and globally, said confusing health care privacy laws make it nearly impossible for a person browse health information that is expected to remain private.

“There is a lot of confusion among consumers about when our health records are protected by health privacy law or not,” he said. «It would be almost impossible for the average person who is not a privacy lawyer to know if a website is HIPAA protected or not.»

Dixon cautioned against concluding that mental health information is more widely traded than other personal information, saying the data brokerage industry is out of control.

“There is no possible way at this time that a human being, if they wanted to, could opt out of all the data brokering activity in the world,” he said.

«Remember, someone is buying this data, or there would be no business model for it,» he said.