
Health Tech, Medical Data & Wearables

Your step count, sleep pattern, and mood logs are commercially valuable. They are also permanently sensitive in ways a stolen credit card number is not.


The Premium That Changed

Arjun had been using a fitness tracker for two years. He was active, his metrics were good, and he liked the data.

When his health insurance renewed, his premium increased significantly. The insurer cited "risk profile adjustments." He asked what data informed the assessment. The answer was vague.

Months later, he read a report: his fitness app's parent company had sold aggregated health data to insurance industry analytics partners. The sale was disclosed in the terms of service, under a clause about "improving services with trusted partners."

He had consented, technically. He had not understood what he was consenting to.

His data had travelled from his wrist to his insurer through three intermediaries, none of whom he had chosen.


What Is Actually Happening

$45B

projected value of the global digital health data market by 2026.

Health data is among the most commercially valuable personal data categories, and unlike financial data, it cannot be changed if exposed.

Source: Grand View Research Digital Health Market Report, 2025

Mental Health Apps

Therapy Notes Shared With Advertisers

A 2023 FTC investigation found that several major mental health apps shared user data, including session content and mood logs, with Facebook and advertising platforms. Data entered during emotional vulnerability was used for ad targeting.

Source: FTC Mobile Health App Investigation, 2023

Genetic Data

23andMe Breach: 6.9M Users Exposed

The 2023 23andMe breach exposed genetic data on 6.9 million users. Genetic information is permanent, family-wide, and irreplaceable; exposure affects biological relatives who never consented to the service.

Source: 23andMe breach disclosure, 2023

Insurance Discrimination

Wearable Data Sold to Insurers

Multiple major fitness platform operators have confirmed data sharing with insurance analytics companies. Data sold as "de-identified" can be re-identified using 3-4 additional data points the recipient already holds.

Source: University of Chicago Privacy Research, 2024

Medical Identity Theft

Healthcare: Top Breach Category

Healthcare data breaches hit a record in 2024. Medical identity theft lets attackers file insurance claims, obtain prescriptions, and receive care under your name, creating a permanent false medical record that can affect future treatment.

Source: IBM Cost of a Data Breach Report, 2024

Five Health Data Risks

Fitness Tracker Data and Insurance Discrimination

Wearable data flows from device to app to cloud to analytics partners to data brokers. At the end of that chain, insurers and employers are documented purchasers. Most fitness app terms of service permit this transfer under broad "research and improvement" language.
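
The earlier point that "de-identified" data can be re-identified with 3-4 additional data points can be tested before a dataset is shared, by counting how many records share each combination of the fields left in the export (k-anonymity). This is an added example, not code from this page or from any fitness platform; the field names and the eight records are constructed for illustration.

```python
from collections import Counter

# Constructed sample of a "de-identified" wearable export: names and emails are
# gone, but quasi-identifiers still sit next to the health metric.
FIELDS = ("postcode3", "birth_year", "sex", "device", "resting_hr")
RECORDS = [dict(zip(FIELDS, row)) for row in [
    ("560", 1988, "M", "band-a", 58),
    ("560", 1988, "M", "band-b", 71),
    ("560", 1985, "F", "band-a", 64),
    ("560", 1985, "F", "band-a", 80),
    ("110", 1992, "M", "band-a", 55),
    ("110", 1992, "F", "band-b", 77),
    ("110", 1995, "F", "band-b", 62),
    ("110", 1995, "M", "band-a", 90),
]]

def class_sizes(records, quasi_ids):
    """Count records sharing each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)

def k_anonymity(records, quasi_ids):
    """Smallest group size; k == 1 means at least one person is unique."""
    return min(class_sizes(records, quasi_ids).values())

def unique_fraction(records, quasi_ids):
    """Share of records singled out by the quasi-identifiers alone."""
    sizes = class_sizes(records, quasi_ids)
    alone = sum(1 for r in records if sizes[tuple(r[q] for q in quasi_ids)] == 1)
    return alone / len(records)

def generalize(records):
    """Mitigation: coarsen birth year to a decade and drop the device model."""
    return [{"postcode3": r["postcode3"],
             "birth_decade": r["birth_year"] // 10 * 10,
             "sex": r["sex"], "resting_hr": r["resting_hr"]} for r in records]

def release_report(records, fields):
    """(fields used, k, unique fraction) as each extra field is considered."""
    return [(fields[:n], k_anonymity(records, fields[:n]),
             unique_fraction(records, fields[:n]))
            for n in range(1, len(fields) + 1)]

if __name__ == "__main__":
    quasi = ["postcode3", "birth_year", "sex", "device"]
    for used, k, frac in release_report(RECORDS, quasi):
        print(f"{len(used)} field(s): k={k}, unique={frac:.0%}")
    coarse = generalize(RECORDS)
    print("generalized: k =", k_anonymity(coarse, ["postcode3", "birth_decade", "sex"]))
```

In this sample every record hides in a group of four when only the postcode prefix is considered, but half are unique once birth year and sex are added, and three quarters once the device model is included. Coarsening birth year to a decade and dropping the device model brings every group back to at least two.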

Mental Health App Data Harvesting

Apps for anxiety, depression, and therapy record emotional states and personal disclosures. These data points face less regulatory protection than medical records in most jurisdictions. The intimate nature of what users share makes mental health app data particularly valuable to advertisers.

Genetic Testing Data Leaks and Family Exposure

Genetic data cannot be changed. A single breach exposes not just the user but every biological relative, many of whom never used the service. Family trees built in these platforms create networks of involuntary exposure that extend for generations.

Telemedicine Platform Vulnerabilities

Telemedicine platforms handle prescription data, diagnosis records, and consultation content. Smaller platforms frequently lack the security standards of regulated healthcare providers. In 2024, multiple telehealth startups disclosed breaches affecting millions of patients.

Medical Identity Theft

Stolen medical credentials allow criminals to obtain prescriptions and file false insurance claims. False entries in the victim's medical record can persist for years and affect real treatment decisions.


Try It: Where Your Health Data Goes

Tap each stage to see who receives your wearable data, whether you consented, and what the documented real-world consequence is.


What That Just Showed You

📡

Data travels far beyond the app you opened.

By the time wearable data reaches an insurer or employer, it has passed through the device, the app, cloud storage, analytics platforms, and data brokers. You interacted with one of those. You had no knowledge of the others.

📜

Consent was given. Understanding was not.

Every data transfer in the flow was disclosed in terms of service. The consent was technically valid. The downstream uses — insurance pricing, employment screening — were not explained in plain language at the point of sign-up.

⚠️

Health data consequences are permanent.

A stolen password can be changed. Exposed health data cannot be recalled. It exists permanently in the records of every organisation that received it, with no practical mechanism for correction or removal.


Three Things Worth Doing

1. Treat health app data like financial data. Before installing any health app, search its privacy policy for "share." Every result is a data transfer you should evaluate.

2. Disable unnecessary sensor collection. Most apps work adequately without continuous heart rate monitoring or location tracking. Turn off what you are not actively using.

3. Submit a data deletion request for apps you no longer use. Under GDPR (EU), DPDPA (India), and CCPA (California), you can request deletion of your data. Do this for any health app you have stopped using.


One Question Before You Continue

Knowledge Check

Arjun's fitness data was described as 'de-identified' before being shared with insurance analytics partners. Why does this not guarantee his privacy?