Security6 min read

Your Health Data Should Be Encrypted: Why Privacy Matters

Health data is 50x more valuable than credit card data on the dark web. Here's why encryption isn't optional—it's essential.

The Hidden Value of Your Health Data

According to Trustwave's 2018 Global Security Report, medical records sell for $250-$1,000 per record on the dark web, while credit card numbers go for $5-$110. Why? Your credit card can be canceled. Your medical history is forever.

What Criminals Do With Health Data:

  • Medical identity theft: File false insurance claims, obtain prescriptions, receive medical care under your name
  • Extortion: Threaten to reveal sensitive conditions to employers or family
  • Insurance fraud: Use your clean medical history to obtain coverage
  • Targeted scams: Craft personalized phishing based on your conditions

The Breach Epidemic

Healthcare data breaches are skyrocketing. According to the HHS Office for Civil Rights:

  • 2023: 725 healthcare data breaches affecting 133 million records
  • 2022: 707 breaches affecting 51.9 million records
  • 2021: 686 breaches affecting 45.1 million records
  • Average breach size: 183,000+ records per incident

Source: HHS Office for Civil Rights Breach Portal, 2024

Beyond Criminal Threats

Even without breaches, unencrypted health data poses risks:

1. Corporate Surveillance

Many health apps sell anonymized data to brokers. But researchers from Imperial College London showed in 2019 that 99.98% of Americans could be re-identified using just 15 demographic attributes.

2. Insurance Discrimination

While the Genetic Information Nondiscrimination Act (GINA) exists, it doesn't cover life insurance, disability insurance, or long-term care insurance. Your fitness tracker data isn't protected at all.

3. Employment Risks

Wellness programs can share aggregate data with employers. Individual data "accidentally" linked to employees has led to discrimination lawsuits.

4. Government Access

Law enforcement has obtained health data through warrants, subpoenas, and third-party doctrine. In 2023, multiple cases involved reproductive health data being used in prosecutions.

HIPAA Isn't Enough

Many people think HIPAA protects their health data. Reality check:

HIPAA Doesn't Cover:

  • • Fitness trackers and smartwatches
  • • Direct-to-consumer genetic tests
  • • Health apps (unless connected to a covered provider)
  • • Wellness programs (in most cases)
  • • Search history about health conditions
  • • Social media posts about health

A 2024 study in JAMA found that only 28% of health apps even mention HIPAA, and most that do aren't actually covered by it.

Real-World Consequences

Documented Cases:

  • 2018 Strava Heat Map: Fitness app data revealed secret military base locations and patrol routes
  • 2016 Denmark Study: Researchers identified individuals in "anonymous" HIV and mental health databases
  • 2023 GoodRx: Shared users' prescription data with Facebook and Google without consent (FTC fine: $1.5M)
  • 2022 BetterHelp: Shared therapy intake data with advertisers (FTC fine: $7.8M)
  • 2025 Oura Ring Military Partnership: Smart ring manufacturer Oura expanded its partnership with the US military, sparking backlash over potential health data sharing. Users expressed concerns about privacy and government surveillance of their biometric data. (TechCrunch, Tom's Guide)

What Real Encryption Looks Like

True health data protection requires:

End-to-End Encryption

Data encrypted on your device before transmission. Even the service provider can't read it.

Zero-Knowledge Architecture

Your password never leaves your device. The service can't decrypt your data even if compelled.

Local Key Storage

Encryption keys stored on your device, not in the cloud. You control access completely.

Protecting Yourself Today

Immediate Actions:

  1. 1. Audit your apps: Delete health apps you don't actively use
  2. 2. Read privacy policies: Look for "sell," "share," and "third-party"
  3. 3. Use fake data: For non-medical apps, consider using aliases
  4. 4. Opt out: Always decline data sharing when possible
  5. 5. Choose encrypted services: Prioritize apps with end-to-end encryption
  6. 6. Download your data: Regularly export from services you don't trust
  7. 7. Use separate emails: Don't link health apps to your primary email

The Future We're Building

At PerformanceOS, we believe your health data deserves bank-level security—actually, better. Banks can see your transactions. We can't see your health data.

We use AES-256-CBC encryption, the same standard used by the military. Your data is encrypted before it leaves your device, is transmitted over TLS 1.3, and stored in encrypted form. Only you hold the keys.

"Privacy is not about hiding things. It's about protecting things. Your health data is among the most intimate information about you that exists. It deserves the highest level of protection."

Take Control

One last note: if the product is free and there's no clear business model, you're probably the product. Choose services that prioritize your privacy and security, and allow you to own and control your data uploads, downloads, and deletions.

Learn About Our SecurityTry Encrypted Health Tracking

References:

  • • Trustwave. "2018 Trustwave Global Security Report." Trustwave Holdings, 2018.
  • • HHS Office for Civil Rights. "Breach Portal: Notice to the Secretary of HHS Breach." 2024.
  • • Rocher, L., Hendrickx, J.M., de Montjoye, YA. "Estimating the success of re-identifications in incomplete datasets." Nature Communications, 2019.
  • • Grundy Q, et al. "Data sharing practices of medicines related apps." JAMA, 2024.
  • • Federal Trade Commission. "FTC Order Against GoodRx." FTC.gov, 2023.
  • • Federal Trade Commission. "BetterHelp Settlement." FTC.gov, 2022.