Digital Frontier Alliance
Data & Privacy Resource Hub
Key Insights
- The data brokerage industry is largely unregulated, and the global market - estimated around $300 billion - continues to grow (link 1 and link 2)
- Michigan's Medicaid programs serve vulnerable adults and children with low-income and exceptional service needs (link 1 and link 2)
- Active military and veterans' sensitive health, financial, and other data were advertised on the unregulated global market (link)
- Federal HIPAA law lets “de-identified” health data be shared with private companies, but AI is learning to re-link that data back to you—and the law doesn’t protect you (link)
- Health data fetch some of the highest prices on the dark web (link)
Data for Sale: Studies and Legal Action
Data for Sale: Need for Transparency & Accountability
More Findings and Resources
Recent Healthcare Data Breaches
For a comprehensive list of recent breaches, please see the article below:
Healthcare Data Breach Statistics – Updated for 2026
HIPAA Journal. Posted By Steve Alder on Feb 26, 2026
2024: Change Healthcare (a UnitedHealth subsidiary), 190 million+ exposed
2024-25: Blue Shield CA, 4.7 million exposed*
2025: Yale New Haven Health, 5.5 million exposed**
Blue Shield CA: Google Analytics was configured on the Blue Shield CA website in a way that resulted in sensitive member data being shared with Google Ads for almost 3 years.
*Blue Shield of California Announces Impermissible Disclosure of PHI to Google Ads: 4.7 Million Affected. HIPAA Journal. Posted By Steve Alder, April 24, 2025.
Yale New Haven Health: Sensitive medical records of millions were hacked in a cyberattack.
**Yale New Haven Health Agrees to $18 Million Data Breach Settlement. HIPAA Journal. Posted By Steve Alder, Oct 27, 2025.
Key Definitions
* De-identified healthcare data
De-identified healthcare data is medical information with details removed that could reasonably identify a person (such as name, address, full dates, or ID numbers). Under HIPAA, data are considered de-identified when these identifiers are removed or an expert finds the risk of re-identifying someone is very small, allowing the data to be used or shared with fewer privacy limits.
* Data brokerage industry
The data brokerage industry is a global market built on collecting, combining, and selling detailed information about people. It is rapidly growing as more data are generated from apps, devices, and online services. In healthcare, data brokers trade in de-identified and health‑related data, shaping advertising, insurance decisions, and risk scoring, while raising serious concerns about privacy, discrimination, and patient trust.
* HIPAA Federal law
HIPAA, the Health Insurance Portability and Accountability Act, is a U.S. law that was passed in 1996. It sets rules for how health information can be used and shared, and requires safeguards to protect patients’ privacy and security. However, it is outdated in the digital age and in the age of AI (link to HHS HIPAA home page).