Unprotected: The Growing Gap Between Health Data Collection and The Laws Designed to Regulate It
By: Adian Abed / Edited By: Grace Park
GuardDog Telehealth is a now-barred company facing a major lawsuit after admitting it accessed patient medical records under unethical pretenses in order to channel them to law firms. GuardDog’s business was built around requesting, reviewing, and summarizing medical records to sell to attorneys looking for plaintiffs in class action lawsuits, and that business is now under scrutiny. Epic Systems, the nation’s largest provider of electronic health records, filed the lawsuit in January 2026, alleging that GuardDog exploited health information exchange networks, systems designed to let doctors share private records for treatment, by posing as a legitimate healthcare provider. The scheme left 300,000 patient records improperly accessed across a network of companies, and thousands of individuals lost control over their most private medical information without ever knowing it. Federal regulations such as the Health Insurance Portability and Accountability Act (HIPAA) exist to ensure privacy and control over personal medical data, yet with the rise of health and wellness apps, HIPAA has not been extended to cover them. As the world progresses digitally, it is unclear whether the current regulations over medical data are enough to protect people anymore.
Current estimates show that around 7.4 billion smartphones are in use, accounting for roughly 87 percent of the mobile phones used globally. Research on the digital adoption of health and wellness apps finds that more than 60 percent of these users engage with at least one kind of health and fitness app, with 55 percent of them relying on activity-tracking features. A 2022 empirical study by Deakin University found that nearly 50 percent of Bluetooth services used proprietary, vendor-specific protocols, pointing to a lack of standardization in how health data is collected and transferred. The authors noted, however, that their methodology could not conclusively trace where the data was being sent or for what purpose, underscoring the very lack of transparency their findings suggest. Typically, applications request access to sensors such as cameras and GPS and automatically start tracking, without a clear indication of how the data is used. In many cases, medical data can be handed over to third-party trackers the moment the user accepts the terms of service. Typical intake questionnaires — covering demographics or medications taken — are analyzed far more deeply by companies than users might expect when casually tapping through them. Researchers from the Wharton School found that even basic information, like age and weight, is recorded and used for purposes that may have nothing to do with the app's functionality. Sensitive user information was also found to be distributed across apps and advertising networks, or sold to third-party companies and data brokers.
Medical privacy law is anchored primarily in HIPAA, which generally protects health information. It applies to what the law defines as “covered entities” or “business associates” — hospitals, doctors, health insurance companies, etc. HIPAA mandates rules and regulations governing where and how medical records are stored and shared, with serious consequences for a provider that breaks them. Yet an organization that does not meet either definition does not have to comply with HIPAA at all. This is the gap in data regulation. Popular health and fitness applications do not qualify as patient care organizations, and thus are bound by no HIPAA requirement when the user freely provides information. These companies can therefore legally share, sell, or transfer health data to advertisers, data brokers, or other third parties without the consent or safeguards one would expect from a doctor's office. A non-covered company can usually do whatever it wants with a user's data as long as the use is accepted in the terms and conditions, which are rarely read.
These gaps aren’t one-in-a-million hypothetical situations, and unethical actors exploiting systems meant to keep health data flowing safely can affect thousands or even millions of users. Flo, a popular mobile app for tracking menstrual cycles and pregnancy, was the subject of a recent class-action lawsuit over illegal data sharing that affected approximately 38 million individuals. But even when companies are following the law, the lack of regulation means data is still vulnerable. According to a 2019 report by UNSW Sydney researchers, 81% of the top-rated apps for depression and smoking cessation shared data for marketing and advertising purposes. This is not a breach—it is a business model.
Some states have recognized these gaps and begun trying to fill them on their own. Washington’s My Health My Data Act, passed in 2023, introduced new state-level protections for consumer health data not covered by HIPAA. It was designed specifically to fill the gap in HIPAA by covering health data collected by companies not bound by federal law — including fitness trackers, wellness apps, and websites. The law requires companies to obtain explicit consent before collecting or sharing any consumer health data, gives users the right to know where their data goes and the right to delete it, and prohibits the sale of health data without signed authorization. Unlike HIPAA, the act gives users a private right of action, allowing a consumer to sue a company directly for violations. California’s Consumer Privacy Act also offers overlapping protections, and other states—Nevada, Connecticut, Illinois, New York, and Hawaii—have already enacted or introduced similar laws. However, without a comprehensive federal law that goes beyond HIPAA’s definition of covered entities, protection as a whole continues to leave users vulnerable.
The recent advancement of artificial intelligence has further complicated the health data landscape, raising privacy concerns that existing regulations were never designed to address. Medical AI is advancing rapidly, ranging from algorithms that detect cancer in imaging scans to models that predict sepsis risk in hospital patients. All of this depends on massive datasets built from real patient records. HIPAA states that once records are properly de-identified, they are no longer considered protected health information and do not fall under HIPAA regulations. Hospitals and research institutions are therefore allowed to feed such records to AI systems without explicit consent. The issue is that "de-identified" is not “anonymous.” In early 1997, researcher Latanya Sweeney demonstrated that voter registration data, combined with other public records, could be used to re-identify medical records. In 2018, patients were re-identified from de-identified, HIPAA-compliant datasets cross-referenced with public newspaper articles. AI has only accelerated this risk. Researchers at FAU Erlangen-Nürnberg's Pattern Recognition Lab observed that deep learning systems can now determine whether two chest X-rays belong to the same person with over 95% accuracy. This effectively turns medical images into a biometric fingerprint, and it shows that “harmless data” like age and zip code, when combined with external databases, can identify patients with alarming accuracy.
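The re-identification risk described above can be measured before a dataset is released. The following is an added example, not code from the article or from any of the researchers it cites: it takes a small constructed set of "de-identified" records that still carry age and 5-digit ZIP code, counts how many records share each (age, ZIP) combination (the k-anonymity of the release), flags singletons that an outside dataset with the same attributes could link to a person, and shows that generalizing the quasi-identifiers (10-year age bucket, 3-digit ZIP prefix) raises the minimum k. The records, the `k_required` threshold of 2, and the function names are all assumptions made for the example.

```python
"""Release-time check: how re-identifiable is a 'de-identified' dataset?

Constructed example (not from the article). Names and IDs are stripped, as
HIPAA de-identification requires, but age and ZIP remain. Any record whose
(age, ZIP) pair is unique in the release can be linked to an external dataset
(voter rolls, news articles) carrying the same two attributes.
"""
from collections import Counter

# Constructed sample records: (age, zip5, diagnosis). Not real patient data.
RECORDS = [
    (34, "98101", "asthma"),
    (34, "98101", "hypertension"),
    (52, "98101", "diabetes"),
    (52, "98104", "diabetes"),
    (67, "98109", "oncology"),
    (31, "98121", "asthma"),
    (34, "98101", "migraine"),
    (69, "98109", "oncology"),
]


def quasi_identifiers(record, generalize=False):
    """Return the (age, zip) key an outside dataset could be matched on.

    With generalize=True the key is coarsened to a 10-year age bucket and
    the first three digits of the ZIP code, which merges small classes.
    """
    age, zip5, _diagnosis = record
    if generalize:
        low = age // 10 * 10
        return (f"{low}-{low + 9}", zip5[:3])
    return (age, zip5)


def k_anonymity(records, generalize=False):
    """Map each quasi-identifier class to its size k (number of records)."""
    return Counter(quasi_identifiers(r, generalize) for r in records)


def unique_records(records, generalize=False):
    """Records that are alone in their class (k == 1): directly linkable."""
    classes = k_anonymity(records, generalize)
    return [r for r in records if classes[quasi_identifiers(r, generalize)] == 1]


def min_k(records, generalize=False):
    """The dataset's k-anonymity: the smallest class size in the release."""
    return min(k_anonymity(records, generalize).values())


def release_ok(records, k_required=2, generalize=False):
    """Release gate (assumed policy): every class must hold >= k_required people."""
    return min_k(records, generalize) >= k_required


if __name__ == "__main__":
    print("raw release: min k =", min_k(RECORDS),
          "| unique, linkable records:", len(unique_records(RECORDS)))
    print("generalized release: min k =", min_k(RECORDS, generalize=True),
          "| passes gate:", release_ok(RECORDS, generalize=True))
```

On the constructed data the raw release has a minimum k of 1, with five of the eight records uniquely identified by age and ZIP alone; after generalization every class has at least two members. In practice the same count is run against the real quasi-identifiers a release retains (age, ZIP, admission dates, and so on), and the gate threshold is a policy decision rather than the number 2 assumed here.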
AI-driven medical research has the potential to save lives, improve diagnostics, and personalize treatments in ways that were not possible before, but it creates an ethical contradiction if the data powering these breakthroughs can be traced back to people without their knowledge or consent. In that case, the promise of privacy was never there to begin with.
The gap between the pace of health data collection, digital applications, and the legal frameworks designed to regulate them continues to widen, raising pressing questions about the path forward. HIPAA was enacted in 1996, when health information was still widely stored in paper files and electronic health records were only beginning to emerge. Today, devices are designed to detect heart attacks and AI models learn from de-identified medical images; the law has to adapt. State laws such as Washington's My Health My Data Act are a step in the right direction, yet a person’s data shouldn’t be protected or not depending on the state they are in.
Current legislation leaves noteworthy gaps in health data protection. HIPAA’s scope remains limited to covered entities, leaving the vast majority of apps, wearables, and data brokers that collect sensitive health data regulated outside federal law. There is no consistent federal standard granting individuals explicit privacy protections and ownership over their health data, nor any uniform requirement for informed and meaningful consent before data is shared, sold, or used to train AI systems. While state statutes like Washington’s My Health My Data Act and California’s Consumer Privacy Act have begun to address these gaps, the result is a fragmented patchwork rather than a cohesive system. Meanwhile, companies continue to build billion-dollar products from user-generated health data under terms of service agreements that few consumers truly read or fully understand. What emerges is an underlying disconnect between what technology collects and what individuals can control — one that existing laws have yet to resolve.