CURE warns health data isn't private
- CURE’s February 12, 2020 article said medical records, genetic tests and health-related web activity can travel beyond a doctor’s office under existing rules.
- The piece centered on a family surprise uncovered through Ancestry.com and warned that health-related data may be stored, linked and sold outside care.
- The warning still fits a patchwork privacy system shaped by HIPAA exceptions, de-identification rules and FTC enforcement. (hhs.gov)

Your health information can move far beyond your doctor’s office, and CURE’s warning is not new: the article ran on February 12, 2020. (curetoday.com) The piece by Andrew Smith said records can be shared inside the health system and that health-related internet activity can also be collected outside it. (curetoday.com)

Its opening example involved Haley Morgan’s family, where a relative’s test on Ancestry.com revealed an unknown granddaughter tied to Morgan’s father. (curetoday.com) That example was not about a hospital breach. It showed how one person’s genetic submission can expose relatives who never sent in DNA themselves. (curetoday.com)

Inside traditional healthcare, the Health Insurance Portability and Accountability Act, or HIPAA, lets covered entities use or disclose protected health information for treatment, payment and healthcare operations. (hhs.gov) (ecfr.gov) HIPAA also covers “business associates,” the outside vendors that create, receive, maintain or transmit protected health information for providers and health plans. (hhs.gov) (law.cornell.edu) Once data is stripped of identifiers under HIPAA’s de-identification standards, it is no longer treated as individually identifiable health information under the rule. (hhs.gov) (ecfr.gov)

That does not mean every health signal is protected the same way. Search terms, app activity and location trails often sit outside HIPAA unless a covered entity or business associate handles them. (ftc.gov) (networkforphl.org)

Federal regulators have acted when those outside-the-clinic trails pointed to care. In January 2024, the Federal Trade Commission barred X-Mode Social and Outlogic from selling sensitive location data that could reveal visits to medical and reproductive health clinics. (ftc.gov) The Federal Trade Commission also said in 2023 that GoodRx shared users’ health data with advertising platforms and agreed to a $1.5 million civil penalty. (ftc.gov) (justice.gov)

Protections around especially sensitive care have also shifted. A federal judge vacated the Biden administration’s reproductive-health HIPAA rule on June 18, 2025, leaving a state-by-state patchwork in place. (networkforphl.org) (hhs.gov)

So the cleanest reading of CURE’s piece in 2026 is not that privacy disappeared overnight. It is that health data has long moved through legal channels, vendor contracts, de-identified datasets and consumer-tech pipelines that most patients never see. (curetoday.com) (hhs.gov)