The recent revelation of what may be the biggest digital data heist in the history of the Internet – the accounts of about 500 million Yahoo users were breached by "state-sponsored" hackers in 2014 – shows, as never before, that some of our most sensitive information is always vulnerable to theft and could be used in ways beyond our control. Everything from passwords to online bank accounts to home addresses and phone numbers is at risk. The security of medical data is increasingly under threat, especially as health systems across the United States convert patients' thick paper files into electronic medical records; the U.S. Government Accountability Office reported last month that health data breaches exposed 113 million patients' records to potential theft and fraud in 2015 alone.

Yet the danger of catastrophic hacks, while real, is eclipsed by the intrusions made possible by the unfathomably huge amounts of data that all of us freely hand out. Much of our lives is now conducted digitally – think ATM machines or credit card swipes – or online. The data is so voluminous that algorithms can reconstruct our personal health information and put it up for sale to companies that will use it – and may well be using yours now – in ways that are perfectly legal while also outside our knowledge and control.

Their intent is not to directly benefit us but to market commercial products (some of which, their manufacturers would argue, are beneficial). Much of what we think of as very personal and private ends up with some of the most powerful companies in the "Big Data" industry. Experian, for example, claims to hold consumer profiles on 98 percent of American households through its marketing services arm.

Privacy laws such as the federal Health Insurance Portability and Accountability Act (HIPAA) provide a false sense of security. HIPAA does forbid disclosures for most marketing purposes by hospitals, doctors, and the associated third-party businesses that verify your prescriptions and approve medical procedures. Yet every time you search online for information about diabetes, upload your heart rate from your Fitbit device to a smartphone app, sign up for a "wellness" program at work in exchange for discounted health insurance premiums or use your pharmacy's loyalty card when purchasing prenatal vitamins, your private health data is collected, disclosed, and shared by companies that turn it into cash. All of this is outside the protective umbrella of privacy laws.

Once a patient's health data ends up in the databases of consumer data companies like Acxiom, one of the largest data brokers in the U.S., or health informatics giant IMS Health in Plymouth Meeting, her private health information becomes public consumer marketing information.

Harvard University data scientist Latanya Sweeney's team works with The Data Map, an interactive online tool that helps patients track where all their data may go within the healthcare system and beyond. The researchers have shown how ubiquitous our digital health data has become, made all the more lucrative to the Big Data companies that trade in large amounts of consumer information. Sweeney and her team have illustrated how those data brokers can connect you with your disembodied health information using as little as two points of data, say, a zip code and the GPS location data on a phone.

Your health data need not go online in order to be captured and traded; it merely has to be digitized. Earlier this year in the United Kingdom, Google's DeepMind project had to defend its partnership with the Royal Free Hospital in London to develop an app for in-hospital use to help identify and treat acute kidney injuries. The issue: the data company would have access to sensitive and private health information on 1.6 million National Health Service patients.

Nor must your personal information be directly about your healthcare to be valuable. All that database marketers have to do is make inferences—educated guesses about the data they hold on you—using highly sophisticated analytics. If you've been buying blood-testing strips at your local pharmacy and also using your phone to search for low-glucose diets, the data brokers' algorithms will guess that you have diabetes. By combining these bits of data with other points of useful information, marketers can piece together a personalized consumer profile and sell directly to you—flyers advertising products for diabetics may show up in the mail or on your computer. As far as our health is concerned, nothing is private.

The huge gap between the privacy laws for health data and the practices of the consumer data industry is a looming concern for regulators at the Department of Health and Human Services, the federal agency that oversees HIPAA. As a result of the HHS Data Protection Act, a new data oversight officer was scheduled to begin working with regulators on Oct. 1 to address the security of health data that is outside of HIPAA's reach.

How much will change? Given the profits that can be made from collecting private health information—health data is often called "the new oil" at many health data conferences I've attended—industry practices tend to stay one step ahead of the law.


Mary Ebeling, an associate professor of sociology at Drexel University, researches health data and marketing. Her latest book, "Healthcare and Big Data: Digital Specters and Phantom Objects," will be published by Palgrave Macmillan this month.

 Read more about The Public's Health.