The market for de-identified health data is large, legal, and largely invisible to the patients whose data is being traded. Pharmaceutical companies, researchers, marketing firms, and ad-tech platforms all buy versions of your prescription history, your diagnoses, your provider visits.
Who buys it
The biggest known buyer is IQVIA — formerly Quintiles + IMS Health — which processes prescription data covering roughly 93% of US dispensing. LexisNexis Risk Solutions builds patient identifiers for fraud detection and pharma research. Optum (UnitedHealth’s analytics arm) sells de-identified claims data. Ad-tech platforms like Google and Meta have been repeatedly caught receiving identifiable health-app data through tracking pixels.
Why “de-identified” doesn’t mean private
The HIPAA Safe Harbor de-identification standard requires stripping 18 specific identifiers from a record. The problem: many of those identifiers can be re-linked using publicly available datasets. A 2019 paper in Nature Communications showed that 99.98% of Americans could be re-identified from any “anonymized” dataset using just 15 demographic attributes.
Full investigation coming soon.