The Private Health Information You Share with Mental Health Apps is Not So Private

Posted on Tuesday, January 16, 2024 in Blog Posts.

By Phoebe Hebson

According to the U.S. Department of Health and Human Services, large breaches of health care data exposed the medical information of over eighty-eight million individuals in the first ten months of 2023 alone.[1] Health data can be lucrative for hackers: TechCrunch reported in December on a hacker offering to sell 300 terabytes of allegedly stolen 23andMe user data[2] for $50 million, or smaller batches of the data for up to $10 million.[3]

Individuals’ personal health information has a market. And, unlike the data stolen from 23andMe,[4] some of this data enters the market legally.

Mental health applications, such as Headspace and BetterHelp, can offer cost-effective and accessible mental health treatment to patients.[5] They also present an opportunity to shrink the mental health treatment disparity present in the United States today, a clear benefit of the mobilization of health care.[6] And yet, not discounting these advantages, mental health apps also present a privacy risk to users.[7]

Mental health apps generate private medical data.[8] A lot of it.[9] And because the Health Insurance Portability and Accountability Act (HIPAA) does not apply to most mental health apps,[10] this data can be shared or sold, legally, to third parties, even without user consent.[11] Apps can sell patient information such as email addresses, IP addresses, and even sensitive information provided on a health intake questionnaire (for example, whether the individual is taking medication) to third parties, such as data brokers or large online platforms.[12] In fact, in March of last year, the Federal Trade Commission (FTC) filed a complaint against BetterHelp for selling this very kind of information to platforms for lucrative advertising purposes.[13] The complaint was based not on the act of selling the data, but rather on BetterHelp’s broken “promis[es] to keep [consumers’ health information] private and use it only for non-advertising purposes such as to facilitate consumers’ therapy.”[14] In July 2023, the FTC ordered BetterHelp to pay $7.8 million in partial refunds to consumers and prohibited the service from sharing patients’ health data for advertising purposes.[15]

FTC enforcement action, however, is an insufficient placeholder for privacy regulation.[16] And although HIPAA has yet to address data privacy practices by mental health apps, state regulation may be picking up the slack.[17] In 2022, California amended its Confidentiality of Medical Information Act to subject mental health applications to the same privacy standards as those imposed on traditional health care providers, including the obligation not to sell or otherwise disclose an individual’s health information without the individual’s consent.[18]

Considering that the use of mental health apps grew 54.6% from 2019 to 2021,[19] California, although the first state to adopt privacy regulations governing mental health apps, is likely not to be the last.[20]

Phoebe Hebson is a 2L at Vanderbilt Law School.

[1] Press Release, Fed. Trade Comm’n, HHS’ Office for Civil Rights Settles Ransomware Cyber-Attack Investigation (Oct. 31, 2023); Knvul Sheikh, Your Health Information Was Hacked. What Now?, N.Y. Times (Dec. 7, 2023).

[2] See Addressing Data Security Concerns, 23andMe (Dec. 5, 2023, 2:45 PM).

[3] Lorenzo Franceschi-Bicchierai & Zack Whittaker, 23andMe Says Hackers Accessed ‘Significant Number’ of Files About Users’ Ancestry, TechCrunch (Dec. 1, 2023).

[4] See, e.g., Computer Fraud and Abuse Act, 18 U.S.C. § 1030.

[5] Pooja Chandrashekar, Do Mental Health Mobile Apps Work: Evidence and Recommendations for Designing High-Efficacy Mental Health Mobile Apps, National Library of Medicine (Mar. 23, 2018).

[6] Nicole Rapfogel, The Behavioral Health Care Affordability Problem, Center for American Progress (May 26, 2022); Eugenie Park & Darrell M. West, Why Mental Health Apps Need to Take Privacy More Seriously, Brookings Institution (Nov. 30, 2023).

[7] Park & West, supra note 6; see, e.g., Mitchell Clark, BetterHelp Shared Customer Data While Promising it Was Private, Says FTC, The Verge (Mar. 2, 2023) (individuals’ private medical data sold without their knowledge or consent).

[8] Park & West, supra note 6.

[9] Id.

[10] Christine Moundas & Elana Bengualid, Calif. Privacy Law Holds Implications for Mental Health Apps, Law360 (Feb. 1, 2023, 6:51 PM).

[11] Joanne Kim, Data Brokers and the Sale of Americans’ Mental Health 2 (Duke University’s Privacy Policy Lab, 2023).

[12] FTC Gives Final Approval to Order Banning BetterHelp from Sharing Sensitive Health Data for Advertising, Requiring It to Pay $7.8 Million, Fed. Trade Comm’n (July 14, 2023); Kim, supra note 11.

[13] Press Release, Fed. Trade Comm’n, FTC to Ban BetterHelp from Revealing Consumers’ Data, Including Sensitive Mental Health Information, to Facebook and Others for Targeted Advertising (Mar. 2, 2023).

[14] Complaint at 2, In the Matter of Betterhelp, Inc., A Corp., Also d/b/a Compile, Inc., Also d/b/a Mytherapist, Also d/b/a Teen Counseling, Also d/b/a Faithful Counseling, Also d/b/a Pride Counseling, Also d/b/a Icounseling, Also d/b/a Regain, Also d/b/a Terappeuta., No. 202-3169, 2023 WL 4636171 (MSNET July 7, 2023).

[15] FTC Gives Final Approval to Order Banning BetterHelp from Sharing Sensitive Health Data for Advertising, Requiring It to Pay $7.8 Million, supra note 12.

[16] See Park & West, supra note 6; Moundas & Bengualid, supra note 10.

[17] See Moundas & Bengualid, supra note 10.

[18] Moundas & Bengualid, supra note 10.

[19] Park & West, supra note 6.

[20] Moundas & Bengualid, supra note 10.