Growing nearly twice as fast as the global economy, the wellness market has quickly become a $4.2 trillion industry and wellness providers will need to consider data privacy measures in the future.
According to the Global Wellness Institute, the wellness industry is growing at a historically rapid rate: it grew 12.8% from 2015 to 2017. Employers are also expressing interest in using wellness products in their workplaces.
While the services wellness providers offer are exciting, some ramifications of how wellness providers use data are not transparent. In an industry where, in the words of the executive director of the Center for Genetics and Society, “data is shared with and passes through many partners,” wellness providers should address privacy concerns proactively and market the data security measures they take.
23andMe, for example, allows clients to provide genetic information to discover potential health problems or family members. To provide more services, 23andMe allows consumers to send their genetic data to a partnering biotech company, Genentech. Genentech experienced a breach in 2011. There are also reports that some Genentech employees have presented insider threats.
Let’s review our top ten recommendations to boost market sales, earn consumer trust, and gain a competitive advantage by addressing these three critical data privacy concerns:
Currently, there are no federal regulations to stop law enforcement agencies from using genetic data from companies such as GEDMatch, Ancestry, or 23andMe. These companies collect genetic data to find potential health problems or family members of consumers.
Law enforcement agencies use genetic data to identify familial relations of suspected criminals. In fact, police used data from the open source platform GEDMatch to identify the notorious Golden State Killer.
Companies such as 23andMe attempt to protect consumer data by providing it to law enforcement agencies only when required, for example by a subpoena, or when consumers have agreed to share their data. See the 23andMe Guide to Law Enforcement for details.
This means that the terms a consumer agreed to with a wellness provider at one point may change at a later date. Since a wellness provider can send data to other organizations, which can use it for numerous purposes, some of the conditions consumers sign can also pose irreparable data privacy concerns.
Finally, the wellness industry is a relatively new aspect of healthcare that hasn’t had the same scrutiny regarding the storage and processing of customer data. Whereas health insurers, medical practitioners, and hospitals understand the importance of securely maintaining patients’ medical information, the majority of wellness apps don’t fall under the purview of HIPAA. Wellness providers are therefore free to use their consumers’ data as they please, so long as it is anonymized.
Moreover, unlike network-capable medical devices, wellness devices and apps are not regulated by the FDA, leaving security implementation solely to manufacturers. This has inevitably led to security considerations being marginalized.
In 2018 it emerged that FitMetrix, a fitness technology company, had left several of its servers without password protection, leaving 113 million data records open to exploitation. Each record included the user’s name, gender, email address, profile picture, emergency contacts, and other personally identifiable information.
Companies may be able to establish a forward-thinking persona by managing data in a manner that consumers appreciate before federal or state mandates require businesses to protect consumer interests.
The wellness industry is experiencing a significant increase in wearable devices equipped with network-capable technology. These devices range from simple step and heartbeat counters to advanced appliances that can monitor patients with cardiovascular diseases and more serious conditions.
Cloud-centric risks are also a concern for wellness device providers. Many pieces of wellness technology are synced to a cloud application so that user information can be retrieved from multiple devices. The poor security measures inherent in wellness devices mean that they can be used as a launch point, or attack vector, by cybercriminals infiltrating a network to steal or corrupt sensitive information.
In an attempt to lower health insurance costs, increase productivity, and boost employee morale, many organizations are starting to offer business-sponsored wellness plans as a part of their employee benefits.
Wellness plans raise data privacy concerns. How are businesses expected to use the data gathered from these wellness devices? Will it be to solely encourage a healthier workforce? Or will corporations sell employee data to increase profits?
In addition, although it is against US law to discriminate against employees based on physical attributes, there is a possibility employers could use the data to influence personnel advancement.
Those seen to be healthier, and therefore less of a health insurance risk, could be given preferential treatment in promotion scenarios, which in turn, if proven, could result in discrimination charges against the business.
Wellness apps, which can be used in conjunction with wellness devices or as a standalone tool, similarly pose risks to user privacy. The information collected is often extensive and when not stored properly could be used to identify users and their habits.
Consider Ovia apps. They are designed to monitor menstrual and ovulation cycles for women trying to conceive or track the pregnancy of expectant mothers.
Employers can pay to access aggregated data to identify, for instance, when new or expectant mothers are projected to return to work. These types of issues rarely receive widespread attention in the public domain. There is clearly a disconnect between consumers’ use of wellness apps and their understanding of how their information is used.
Most consumers remain unaware of what information is collected, how that information is stored, and most importantly who it is sold to or how it is ultimately used.
Advertising agencies, analytics companies, and social network organizations are all potential buyers. While stored personal information is supposed to be anonymized, an organization could combine two separately sourced data sets and compare device IDs, usernames, or email addresses to re-identify users.
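To show why “anonymized” data can still be linked across buyers, here is an added example that is not part of the original post or VerSprite’s own code. It uses constructed sample records with placeholder emails: a bare hash of the email is the same no matter who computes it, so two releases join trivially, whereas a per-recipient keyed pseudonym (HMAC with a secret the data holder never shares) cannot be matched against a buyer’s own hashed list.

```python
import hashlib
import hmac

# Constructed sample data (placeholder emails). The same users appear in a
# wellness app export and in an ad network's customer list.
WELLNESS_RECORDS = [
    {"email": "alice@example.com", "avg_steps": 9200, "cycle_tracking": True},
    {"email": "bob@example.com", "avg_steps": 4100, "cycle_tracking": False},
    {"email": "carol@example.com", "avg_steps": 7600, "cycle_tracking": True},
]
AD_NETWORK_RECORDS = [
    {"email": "alice@example.com", "name": "Alice A.", "employer": "Acme Corp"},
    {"email": "carol@example.com", "name": "Carol C.", "employer": "Globex"},
    {"email": "dave@example.com", "name": "Dave D.", "employer": "Initech"},
]


def naive_anonymize(records, ident="email"):
    """Replace the identifier with its bare SHA-256 digest.
    Anyone who knows the email can recompute the digest, so two
    'anonymized' datasets still join on it."""
    out = []
    for rec in records:
        rec = dict(rec)
        rec["id"] = hashlib.sha256(rec.pop(ident).lower().encode()).hexdigest()
        out.append(rec)
    return out


def pseudonymize_for_recipient(records, secret, recipient, ident="email"):
    """Per-recipient pseudonym: HMAC over the identifier with a key derived
    from a secret the data holder keeps and the recipient's name. Tokens are
    stable within one recipient's feed (analytics still work) but differ per
    recipient and cannot be recomputed by a buyer from raw emails."""
    key = hmac.new(secret, recipient.encode(), hashlib.sha256).digest()
    out = []
    for rec in records:
        rec = dict(rec)
        value = rec.pop(ident).lower().encode()
        rec["id"] = hmac.new(key, value, hashlib.sha256).hexdigest()
        out.append(rec)
    return out


def linked_ids(left, right):
    """Identifiers present in both datasets, i.e. the records a buyer could
    join to re-identify users."""
    return {r["id"] for r in left} & {r["id"] for r in right}
```

The same check works for device IDs or usernames by passing a different `ident` field.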
VerSprite offers two kinds of services to assist wellness providers with handling data in a secure manner.
For businesses concerned with their own data privacy practices, VerSprite’s Governance, Risk, and Compliance (GRC) team offers consultations for complying with state, federal, and international regulations.
Additionally, VerSprite’s Geopolitical Risk (GPR) team provides a variety of specialized services to help businesses conduct thorough due diligence, vet vendors and partners, prepare for expansion, and assess the effectiveness of current or planned strategies. Businesses working with partnering companies should also consider merger and acquisition and joint business services.