Electronic Health Data is Vulnerable Post Roe v. Wade

The possible overturn of the Supreme Court’s landmark Roe v. Wade decision would have far-reaching implications for the country, including in the data privacy realm. There’s deep concern that, if abortion is outlawed, private health data may be wielded by states as evidence in prosecutions.

Private Health Data or Admissible Evidence?

Although most of us are well aware that our personal data is regularly being collected, correlated and shared, it’s easy to underestimate the true size of our digital footprints. There are myriad mobile applications, IoT devices, GPS trackers and other devices collecting data that provide intimate insight into our personal health.

In the context of abortion, obvious data sources are health apps and IoT devices that track menstruation or ovulation cycles. Data voluntarily provided to these apps, such as a missed period, could be used to conclude the user was pregnant, and resumption of menstruation in less than nine months could be cited as evidence of an abortion.

During the COVID-19 pandemic, there’s been an explosion in the number of health applications collecting and disclosing data to comply with quarantine and contact-tracing requirements or to facilitate telehealth visits. Even a decade ago, it was surprisingly easy to deduce a person’s health status from seemingly innocuous purchase records. Now, unprecedented amounts of personal health information are stored and shared digitally.

Location data, gathered by a smartphone or other GPS-enabled device, could also be used to trace visits to abortion clinics or places that provide family-planning counseling. Although this information has little commercial value, it’s often collected for research purposes.

Web searches are another potential source of evidence for prosecutions. Search histories for information about abortion clinics or terms such as “abortion,” “termination of pregnancy” or “induce miscarriage” might be used to prove criminal intent. In 2017, prosecutors attempted to charge a Mississippi woman who’d experienced an at-home pregnancy loss with second-degree murder, using her online research into abortion drugs as supporting evidence.

Data Confidentiality

Confidentiality of personal health data, including information about fertility and pregnancy, cannot be assumed. Data about pregnancy or potential pregnancy is valuable to advertisers, and there are numerous sites that share this information with data aggregators for resale. Even if a company has privacy policies promising confidentiality, there’s no guarantee that they will adhere to those policies. In 2021, the Federal Trade Commission (FTC) finalized a settlement with Flo Health, Inc., for sharing users’ private health data in contravention of its stated policies. Despite assurances that user data would remain private, Flo’s period-tracking app shared information, such as user period cycles or indicated intention to get pregnant, with Facebook and other marketing and analytics firms. As part of the settlement, Flo Health was required to notify users about the disclosures and instruct third parties to destroy the shared data, but the company did not admit any wrongdoing. Furthermore, privacy policies can be changed at will or overridden by the legal process. If required by a court order, companies must disclose any relevant data they have.

How the Government Accesses Your Data

There are numerous precedents of federal and local law enforcement seeking and obtaining sensitive data in prosecution of a suspected crime. In a well-known case, the FBI sought to compel Apple to unlock the iPhone of a terrorist involved in the San Bernardino shootings in 2015. Apple pushed back against this demand, but it likely would’ve complied had the data been stored in the cloud, rather than on a physical device.

A growing trend has been the use of geofence warrants to identify suspected criminals based on their proximity to the crime scene. These warrants allow law enforcement to search a database for all active mobile devices in a particular area within a specified time frame. Google’s Sensorvault is the most prominent such database; it contains location data extracted from hundreds of millions of mobile devices, and that data is stored indefinitely. Google received nearly 12,000 geofence warrants in 2020.

If abortion becomes a crime in some states, prosecutors could potentially use geofence warrants to seek all phone numbers near an abortion clinic at a given time to link the owners to a terminated pregnancy. Forty members of Congress recently called on Google to cease collecting and storing extensive location data, lest it be forced to aid in potential abortion prosecutions. Geofence warrants are often challenged under the Fourth Amendment as unreasonable searches, but they have yet to be definitively ruled unconstitutional.

Moreover, even if the government is blocked by the courts, law enforcement can always buy its way around them. Although legislation has been proposed to ban the practice, there are currently no laws preventing the government from buying information from data brokers that it would otherwise need a search warrant to obtain.

Data Protection Laws

Data privacy laws will have newfound importance in a post-Roe v. Wade country, which may spur efforts to strengthen existing legal protections. However, current legislation protecting data privacy is quite limited.

The Electronic Communications Privacy Act (ECPA) governs access to records held by communications service providers, such as Gmail and Verizon. Also known as the Stored Communications Act (SCA), the ECPA defines legal requirements that the government must meet to access these records, among which is demonstrating a reasonable possibility of criminal activity. If abortion is made illegal, suspicion of terminating a pregnancy could meet this requirement. It’s currently unclear whether the ECPA applies to records collected from IoT devices and stored by the manufacturer.

One might expect that the Health Insurance Portability and Accountability Act (HIPAA), which was enacted in 1996 to protect private health information from unauthorized disclosure, would serve as a bulwark against efforts to obtain sensitive health information without consent. However, its provisions only apply to health records maintained by doctors, hospitals, insurance companies and their business associates. Direct-to-consumer health apps or health devices used by an individual, such as a health app that tracks menstruation dates or a fertility monitor purchased from a drug store, fall outside HIPAA’s purview, leaving vast troves of digital health information unprotected.

The FTC’s Health Breach Notification Rule does enforce some accountability from companies storing health information not covered by HIPAA. The rule applies to any businesses that offer or maintain electronic records of “identifiable health information on an individual,” such as data recorded by fitness tracker apps. However, the rule merely sets forth requirements for notifying consumers that a breach has occurred. It does nothing to actually protect the data from compromise.

Unless the overturn of Roe v. Wade prompts Congress to pass new laws safeguarding private health data from prosecutors, the primary responsibility will fall on individuals to protect themselves.

Guarding Your Privacy

Should the Supreme Court reverse the Roe v. Wade decision, approximately half of the states are expected to ban abortion. In this scenario, residents should consider taking these steps to protect their health information:

  • Turn off location tracking on your phone before traveling for abortion services, including abortion counseling. Or, better yet, leave your phone and other electronic devices at home. Even with GPS tracking disabled, the location of a cell phone can still be determined using the information it provides when pinging the nearest cell tower.
  • If you plan to text or chat about abortion-related decisions, use a secure messaging app like Signal to encrypt your messages.
  • Use privacy-focused web browsers, such as Brave or DuckDuckGo, that promote anonymity and don’t save search queries.
  • Avoid using IoT devices or related apps that collect health data if there’s any chance you may consider an abortion in the future. If you do use these devices, opt to store the data locally rather than in the cloud.
  • If you forget to follow any of the steps above, all is not lost. In many cases, you can get your data deleted by submitting a request to the relevant website or device manufacturer.

At MBL Technologies, we take individual and company data privacy seriously. That’s why we stay at the forefront of the latest threats to your information. If you’re looking for data privacy or cybersecurity expertise, please let us know. We’re here to help.
