The number of healthcare breaches is staggering.

• Between 2009 and 2023, healthcare institutes reported nearly 6,000 healthcare data breaches of 500+ records to the Office for Civil Rights (OCR).
• As a result of these breaches, more than 519 million healthcare records were exposed.
• The frequency of data breaches has more than doubled in recent years, averaging two breaches of 500+ records reported each day in 2023.

In light of the number of breaches, it may be a bit surprising how many patients continue to trust healthcare organizations with their personal data provided it is used to improve their health and wellness. As McKinsey & Company found in a 2024 survey, nearly three-quarters of patients are willing to give their health information to primary care physicians. More than 60 percent would willingly share their health data with health insurers, and another 25 percent might approve. At the bottom of the list are retail clinics, government and tech companies.

The juxtaposition of data breaches and trust is the dual edge of innovation. It’s safe to say that recent data privacy failures, including Meta Pixel and the Flo app which are discussed below, have made patients and regulators more cautious, leading to a rethinking of how health data is collected, used and protected.

Perhaps more than staggering number of healthcare data breaches, two data scandals shook the public’s trust.

1. Meta Pixel used on hospital websites tracking patient behavior
   A 2021 study of 3,700+ hospital websites determined that 98.6 percent of hospitals used at least one type of tracking code that transferred data to third parties. A 2022 analysis of the websites of the top 100 hospitals showed that one-third “used tracking technologies on their websites that transferred visitor data, including protected health information (PHI), to third parties.” In December 2022, the HHS’ Office for Civil Rights issued guidance to HIPAA-regulated entities, making it clear that website tracking technologies violate HIPAA unless there is a business associate agreement (BAA) or authorizations are obtained from patients.
2. Flo app sharing reproductive health data despite claims of privacy
   Flo, a fertility tracking app, told users it would not share data, but a lawsuit alleged the company allowed Meta to place a software development kit (SDK) in the app, enabling Meta to receive women’s period data that was used in targeted advertising. A 2019 Wall Street Journal story reported that Flo has provided period information to Meta, Google and other third parties. In July 2025, Flo settled the class action lawsuit. Terms of the agreement have not been disclosed.

The consequences have been regulatory action, loss of user trust, and a wake-up call for the entire industry.

Healthcare Data is Uniquely Sensitive

Healthcare data is much more than names, addresses and emails. It’s clinical records, genetic data, mental health, reproductive history and more. Misuse of this data can result in stigma, discrimination and loss of autonomy. The uniquely sensitive nature of healthcare data and concerns about the possibility of data being sold or used without consent is why some urged 23andMe customers to delete their data when the company declared bankruptcy. At the risk of restating the obvious, healthcare providers, researchers and tech companies have ethical responsibilities to protect patient healthcare data.

Special Considerations for Sensitive Therapeutic Areas

The Flo app’s disclosure of reproductive health data to Meta, Google and other third parties is a vivid example of a sensitive therapeutic area for which extra care is needed. Mental health, HIV, stigmatized conditions and rare disease research as well as vulnerable populations also necessitate special considerations. These sensitive therapeutic areas highlight the importance of community engagement and ethical data stewardship. Ethical data stewardship is the responsible and morally sound management of data throughout its entire lifecycle. It involves ensuring data is handled in a way that respects individual privacy, promotes fairness, and maintains transparency in all data practices.

Healthcare Organizations Build Trust Through Transparency

There are three critical ways to build patient trust through transparency:

1. Clear and accessible privacy policies and data-use disclosures
2. Meaningful, informed consent that is not buried in legalese
3. Giving individuals control through opt-in mechanisms, data access requests, and deletion rights

Even better is designing for privacy, not just compliance. Rather than retrofitting, employ privacy-by-design as a core principle. Central tenets include role-based access, audit trails and data minimization. Savvy organizations use the best practices of encryption, secure identify verification and data retention to protect data and improve patient trust.