As soon as COVID-19 struck, the need for mental health services increased, and because in-person care was prohibited, many turned to digital services, resulting in a worrisome breach of data privacy.

Digital mental health service applications capture, aggregate, and sell sensitive mental and physical health information, according to a data brokerage study done by the Duke Sanford School of Public Policy. In many instances, these services were not subject to HIPAA laws.

The purchasers of personal health information include banks and other financial companies, US law enforcement authorities, advertising firms, insurance providers, and con artists.

Some digital health service platforms priced their users’ health information between $200 and $5,000, while others offered monthly memberships for $75,000 to $100,000.

So, what is being sold? The survey revealed that some firms sold data on anonymous users, while others offered information such as an individual’s age, sex, race, postal code, and mental health status.

The Federal Trade Commission filed an order with the Justice Department earlier this month against GoodRx, a leader in American healthcare and operator of a telemedicine network, for illegally exchanging user information with advertising giants such as Facebook and Google. Since then, the business has agreed to pay a $1.5 million punishment. If the lawsuit is successful, GoodRx would be prohibited from exchanging sensitive personal information with third parties.