Healthcare data is one of the most valuable commodities on earth — and therapy data is the most sensitive slice of it. Here's what's actually happening to it, and why "HIPAA compliant" isn't the protection most therapists think it is.
Data brokers are companies whose entire business model is collecting personal information and selling it. There are thousands of them. They buy data from retailers, loyalty programs, apps, social networks, public records — and healthcare companies. They aggregate it, package it, and sell it to insurers, employers, advertisers, landlords, and governments.
This practice is legal, lucrative, and widespread: the data broker industry generates over $200 billion in annual revenue in the United States alone.
The protection most people assume exists — that their health information is private — is real, but narrower than it sounds. HIPAA only covers "covered entities" (hospitals, clinics, insurers) and their "business associates." It does not cover the downstream buyers of that data once it has been stripped of the identifiers HIPAA considers protected.
Under HIPAA's "Safe Harbor" standard, health data is considered de-identified — and therefore freely sellable — once 18 specific identifiers are removed: name, address, phone number, Social Security number, and so on. Once those are gone, it's no longer "Protected Health Information" under the law, and it can be sold to anyone.
The problem is that de-identified data is not truly anonymous. A landmark study by Latanya Sweeney found that 87% of Americans can be uniquely re-identified using only three data points: ZIP code, date of birth, and sex. More recent research puts the re-identification rate for "anonymized" health records even higher when cross-referenced with commercial data brokers' existing profiles.
In practice, data brokers already have rich profiles on most adults. Adding de-identified health data to a profile that includes shopping history, location data, and social media activity is often enough to reconstruct exactly who the record belongs to — including their diagnoses, prescriptions, and treatment history.
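The re-identification risk described above can be measured before any dataset is released. The following is an added example, not code from the original article or from Confidant: a small disclosure-risk audit that counts how many records in a "de-identified" set are still unique on the three quasi-identifiers the article names (ZIP code, date of birth, sex), then shows what coarsening those fields to a 3-digit ZIP prefix and birth year, plus suppressing any remaining singletons, does to the set's k-anonymity. The records, diagnosis codes and the `enforce_k` threshold are constructed for illustration.

```python
"""Disclosure-risk audit for a 'de-identified' health dataset.

Added example (not part of the original article): measures how many records are
still unique on the quasi-identifiers the article names (ZIP code, date of birth,
sex), then shows how coarsening those fields and suppressing singletons raises the
k-anonymity of the set. All records below are constructed for illustration.
"""
from collections import Counter

# Constructed sample: direct identifiers (name, address, SSN, ...) already removed,
# but full ZIP code and full date of birth retained. Diagnosis codes are ICD-10-style
# placeholders chosen for illustration only.
RECORDS = [
    {"zip": "02139", "dob": "1985-03-14", "sex": "F", "diagnosis": "F41.1"},
    {"zip": "02139", "dob": "1985-11-02", "sex": "F", "diagnosis": "F32.1"},
    {"zip": "02141", "dob": "1985-07-21", "sex": "F", "diagnosis": "F43.10"},
    {"zip": "02142", "dob": "1985-01-09", "sex": "F", "diagnosis": "F41.1"},
    {"zip": "02139", "dob": "1972-05-30", "sex": "M", "diagnosis": "F31.9"},
    {"zip": "02140", "dob": "1972-09-18", "sex": "M", "diagnosis": "F32.1"},
    {"zip": "02143", "dob": "1972-12-01", "sex": "M", "diagnosis": "F41.1"},
    {"zip": "02139", "dob": "1972-02-27", "sex": "M", "diagnosis": "F43.10"},
    {"zip": "02139", "dob": "1990-06-06", "sex": "M", "diagnosis": "F32.1"},
]

QUASI_IDENTIFIERS = ("zip", "dob", "sex")


def equivalence_classes(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in records)


def risk_report(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Return (k, unique_count).

    k is the smallest equivalence-class size, i.e. the k-anonymity of the dataset.
    unique_count is how many records can be singled out by their quasi-identifiers
    alone; each of those is one join against an external profile away from a name.
    """
    classes = equivalence_classes(records, quasi_identifiers)
    k = min(classes.values())
    unique = sum(size for size in classes.values() if size == 1)
    return k, unique


def generalize(record):
    """Coarsen the quasi-identifiers: keep only the 3-digit ZIP prefix and birth year."""
    return {**record, "zip": record["zip"][:3], "dob": record["dob"][:4]}


def enforce_k(records, k_target, quasi_identifiers=QUASI_IDENTIFIERS):
    """Suppress every record whose equivalence class is smaller than k_target.

    Generalization alone does not guarantee a minimum class size (a single record
    from an unusual birth year stays unique), so the release step drops singletons
    rather than publishing them.
    """
    classes = equivalence_classes(records, quasi_identifiers)
    return [r for r in records
            if classes[tuple(r[q] for q in quasi_identifiers)] >= k_target]


if __name__ == "__main__":
    print("full granularity   (k, unique) =", risk_report(RECORDS))
    coarse = [generalize(r) for r in RECORDS]
    print("generalized        (k, unique) =", risk_report(coarse))
    released = enforce_k(coarse, 2)
    print("after suppression  (k, unique) =", risk_report(released),
          "records kept:", len(released))
```

With full ZIP and date of birth every one of the nine constructed records is unique (k = 1), which is the situation the article describes. Coarsening brings eight of them into classes of four, but the lone 1990 record stays unique, which is why a release process needs the suppression step and not just field removal.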
Most health data — a prescription for a cholesterol medication, a visit to an orthopedist — is sensitive but relatively benign in what it reveals. Mental health data is different. Therapy notes contain diagnoses, trauma histories, relationship disclosures, medication status, and the kind of personal detail that clients share only because they believe it will never leave the room.
That data has demonstrable consequences when it escapes the clinical relationship. Insurance companies use mental health history in underwriting and claims decisions. In custody disputes, therapy records have been subpoenaed and used against the very clients who sought treatment. In some states, mental health records can be accessed by law enforcement without a court order under broad public safety provisions.
This isn't theoretical. A 2023 report from Duke University found that 11 of 37 data brokers contacted were willing and able to sell mental health data outright — no meaningful buyer verification required. The data on offer linked diagnoses like depression, bipolar disorder, and anxiety to names, home addresses, credit scores, and net worth. One broker told the researcher that buyers could "use the data freely." Prices started at $275 for 5,000 records.
When you use a cloud-based therapy notes platform, your session data leaves your device and lives on their servers. The platform signs a Business Associate Agreement with you — which many therapists treat as a guarantee of privacy. It isn't. A BAA establishes that the vendor is permitted to handle your clients' PHI (Protected Health Information). It does not prevent them from using that data for their own purposes within the bounds of HIPAA — which are broad.
Most cloud platforms' Terms of Service include language permitting them to use aggregated or de-identified data for "product improvement," "research," or "analytics." In practice, that often means using session transcripts to train or fine-tune AI models — including the same AI models they sell back to you as a feature.
In 2023, the FTC brought action against BetterHelp for sharing users' mental health data — including the fact of therapy enrollment — with Facebook and Snapchat for advertising targeting. BetterHelp paid a $7.8 million settlement. That same year, Cerebral disclosed that it had been sharing sensitive mental health information with Meta, Google, and TikTok via tracking pixels embedded in its platform. These weren't rogue actors operating outside the norm — they were among the largest mental health platforms in the country.
The incentive structure of cloud-based software pushes toward this. When a company's data is its most valuable asset, the pressure to monetize it — subtly, legally, and in ways that don't trigger immediate outrage — is constant.
Any data stored on a server can be subpoenaed. A valid court order compels a company to produce whatever records they hold — and companies with servers full of therapy data have to comply. The critical difference: when your data lives on a platform's servers, that subpoena goes to them. You may not be notified in time to respond, assert privilege, or seek legal counsel on your client's behalf. The decision about what gets handed over happens without you.
When your data lives only on your own device, a subpoena has to come to you directly. You remain in control. You have the opportunity to respond, consult an attorney, and advocate for your client — the same way you would with paper records.
There is also the breach problem. The Change Healthcare cyberattack in February 2024 — the largest healthcare data breach in US history — exposed the records of over 100 million Americans. Medical histories, mental health diagnoses, prescriptions, and insurance information were stolen and, in many cases, published. The company had signed BAAs with thousands of healthcare providers. None of that prevented the breach, because all of it was stored in one place.
There is no subpoena that can compel data that doesn't exist on a server. There is no breach that can expose data that never left your device.
Confidant runs entirely on your device. Your session recordings, transcripts, and notes never leave your device — not to our servers, not to any third party. We have no backend that stores client data, which means there is nothing for us to sell, nothing to breach, and nothing to subpoena.
We can't sign a Business Associate Agreement with you, because we are not a Business Associate under HIPAA — we never touch your clients' Protected Health Information. What you record and write stays on your computer, encrypted at rest, under your control.
We are also a company with no investors and no outside pressure to monetize anything. With no client data and no subscriptions, there will never be anything here worth acquiring — which was the point from the beginning. Our friends in the business world told us as much. They were right, and we built it anyway.
You can verify all of this by turning off your wifi. Confidant works exactly the same.
Questions about how Confidant handles data? Read our Privacy Policy.