Grindr breach reveals inadequacy of digital age privacy regulations


Grindr, the dating platform primarily used by gay, bisexual and transgender men, is under heavy scrutiny for sharing its users’ HIV status with third parties. Unlike the privacy breaches common in the past, this unique incident exposed the sensitive medical data of millions of users without any clear legal repercussions for the vendor. The consequences go well beyond the unwanted exposure of private data. By eroding the trust of our most vulnerable communities, this incident sets back outreach efforts and will result in medical harm to members of the LGBT community in the long run. The breach also highlights the weakness of our current privacy laws and calls for a serious review and revision of our outdated regulations.

Fortunately, the immediate privacy threats that could result from this breach are minimal, if not absent. Contrary to common belief, large volumes of medical data by themselves lack any value to outsiders. I have previously debunked this myth: there is no black market for your medical data on the dark web. Hackers are not curious to know a random person’s medical condition; they are looking to monetize credit card and social security numbers quickly and easily. Only your family members and close circle of friends would be interested in your medical data, which are still unavailable to them at this time. There is no need to worry about this breach unless you are a celebrity or a politician.

Although this incident may not seriously undermine the privacy of users, it will severely damage their trust in Grindr and other similar applications. This lack of trust will set back the current efforts by Grindr and other parties to help the LGBTQ community. Grindr’s decision to send HIV test reminders is a good example of such outreach efforts. Although no cure for HIV exists yet, patients can stay healthy for many years as long as their disease is controlled and managed with antiretroviral drugs. To control their disease, medication adherence and routine HIV testing are vital for HIV patients. Testing reminders could be a significant help for them to follow up with their medical care and better manage their condition. With the current revelations, it is unlikely that patients will continue to share such information, and therefore they will not be able to receive services that in some cases could be lifesaving.

Finally, the Grindr data breach is a wakeup call for policymakers to revisit and revise privacy regulations, specifically the Health Insurance Portability and Accountability Act (HIPAA). Since 1996, HIPAA has governed patient privacy and the protection of private medical information. Back then, policymakers did not foresee situations in which sensitive medical data is shared with a platform that is not involved in medical care. Therefore, HIPAA only covers medical providers and their business associates and does not pertain to platforms such as Grindr.

Had a similar breach happened at a hospital, the Department of Health and Human Services (HHS) would immediately start a thorough investigation, fine the hospital, and ensure that adequate policies are in place to prevent breaches in the future. My research on the effectiveness of the law shows that it has protected the privacy of millions of patients over recent years. To protect the privacy of the American people, we should update our laws and adapt to the new digital age. It is now time for us to expand the reach of HIPAA to include other types of organizations that have access to medical data.