What we found
FreeStyle Libre 3: Glucose monitor that sends your blood sugar to Abbott's cloud. Your body is their data.
The FreeStyle LibreLink app embeds three third-party tracking libraries: Google Crashlytics, Google Firebase Analytics, and Adobe Experience Cloud. Adobe Experience Cloud is a comprehensive marketing analytics platform that tracks user behavior, segments audiences, and enables targeted advertising -- far beyond crash reporting or app performance monitoring. Embedding a marketing analytics suite in a medical device companion app means health-correlated usage patterns (e.g., glucose alarm frequency, scan patterns) flow to Adobe's servers.
Calm: You downloaded Calm because you couldn't sleep.
Exodus Privacy analysis found Facebook SDK, Google Analytics, Adjust, and AppsFlyer trackers embedded in the Calm Android app. The Facebook SDK transmits app usage events to Meta's advertising infrastructure -- meaning your meditation sessions, sleep stories accessed, and anxiety management exercises are potentially feeding Facebook's ad targeting system. Adjust and AppsFlyer are mobile attribution platforms that track which advertisements brought you to the app and monitor your in-app behavior for advertising optimisation. Calm's privacy policy permits sharing data with "analytics providers," "advertising networks," and "business partners." A person who downloads a meditation app because they're struggling with anxiety is generating advertising data for the company that profits from anxiety-inducing social media. The meditation app and the anxiety machine share the same data pipeline.
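The tracker findings above for LibreLink and Calm come from static analysis of the apps' packaged code: each SDK ships its classes under a distinctive Java package prefix, so an auditor can list the classes in an APK's classes.dex and match them against a table of known prefixes. The script below is an added example of that check (it is not Exodus Privacy's code and not from the page). The signature prefixes, the purpose labels, and the sample class listing are all constructed for the example; a real audit would use a maintained signature list and the class names dumped from the actual APK.

```python
import re
from collections import defaultdict

# Added example; not from the page or from Exodus Privacy.
# Assumption: a tracker SDK can be recognised by the Java package prefix its
# classes live under. The prefixes and purpose labels below are constructed for
# this example, not a maintained signature database.
TRACKER_SIGNATURES = {
    "Google Crashlytics": ("crash reporting",
                           [r"^com\.google\.firebase\.crashlytics\.", r"^com\.crashlytics\."]),
    "Google Firebase Analytics": ("analytics",
                                  [r"^com\.google\.firebase\.analytics\."]),
    "Adobe Experience Cloud": ("marketing analytics / advertising",
                               [r"^com\.adobe\.marketing\.mobile\."]),
    "Facebook SDK": ("advertising", [r"^com\.facebook\."]),
    "Adjust": ("attribution / advertising", [r"^com\.adjust\.sdk\."]),
    "AppsFlyer": ("attribution / advertising", [r"^com\.appsflyer\."]),
}


def normalize_class_name(entry):
    """Accept a dotted name ('com.facebook.FacebookSdk') or a DEX type
    descriptor ('Lcom/facebook/FacebookSdk;') and return the dotted form."""
    entry = entry.strip()
    if entry.startswith("L") and entry.endswith(";"):
        entry = entry[1:-1].replace("/", ".")
    return entry


def find_trackers(class_entries):
    """Map each detected tracker to the class names that triggered it."""
    compiled = {name: [re.compile(p) for p in pats]
                for name, (_, pats) in TRACKER_SIGNATURES.items()}
    hits = defaultdict(list)
    for entry in class_entries:
        cls = normalize_class_name(entry)
        for name, pats in compiled.items():
            if any(p.match(cls) for p in pats):
                hits[name].append(cls)
                break  # one tracker per class is enough
    return dict(hits)


def beyond_crash_reporting(detected):
    """Names of detected trackers whose purpose goes beyond crash reporting,
    i.e. the ones a privacy review of a health app should question."""
    return sorted(n for n in detected if TRACKER_SIGNATURES[n][0] != "crash reporting")


# Constructed class listing standing in for a DEX class dump of a hypothetical
# health app; it is not taken from any real APK.
SAMPLE_CLASSES = [
    "Lcom/example/healthapp/MainActivity;",
    "Lcom/example/healthapp/glucose/ScanService;",
    "Lcom/google/firebase/crashlytics/FirebaseCrashlytics;",
    "Lcom/google/firebase/analytics/FirebaseAnalytics;",
    "Lcom/adobe/marketing/mobile/MobileCore;",
    "Lcom/facebook/FacebookSdk;",
    "Lcom/adjust/sdk/Adjust;",
    "Lcom/appsflyer/AppsFlyerLib;",
    "Landroidx/appcompat/app/AppCompatActivity;",
]

if __name__ == "__main__":
    found = find_trackers(SAMPLE_CLASSES)
    for name, classes in sorted(found.items()):
        print(f"{name} ({TRACKER_SIGNATURES[name][0]}): {classes[0]}")
    print("Beyond crash reporting:", beyond_crash_reporting(found))
```

Class names can be obtained from any DEX disassembler's output; the script only cares about the type descriptors. The purpose label is the part that matters for a medical app review: a crash reporter and a marketing analytics SDK both show up as "a tracker", but only the latter is built to segment users and feed advertising.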
Medibank: Russian hackers stole 9.7 million Medibank records.
Russian hackers linked to the REvil ransomware group stole 9.7 million Medibank customer records in October 2022. The stolen data included not just names, dates of birth, and Medicare numbers, but detailed health claims data: specific medical procedures, diagnoses, and treatment histories. The hackers published the data on the dark web in batches, sorting victims into categories they called "good-list" and "naughty-list." The "naughty-list" contained the most sensitive records: abortion procedures, mental health treatment, HIV status, drug and alcohol rehabilitation. Patients who had sought treatment for the most stigmatised health conditions -- conditions they may not have disclosed to family, employers, or partners -- had their medical histories published on the internet, sorted by how damaging the information was. Medibank refused to pay the ransom, citing advice from cybersecurity experts that payment wouldn't guarantee data deletion. The decision was defensible. The consequence was that millions of Australians' most intimate health secrets were published permanently.
Change Healthcare: One hundred million Americans' medical records stolen.
In February 2024, the ALPHV/BlackCat ransomware gang attacked Change Healthcare -- a subsidiary of UnitedHealth Group -- causing the largest healthcare data breach in US history. Over 100 million patient records were exposed, including diagnoses, medications, treatment plans, Social Security numbers, insurance details, and financial information. The attack was possible because multi-factor authentication (MFA) was not enabled on the compromised Citrix remote access portal. A $400 billion healthcare company did not enable MFA on a critical system. UnitedHealth CEO Andrew Witty testified before Congress that the company paid a $22 million ransom. The attack caused nationwide healthcare disruption: pharmacies couldn't process prescriptions for days, hospitals couldn't file insurance claims, and small medical practices faced bankruptcy from cash flow interruptions. The single point of failure for American healthcare lacked a basic security measure that most email accounts require.
GoodRx: You searched GoodRx for the cheapest price on your antidepressant.
The FTC fined GoodRx $1.5 million in February 2023 -- the first enforcement action under the Health Breach Notification Rule -- for sharing prescription drug data with Facebook, Google, and other advertising companies. GoodRx embedded the Facebook Pixel and Google Analytics on its website and app, transmitting which medications users searched for, which prescriptions they purchased, and their associated health conditions. A user searching for Truvada (HIV prevention) had that search sent to Facebook. A user filling an antidepressant prescription had that purchase sent to Google. GoodRx's website included a page titled "HIPAA" that implied the company followed HIPAA protections -- but GoodRx is not a HIPAA-covered entity and was never bound by HIPAA. The page created a false impression of medical-grade privacy while prescription data flowed to advertising platforms. The FTC imposed a 20-year prohibition on sharing health data for advertising.
Natural Cycles: Thirty-seven women at one Stockholm hospital sought abortions after their birth control app failed.
In January 2018, Stockholm's Södersjukhuset hospital reported that 37 women who used Natural Cycles as their primary contraception had sought abortions after unintended pregnancies over a four-month period. Sweden's Medical Products Agency (MPA) launched an investigation. Natural Cycles argued the pregnancies were within the app's stated typical-use failure rate of 7% -- meaning for every 100 women using the app for a year, 7 will become pregnant. The UK Advertising Standards Authority (ASA) banned Natural Cycles' advertising in August 2018, ruling that ads claiming the app was "clinically tested" and "highly accurate" were misleading. The ads did not adequately communicate the failure rate. The app was marketed on Instagram and Facebook to young women as a lifestyle product -- "hormone-free, empowering, natural" -- rather than as a medical device with a meaningful failure rate. The FDA clearance was for a De Novo classification, a lower regulatory bar than Pre-Market Approval.
Ovia Health: Your employer offered Ovia as a wellness benefit.
The Washington Post reported in 2019 that Ovia offered employers access to aggregate employee reproductive health data through its employer wellness program dashboard. Employers including Walmart, Google, and Bank of America could see anonymised data about their employees' fertility struggles, pregnancy complications, miscarriage rates, and postpartum depression indicators. The employer dashboard displayed data on specific conditions including "ichthyosis, listeriosis, and autism" among the employee population. While framed as "aggregate" and "anonymised," reproductive health data from a small team is inherently identifiable -- if one employee on a team of 15 is visibly pregnant and the dashboard shows pregnancy complications, the connection is obvious. Ovia was acquired by Labcorp in 2021, making employee reproductive health data a subsidiary of one of the largest clinical laboratory companies in the United States. Your employer's wellness benefit sends your pregnancy complications to a company that also processes your lab results.
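The "aggregate and anonymised" problem described above is a small-cell disclosure problem, and the standard privacy-engineering control for it is cell suppression: a count is released only when enough people share the flag and enough people do not. The script below is an added example of that rule (not Ovia's code, not from the page). The employee records, the team sizes and the minimum cell size of 5 are all constructed for the example; real disclosure policies pick their own threshold.

```python
from collections import Counter

# Added example; not Ovia's code and not from the page.
# Assumption: an employer dashboard is fed per-employee condition flags and
# shows counts per team. All records below are constructed.


def make_team(name, size, flagged):
    """Build constructed records: `flagged` maps condition -> set of member indices."""
    members = []
    for i in range(size):
        conds = {c for c, idx in flagged.items() if i in idx}
        members.append((name, f"{name[:3]}{i:02d}", conds))
    return members


# A 15-person team with one flagged pregnancy complication (the scenario in the
# text) and a 60-person team where the same flag is shared by six people.
RECORDS = (make_team("engineering", 15, {"pregnancy complication": {3}})
           + make_team("operations", 60, {"pregnancy complication": {1, 7, 12, 30, 41, 55},
                                          "postpartum depression": {7, 12}}))


def team_sizes(records):
    return Counter(team for team, _, _ in records)


def suppress(count, team_size, min_cell):
    """Primary suppression rule: release a count only when at least min_cell
    people share the flag AND at least min_cell do not. The second half matters
    too: "14 of 15 have X" identifies the one person who does not."""
    if count < min_cell or team_size - count < min_cell:
        return None
    return count


def aggregate(records, min_cell=5):
    """Per-team condition counts with small cells suppressed (None)."""
    sizes = team_sizes(records)
    counts = {}
    for team, _, conds in records:
        for c in conds:
            counts.setdefault(team, Counter())[c] += 1
    return {team: {c: suppress(n, size, min_cell)
                   for c, n in counts.get(team, Counter()).items()}
            for team, size in sizes.items()}


if __name__ == "__main__":
    for team, cells in aggregate(RECORDS).items():
        print(team, cells)
```

With the constructed data the engineering cell is suppressed (1 of 15) while the operations pregnancy-complication count is released (6 of 60) and its postpartum-depression count is withheld (2 of 60). A suppressed cell still reveals that the count is small, so dashboards that follow this rule usually hide the condition row entirely for small teams rather than printing a blank; the dashboard described in the text did neither.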
Ancestry.com: Blackstone paid $4.7 billion for your DNA.
Ancestry holds approximately 20 million DNA samples -- the largest consumer genetic database in the world. In 2020, Blackstone, one of the world's largest private equity firms, acquired Ancestry for $4.7 billion. DNA data is now a private equity asset. Private equity firms optimise for returns on investment, not privacy stewardship. Every DNA sample contains information about the donor and all of their biological relatives -- people who never consented to having their genetic data in a private equity portfolio. Ancestry's database, combined with its 30 billion+ historical records and family tree data, creates the most comprehensive genetic and genealogical dataset outside of government control. A private equity firm now controls the biological identity of 20 million people and the family connections of hundreds of millions more. Your DNA cannot be changed. If Blackstone sells Ancestry, your permanent biological identity transfers to the buyer.