2025 Privacy Predictions for Healthcare 

Updated on December 28, 2024

2024 saw a surge in regulatory actions targeting privacy, largely aimed at poor data protection practices, including those involving consumer health data. The FTC ramped up enforcement fines and complaints against companies for mishandling sensitive healthcare data, including a $7 million fine against the mental health platform Cerebral. President Biden issued an Executive Order that prompted the DOJ and CFPB to propose increased regulations for data brokers, with a significant focus on the collection of health and location data.

As 2025 approaches, a new U.S. administration is set to take office, bringing the potential for shifts in federal regulation and enforcement strategies. While leadership transitions may temporarily slow federal actions and reshape the legislative agenda, growing consumer awareness around privacy, expanding state-level regulations, and their downstream impacts are expected to drive significant changes in healthcare privacy.  

2025 is going to be a VERY active year for privacy compliance. Here are some of our predictions to help prepare.

Customer Demands for More Health Data Privacy

A recent Cisco study on privacy awareness released in 2024 found that 81% of U.S. respondents support a federal privacy law, and 38% are now “Privacy Actives,” meaning they’ve actually stopped working with a company over data-sharing concerns. This is a 15% increase from 2023. This shift may be partly driven by increased media coverage of issues like the evolving TikTok ban and national security risks, which have highlighted questionable data collection practices. Additionally, state restrictions on types of treatment, like reproductive care, have amplified concerns about the collection, protection, and misuse of health and location data. An expanding regulatory environment and heightened government attention to healthcare privacy have further elevated public awareness of these issues.

This awareness is expected to grow, putting pressure on healthcare organizations to implement stricter privacy practices or risk losing customers and getting fined. Companies that proactively strengthen their privacy measures can not only maintain trust but also gain a competitive edge in an increasingly privacy-conscious marketplace.

Stricter Controls on Data Brokers and National Security Concerns

One of the key privacy efforts in 2024 was regulating how data brokers use health data. Data brokers pose not only a privacy concern but also a national security risk: the data is robust, easy to buy, and can easily be misused by foreign adversaries, as well as for illegal domestic activities such as scams and blackmail.

With recent actions by the DOJ and CFPB targeting data brokers and the FTC bringing complaints this month against Gravy Analytics and Mobilewalla for their unauthorized collection of sensitive location data, there’s significant momentum behind tightening controls on data brokers. These moves are rooted in recognizing that unregulated access to private information—especially health data and location data—can lead to national and domestic security risks. Health data is particularly vulnerable to misuse, such as scams, blackmail, and other malicious activities, making it a prime target for regulation.

In 2025, stricter controls on health data handling by third parties, particularly data brokers, will continue. Businesses, especially in healthcare, will likely need greater transparency and more substantial data protection practices to comply.

Stricter Cyber Insurance and Privacy Standards

Cyber insurance will become more stringent regarding privacy benchmarks, particularly for healthcare organizations. With the rise in demand letters, class action lawsuits, and privacy breaches, healthcare companies and their insurers must prepare for increasing risks of noncompliance in an expanding regulatory environment. Healthcare organizations are now subject to a growing patchwork of regulations, including state-level health-focused laws such as California’s CMIA and Washington’s My Health My Data, along with state comprehensive privacy laws, federal consumer protection laws, and HIPAA. As it stands, a fine from one regulatory agency could trigger additional lawsuits or fines from others, amplifying both financial and reputational risks. In response, insurers are likely to require more comprehensive privacy audits and benchmarks to offer affordable coverage.

Increased State Regulatory Actions and Fines

In 2024, states like Oregon, Texas, and Montana implemented new privacy laws, and eight additional states are scheduled to follow suit in 2025. Many of the laws introduced in 2024 included “right to cure” periods, giving companies time to address violations before penalties are enforced. As these grace periods expire, we anticipate an uptick in enforcement actions under these new laws. As state laws multiply, businesses will face growing challenges in meeting diverse requirements, increasing the risk of violations and associated fines. This underscores the importance of proactive compliance measures for healthcare organizations to avoid costly penalties in the coming year.

Continued Scrutiny of Data Collection Practices

In 2024, momentum around cases involving Meta’s use of tracking pixels on healthcare sites appeared to slow. Still, we’ve seen some attention shift to other pixels, like LinkedIn’s pixel, with three healthcare companies sued in September over its data collection practices. Meanwhile, other analytics tools and the websites deploying them continue to face wiretapping allegations. These lawsuits are expected to persist, as many of the underlying issues remain unresolved and are still working their way through the courts. Healthcare organizations should reconsider using these tracking pixels on any pages that include patient intake forms, booking tools, or fields that can collect symptom and diagnosis information.
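One way to turn the pixel check above into something a privacy or security team can run, as an added example that is not part of the original post: a small Python audit that parses a page's HTML, records the Meta and LinkedIn pixel loaders, and reports them as findings only when the same page also carries symptom, diagnosis or booking fields. The tracker hostnames and field-name hints are assumptions for illustration, and the sample page is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Loader hosts for the two pixels named in the post (assumed for illustration;
# confirm against your own traffic captures before relying on them).
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "snap.licdn.com": "LinkedIn Insight Tag",
}
# Field-name fragments hinting at symptom, diagnosis or booking data (assumed list).
SENSITIVE_HINTS = ("symptom", "diagnos", "condition", "appointment")


class PixelAuditParser(HTMLParser):
    """Collect third-party resource loads and sensitive form fields."""

    def __init__(self):
        super().__init__()
        self.trackers = []          # (vendor, src URL)
        self.sensitive_fields = []  # names of flagged inputs

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            host = urlparse(a["src"]).hostname or ""
            for tracker_host, vendor in TRACKER_HOSTS.items():
                if host == tracker_host or host.endswith("." + tracker_host):
                    self.trackers.append((vendor, a["src"]))
        if tag in ("input", "select", "textarea"):
            name = (a.get("name") or a.get("id") or "").lower()
            if any(h in name for h in SENSITIVE_HINTS):
                self.sensitive_fields.append(name)


def audit_page(html):
    """Return (findings, sensitive_fields). A finding is a pixel loaded on a
    page that also carries a sensitive form; pixels on other pages are not flagged."""
    p = PixelAuditParser()
    p.feed(html)
    return (p.trackers if p.sensitive_fields else []), p.sensitive_fields


# Constructed sample: a booking page with symptom fields that loads both pixels.
SAMPLE_INTAKE_PAGE = """<html><head>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="https://snap.licdn.com/li.lms-analytics/insight.min.js"></script>
</head><body><form action="/book">
<input name="symptoms"><select name="appointment_type"></select>
</form><img src="https://www.example.com/logo.png"></body></html>"""
```

Running `audit_page` over crawled pages and diffing the findings between crawls is the monitoring loop the conclusion calls for; a first-party image load, as in the sample, produces no finding.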

To Conclude

As public privacy concerns grow and new laws take hold, healthcare organizations must strengthen their data protection practices, enhance transparency, and ensure compliance with increasing state privacy laws to stay ahead. To do this, these organizations need to upgrade their monitoring and detection capabilities so they can discover privacy risk as close to real time as possible, and obviously well before a regulator or class-action plaintiff approaches!

Companies that fail to do so risk financial and reputational damage, not to mention the loss of trust from an increasingly privacy-conscious public. 

2025 will be a very active year, so get ready! 

Ian Cohen

Ian Cohen is the CEO of LOKKER.