AI Health Data Privacy Risks and How to Protect Yourself

Name: The Privacy Expert's Confession: Health Data in the Age of AI | Jackie Kimmell, MSx ’26
Uploaded: 2026-04-03T20:24:58.774288+00:00
Duration: 10 min 43 s
Channel: Stanford Graduate School of Business
Description: Summary and key takeaways on AI Health Data Privacy Risks and How to Protect Yourself, covering The Personal Dilemma People often turn to large language models

Stanford Graduate School of Business

Apr 03, 2026

•

10 min video

•

2 min read

YouTube video ID: -k5BxnTGsvQ

Source: YouTube video by Stanford Graduate School of Business — Watch original video

PDF

People often turn to large language models to interpret lab results because traditional healthcare can feel slow or confusing. The speaker, despite authoring a book on health‑data privacy, admitted to uploading personal lab results to an AI portal, saying, “I had just put my own protected health information into a completely unprotected portal.” Roughly 40 million users per day ask ChatGPT health‑related questions, illustrating the scale of this impulse.

The Scope of the Problem

Health‑data hacking has become commonplace. In 2024, three in four Americans experienced at least some form of health data breach, and about 50 % of the population is expected to have data hacked annually. Medical identity theft imposes a heavy burden—on average it takes 200 hours and $14,000 to resolve. Data brokers compile and sell lists based on conditions such as HIV/AIDS, depression, or weight‑loss goals, and companies like GoodRx, BetterHelp, Hims, and Hers have been cited for selling user data to advertisers.

The AI Factor

HIPAA, passed 30 years ago, was designed to protect information within formal healthcare systems and never applied to digital health apps or AI tools. Today, AI companies are launching features that integrate directly with personal health records, while privacy policies remain fluid. Companies may alter terms of service or even sell data during bankruptcy, as seen with 23andMe. Some AI firms, such as Anthropic, are reportedly pulling back on internal privacy safeguards to stay competitive in the “AI arms race.” The speaker warns, “The cat is out of the bag when it comes to our healthcare data privacy.”

Navigating the Future

To mitigate risk, users should exercise rights under state privacy laws—California, for example, allows individuals to access or delete collected data. Before linking medical records to an AI, consider potential consequences for employment, security clearances, and legal exposure, including subpoenas for reproductive‑health information. Safer practices include redacting identifying details or asking questions in general terms rather than providing exact lab values. The speaker advises, “If you do end up connecting to your medical record, slow down.” Ultimately, a new societal paradigm is needed that supports victims of data breaches rather than attempting to lock all data down, because “the kicker is most of your data is already out there. So if you use these tools, at least you get some upside.”

Takeaways

About 40 million people per day use AI chatbots like ChatGPT for health queries, often uploading sensitive personal information.
Three‑quarters of Americans faced health‑data hacking in 2024, and medical identity theft typically costs $14,000 and 200 hours to resolve.
HIPAA does not cover digital health apps or AI tools, allowing companies to sell or change data use policies without patient consent.
Users can reduce exposure by invoking state privacy rights, redacting details, and avoiding direct connections between AI and electronic medical records.
A broader societal shift is required to support victims of data breaches rather than trying to keep all health data locked away.

Frequently Asked Questions

Why does HIPAA not protect data shared with AI health tools?

HIPAA was created 30 years ago to safeguard information within formal healthcare settings and does not extend to digital health apps or AI platforms, leaving user data vulnerable to collection, sale, or policy changes by those companies.

How can individuals reduce privacy risks when using AI for health queries?

Individuals can invoke state privacy statutes to request deletion of their data, avoid uploading exact lab results, use generic phrasing, and refrain from linking AI directly to electronic medical records, thereby limiting exposure to employment, security‑clearance, or legal repercussions.

Who is Stanford Graduate School of Business on YouTube?

Stanford Graduate School of Business is a YouTube channel that publishes videos on a range of topics. Browse more summaries from this channel below.

Does this page include the full transcript of the video?

Yes, the full transcript for this video is available on this page. Click 'Show transcript' in the sidebar to read it.

Helpful resources related to this video

If you want to practice or explore the concepts discussed in the video, these commonly used tools may help.

Paper Shredder For Home Office Use Recommended

A paper shredder helps destroy physical medical documents containing sensitive information, preventing identity theft and unauthorized access to personal health records.

Amazon →

Fireproof Document Safe For Home

A fireproof safe provides a secure, offline location to store physical medical records and sensitive health documents, keeping them out of reach of digital data brokers.

Amazon →

Privacy Screen Filter For Laptop

A privacy screen limits the viewing angle of your monitor, preventing others from seeing sensitive health data or AI interactions while you are working in public spaces.

Amazon →

Links may be affiliate links. We only include resources that are genuinely relevant to the topic.

Summarize another video

Full Transcript YouTube

A few weeks ago, I got home in a rush.
Hurtling into my apartment, I sat down
on the sofa, opened my computer to an
email I just received. Lab results from
a blood test. I was instantly confused
by a list of biomarkers, colors, sliding
scales. Of course, red wasn't good, but
how bad was it? And what if I was just
outside the range? I wanted immediate
answers. So, without thinking, I
downloaded the PDF, uploaded it to
Claude, and asked it, "Imagine you're my
doctor. What would you think?"
The answers were immediate. I felt like
I had a good sense of the results. I
asked a few clarifications and
eventually I walked away feeling pretty
pleased in myself. It wasn't until a few
hours later when it hit me. I had just
put my own protected health information
into a completely unprotected portal. My
lab and birth dates were now in an
amorphous cloud linked to my name.
What's worse, I wrote the book on
healthcare data privacy. No, actually, I
wrote a book on healthcare data privacy.
[applause]
I I wrote it five years ago and I should
know better.
With absolutely no judgment, raise your
hand if you've asked Chad GPT a question
about your health.
Now, keep your hand up if you put
potentially sensitive information into
an LLM.
You are in good company. Open AAI says
that 40 million people a day are asking
chat GPT questions about their health.
One in four users are asking it a week.
That's 230 million people, equivalent to
the sixth most populous country in the
world.
To be clear, I'm not judging. You heard
me. I am in your same boat. But I think
we need to have a frank conversation, us
hand raisers, about our healthcare data
privacy because the world is changing
rapidly and I don't want you to suffer
what I did getting hacked.
So, it's six years ago and I'm sitting
in a hospital. I have an IV in my arm
and iron is slowly infusing into my
bloodstream, burning as it does so. I
feel my phone buzz and I see an email
from United Healthcare. My data has been
hacked. They make it seem corporate and
minor, but a quick Google shows the
truth. Russian hackers are holding the
company ransom, and United does not want
to pay. So, all of our data goes into
the dark web where anyone can see it.
Any insurance company can price my rates
higher. My life insurance premium could
skyrocket. And any potential employer
could decide they don't want to hire me
because of my potential health costs.
I could be one of the hundreds of
thousands of people whose medical
identity gets stolen every year, which
not only means that I get fraudulent
bills and false information in my chart,
but takes on average 200 hours and
$14,000 to fix.
I feel furious
and vulnerable. So, I get a grant to
write a book on healthcare data privacy.
I interview 70 experts, take classes in
privacy law, talk to everyone I can. I
end up realizing that privacy is a
deeply personal choice. For some people,
the threat of their data being out
there, even if they're fully healthy, is
horrifying. For other people, they don't
really care. In fact, they might
appreciate advertising tailored to their
specific health needs. Now, I won't go
into too much detail about what I
recommended in the book. You can buy my
book on Amazon if you want me to reduce
my GSB loan. However, I will say I
walked away feeling like we could do
whatever we could and should do whatever
we could to strengthen health data
privacy protections.
But it's been five years since the book
and a lot has changed. First of all,
there's been 15 new state laws
protecting our consumer data, including
our health data. But the risk has also
grown. In 2024 alone, three in four
Americans had at least some health data
hacked. So, all of you have had your
data hacked. That quadrant over there,
congrats, you are safe. But not for long
because on average, half of Americans
will have at least some data hacked
every year. And while you're probably
imagining this, which does happen, it's
also this. It's companies like Good RX,
Better Help, Hims, and Hers selling our
data to big tech and advertisers. It's
also these big data brokers that are
compiling all of the data about our
health and selling lists every single
day of people with HIV, AIDS, people who
want to lose weight, people with
depression.
And then there's AI. AI makes
tremendously large data sets incredibly
valuable. And there are tools that can
help us understand our health, even if
not perfect, in new ways.
So,
what do we do now?
Well, I think the cat is out of the bag
when it comes to our healthcare data
privacy. In fact, I think we've had the
wrong focus. HIPPO was passed 30 years
ago with the idea that we can protect
data in the formal health care system.
It never applied to things like digital
health or tools. Now, that's clearly not
working. The formal health care system
is being hacked all of the time. And
those digital apps and tools that more
and more people are using, they have to
rely on consumer state laws to protect
them.
So, we end up in a situation where
things are going to get a whole lot
messier with AI.
You hand raisers, I just don't foresee
you stopping to use AI to answer
questions about your health. That
immediate impulse to get answers in a
system that's slow and confusing, that's
not going to go away. And the AI
companies know that, too. They're now
launching products so you can connect to
your health records and get better
answers because you have hundreds to
thousands of pages of proverbally of
your health data in your portal.
That means better answers. It also means
more risk.
So I reached back out to those privacy
experts and asked them what should you
do now? And everyone has a different
opinion. Some are using AI tools
themselves. Others told me to tell you
to stay as far away as possible. The
truth is people don't know the risks of
using AI with our data today. That's
because these models and the terms and
conditions are constantly changing.
You have companies that are storing
massive amounts of data, a cyber
security risk that we've never seen
before. And companies like Anthropic are
pulling back on internal privacy
policies because they don't want to fall
behind in the AI arms race. And then you
have the fact that AI companies can
change the terms and conditions at any
point. Companies have done this in the
past. Think of 23 and me which sold data
before it went bankrupt.
So all of this makes me want to ask you
a question. Are you making an informed
trade-off when it comes to using these
tools? Here's what you need to know. If
you're going to use an AI chatbot for
your health, know that that data is not
protected by HIPPA. It's protected by
state privacy laws. If you are in
California, you have a right to know
what's being collected, to access it,
and to delete it. Those rights are not
automatic. You have to exercise them.
Think carefully about the data that you
are going to put into those chatbots,
especially if you're going to connect to
your medical record. If you do end up
connecting to your medical record, slow
down.
Think about would you want a potential
employer to see the data in there? Are
you going to need security clearance at
some point? Pay extra caution to your
mental health status, HIV status,
reproductive health. Courts are already
sub subpoenaing chat records about
abortion, for instance.
Think about this. Can you redact the
information or ask in general terms
versus specific?
Most of this comes down to you. These
tools have tremendous power, but make a
conscious tradeoff to use them. And
consider it this way.
If you have a long conversation with
ChatGpt about your health, say things
that you're slightly ashamed of, and you
get an Instagram ad the next day that's
way too close to what you told it, are
you used to it or are you going to be
squeamish? That is your risk tolerance.
The kicker is most of your data is
already out there. So if you use these
tools, at least you get some upside.
As more of us use AI for our data and
more health information flows between
these tools, there's going to be more
breaches and there's going to be more
victims. I think we as a society need a
new paradigm.
Don't lock everything down, but support
the victims of health data privacy
breaches because I learned an important
lesson in the hospital and sitting on my
couch uploading those app uploading my
labs. The current system is not serving
us. We are hungry for answers
personalized to us. And so I would
upload my labs to claude again. But to
follow their catchphrase, I'm going to
keep thinking, and I hope you do, too.
[applause]