[crumpled]

If the data is managed by a company that isn't in the healthcare industry, HIPPA doesn't apply. An insurance company, even a health insurance company can purchase non healthcare data from an analytics company.

It wasn't HIPPA protected when it was on my heritage, and it won't be healthcare data when it's eventually leaked and resold.

If you don't think legitimate companies are interested in buying that data, look around at the market for our password breach and identity theft data. There's a brisk, legal trade.

[slg]

I never mentioned HIPAA in the context you are implying. I was simply saying it won't protect the malicious actors from being discovered.

> look around at the market for our password breach and identity theft data. There's a brisk, legal trade.

If it is so easy to acquire this data legally, do you want to point to a business from which one can legally purchase "identity theft data"?

[crumpled]

I read about a "threat intelligence" company on here the other day who got hacked for all their breach data. Not all of it is super public, and none of the public dumps are in a tidy package where you can associate users in one breach with users in another breach. Sorry I couldn't find the name of the company.

But there are more than a handful of "threat intelligence" or OSINT providers. I'll let you Google it for yourself.