When seeking a COVID-19 test, many Georgetown students turn to the free, on-campus option provided by the university through the primary care service One Medical. Amazon’s July acquisition of One Medical—with its 790,000 total users—has sparked worry among Georgetown community members about medical data security.
“I definitely do think this raised concerns about data privacy because we use One Medical often,” Prisha Punjabi (COL ’25) said.
Amazon has amassed large amounts of personal data—financial details, addresses, comprehensive ad preferences—and now, with the acquisition of One Medical, health data. Despite claims of regular audits and attentiveness to user privacy, the company has been accused of valuing growth over privacy by former high-level information security employees.
“I would hope that whatever information is leaked to Amazon would be as minimal as possible but still necessary—if it is necessary at all,” Christina Landau (COL ’25) said.
The Federal Trade Commission (FTC) is currently investigating Amazon’s acquisition of One Medical, which could delay the closing of the deal. This investigation is partially due to calls from supporters of stricter antitrust regulations urging the FTC to stop the deal altogether.
Meg Leta Jones, an associate professor in the Communication, Culture & Technology program at Georgetown, sees Amazon’s venture as part of a profit-increasing strategy and does not necessarily have concerns about data privacy.
“Amazon is definitely buying One Medical to make money, but I do not think Amazon has any plans to violate the law,” Jones said. She pointed out that health privacy laws, like the Health Insurance Portability and Accountability Act (HIPAA), regulate companies like One Medical.
“One Medical operates under [U.S.] health privacy laws. Amazon and its data do not, so that relationship will have to sort out which data stays on one side of the fence that gets a certain kind of treatment and which data stays on the other side and gets another,” Jones said.
Despite significant concerns surrounding Amazon’s ownership of One Medical, the university claims that it will protect students’ data privacy.
“The university complies with all applicable privacy laws and regulations relating to its collection, use, and maintenance of personally identifiable information, including health information of members of the Georgetown community and is committed to having companies that provide services to Georgetown for its faculty, staff, and students do the same,” a university spokesperson wrote to the Voice.
Despite these assurances, the acquisition feels particularly sensitive now. Since the overturn of Roe v. Wade earlier this year, new health data privacy concerns have emerged. Used by about a third of all women nationwide, menstrual tracking apps allow users to track cycle dates, the use of birth control, and other sensitive data such as geolocation.
“It is really infringing on your privacy in a way it shouldn’t be because, especially when it comes to menstrual stuff and abortion,” Punjabi said. “I definitely think it’s a step backward.”
These apps failed to store data securely even before the overturn of Roe v. Wade, with reports of the apps being used to target users with certain advertisements or to determine insurance coverage or loan rates.
“This all feels very new, but that data was not private or secure before, and it is not now either. It is now just relevant to a procedure that you may not have a right to anymore,” Jones said.
A team testing health apps for the U.K.’s National Health Service found that 84 percent of the 25 most popular period-tracking apps share data with third parties. Consumer Reports evaluations revealed apps such as Flo and Period Tracker are among those that do not maintain users’ privacy securely.
Even if individuals who use period-tracking apps delete them, their data may have already been collected and shared, leaving many feeling disappointed at the lack of privacy within these apps.
“I feel like whenever you put something on the Internet that we should have the right to still keep it private, and it should not go any further than where you are putting that information,” Landau said.
In a post-Roe world, the protections provided by HIPAA are under fresh scrutiny, with many pushing for adjustments to better address technological advancements. Currently, HIPAA applies to “covered entities” like healthcare plans and providers (including One Medical) but is limited to domestic providers and does not cover all internet activity.
In an effort to establish stricter health data privacy laws, Rep. Frank Pallone introduced the American Data Privacy and Protection Act (ADPPA) earlier this summer, a bill designed to establish requirements for how companies handle personal data and minimize the amount that companies collect.
Companies would only be allowed to collect data if the reason for doing so fell under one of 17 categories outlined in the bill, including completing transactions and fraud prevention.
Under the ADPPA, companies would need explicit consent from consumers before targeting them with advertisements. It would also require companies to implement security practices to keep personal data away from unauthorized viewers.
“It has a lot of features that would push companies to minimize the amount of data that they have,” Jones said. “Which does two things: It pushes for software [to support data-minimizing internal structures], and it pushes companies to have different kinds of business models.”
Despite not banning targeted advertising in its entirety, the bill would impose stricter limits than any law thus far. The current version of the ADPPA received a fair amount of bipartisan support, with the House Commerce Committee advancing it by a 53-2 vote, making data privacy advocates hopeful that it or a similar bill will pass soon.
Jones stressed that data privacy—like many issues—is one where progress will only be made if consumers advocate for it.
“We have procedures that law enforcement are supposed to go through to get access to data. The problem is that those hurdles are not high enough,” Jones said. “Push your representatives to pass ADPPA or a bill like that.”