As the health tech industry continues to grow—valued at $908.5 billion in 2023 and projected to hit $3.1 trillion by 2033, according to Allied Market Research—so does the amount of patient data floating around.
But many of the companies on the market right now, from smartwatch and AI scribe developers to primary care companies, sell relatively similar products. And in a competitive market like healthcare, that means they aren’t all going to survive. Global information company Health Tech World reported that 90% of health techs eventually fail.
Forward, for example, was a primary care startup that offered virtual appointments in health pods around the country. The company’s abrupt end in November 2024 (it had launched in 2016 and raised $650 million over the course of its life) sparked concerns about closing procedures, as patients had a hard time retrieving their health records and maintaining access to prescriptions, Fierce Healthcare reported at the time.
Experts told us what might happen to a patient’s data if a company unexpectedly folded and what safely shutting down looks like.
Regulations. There are limited regulations on patient health data. Currently, 20 states have instituted some rules—including Washington’s My Health My Data Act, which allows patients to delete data and prevents the sale of it without patient permission. But protection often comes down to user agreements, which most people (91% of 2,000 surveyed adults in a Deloitte survey) don’t read.
In these user agreements, there may be information about how patient data will be handled if the company is sold or merged, Ron De Jesus, field chief privacy officer at data privacy company Transcend, told Healthcare Brew.
“I actually haven’t seen a lot of companies say ‘If we fold, here’s what happens,’” he said.
Take for example the March bankruptcy of family ancestry company 23andMe, which stored DNA data on behalf of its 15 million users. After filing for Chapter 11 bankruptcy, the company pointed to its privacy policy and promised it would not share customer data, according to CNN.
“We expect the court-supervised process will advance our efforts to address the operational and financial challenges we face, including further cost reductions and the resolution of legal and leasehold liabilities,” Mark Jensen, chair and member of the special committee of the board of directors at 23andMe, said in a release at the time.
However, the privacy statement also says 23andMe could transfer its customers’ personal information if the company is sold or files bankruptcy, and those customers “can’t protect their data from being accessed, sold, or transferred as part of that transaction,” the Harvard Gazette reported.
With the company facing $214.7 million in debt, customers jumped to protect their information soon after the bankruptcy announcement, flooding 23andMe’s website to delete their data before it could be sold off.
Best practices. Alongside limited regulation, there’s also been a rise in artificial intelligence use in healthcare, including a burgeoning market where patient information is used to train models and build products.
In light of this, companies should have secure data infrastructures and safety policies, Pat McGloin, managing director of health and life sciences at health advertising company Merge, told us.
Prior to coming out with a product like a wearable, he said, companies should make sure that at their core, they have solid encryption to make data unreadable, access controls that limit who has permission to see data, and other standard operating procedures in place.
But right now, security controls vary depending on the company, De Jesus said. For example, some companies may encrypt health information, but not personal information like names and email addresses, he said.
There are also best practices for deleting data, De Jesus added, including providing a 30-day buffer before the company overwrites sensitive information, which means replacing what’s on the storage device with new data. This gives the company time to review the data and make sure it isn’t needed for litigation or other reasons.
“It is a process,” he said. “Firstly, revoking access, and then eventually deleting the data per review cycle and making sure that we’re not deleting it if it’s subject to other policy requirements.”
It’s also important to minimize the data that gets stored, McGloin added.
Rapid response plans are important, he said, because “if there is a data breach or there is a hack or a company does fold, you have that data encrypted so that it’s protected and not easily accessed by outside parties.”
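The wind-down deletion process De Jesus describes (revoke access first, keep the bytes intact through the 30-day buffer, leave anything under litigation review alone, then overwrite the storage) as an added Python example written for this article; it is not any quoted company's code, and the record fields, sample patients and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

GRACE_PERIOD = timedelta(days=30)  # buffer before sensitive data is overwritten

@dataclass
class Record:
    record_id: str
    owner: str                 # only principal allowed to read the record while it is live
    payload: bytearray         # the sensitive bytes sitting on the storage device
    legal_hold: bool = False   # set by legal review; blocks overwrite until cleared
    access_revoked_at: Optional[datetime] = None
    overwritten: bool = False

def revoke_access(rec: Record, now: datetime) -> None:
    """Step 1: cut off access right away; the bytes stay intact for the review window."""
    if rec.access_revoked_at is None:
        rec.access_revoked_at = now

def can_read(rec: Record, principal: str) -> bool:
    """Access control: a revoked or overwritten record is unreadable, even by its owner."""
    return rec.access_revoked_at is None and not rec.overwritten and principal == rec.owner

def review_cycle(records: List[Record], now: datetime) -> Dict[str, List[str]]:
    """Step 2: each cycle, overwrite records past the buffer that are not on hold."""
    outcome: Dict[str, List[str]] = {"overwritten": [], "held": [], "waiting": []}
    for rec in records:
        if rec.overwritten or rec.access_revoked_at is None:
            continue  # already handled, or deletion never scheduled
        if rec.legal_hold:
            outcome["held"].append(rec.record_id)  # subject to other policy requirements
        elif now - rec.access_revoked_at >= GRACE_PERIOD:
            rec.payload[:] = b"\x00" * len(rec.payload)  # replace device contents with new data
            rec.overwritten = True
            outcome["overwritten"].append(rec.record_id)
        else:
            outcome["waiting"].append(rec.record_id)  # still inside the 30-day buffer
    return outcome

def run_demo() -> Dict[str, Dict[str, List[str]]]:
    """Constructed sample: two records, one under litigation hold, walked through the timeline."""
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    records = [Record("pt-001", "alice", bytearray(b"glucose readings")),
               Record("pt-002", "bob", bytearray(b"ecg trace"), legal_hold=True)]
    for rec in records:
        revoke_access(rec, t0)
    return {"day_10": review_cycle(records, t0 + timedelta(days=10)),
            "day_30": review_cycle(records, t0 + timedelta(days=30))}
```

The held record stays readable to nobody but is never overwritten until the hold is cleared, which is the "not deleting it if it's subject to other policy requirements" step.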