Chapter 13: Your Reproductive Data Isn’t Private
They Sold Your Secret for a Hundred and Sixty Dollars
In 2022, a journalist at Vice walked up to a data broker’s website, typed in a credit card number, and paid $160. For that price, the journalist received one week of location data covering more than 600 Planned Parenthood clinics across the United States. The data showed where each visitor came from, how long each visitor stayed, and where each visitor went afterward. The data broker, SafeGraph, had classified Planned Parenthood as a trackable brand and Family Planning Centers as a searchable category. Anyone with a credit card and an internet connection was able to do the same thing. No warrant. No subpoena. No judge. Just a credit card and a few clicks.
Stop and sit with that for a moment. Your visit to a reproductive health clinic, a visit you believed was private, a visit protected by the walls of a medical facility, was for sale. Your arrival time, your departure time, your home address, all of it bundled into a data set and offered to the highest bidder. And here is the part that should send a chill down your spine. This was perfectly legal under current laws.
This chapter is about the most intimate data you generate as a human being. Your reproductive health information. Your menstrual cycle data. Your pregnancy status. Your fertility treatments. Your clinic visits. Your search history when you type a question about your own body into Google at two in the morning. This is data so personal that most people assume federal law protects it. Most people are wrong.
Since the Supreme Court’s 2022 Dobbs decision overturned the constitutional right to abortion, reproductive health data has become the most legally vulnerable category of personal information in America. And the single federal rule designed to protect it lasted exactly eleven months before a Texas judge struck it down and the federal government walked away. What follows is the story of how we got here, who profits from the surveillance of reproductive decisions, and what you need to do to protect yourself and the people you love.
The Federal Protection That Vanished
In April 2024, the Biden administration published the HIPAA Reproductive Health Rule. The rule was the most ambitious federal attempt to shield reproductive health records from law enforcement. It prohibited hospitals, clinics, insurance companies, and other HIPAA covered entities from handing over protected health information in response to criminal, civil, or administrative investigations targeting someone for seeking, obtaining, providing, or helping with reproductive health care that was lawful in the state where it occurred. The rule covered abortion, contraception, IVF, fertility treatment, prenatal care, and gender affirming care. It required anyone requesting reproductive health records, whether law enforcement, a court, or an oversight agency, to sign a sworn statement declaring the request was not for a prohibited purpose.
The rule survived barely eleven months. On June 18, 2025, Judge Matthew Kacsmaryk of the Northern District of Texas vacated the rule nationwide. Kacsmaryk, the same judge who previously attempted to overturn FDA approval of mifepristone, ruled that HHS had exceeded its authority. The plaintiff was a Texas family medicine physician represented by the Alliance Defending Freedom. At least 17 states had filed challenges across four separate lawsuits. The Trump administration’s HHS declined to defend the rule. When the appeal deadline passed on August 18, 2025, no government lawyer filed an appeal. Proposed intervenors, including two cities and a physicians’ organization, attempted their own appeal and then withdrew it. The Fifth Circuit dismissed the case on September 10, 2025. The rule is permanently dead.
What remains is the original HIPAA framework, which permits covered entities to disclose your health information to law enforcement. It does not require disclosure. Your doctor still has the discretion to say no. HIPAA’s minimum necessary standard still applies, meaning providers should share only the minimum information needed to respond to a request. The American Medical Association, the American College of Obstetricians and Gynecologists, and the American Psychological Association all issued statements in late 2025 calling for protections of reproductive health records. None of those statements carry the force of law. The specific prohibition against disclosing reproductive health records for prosecution purposes no longer exists anywhere in federal law.
When Your Phone Testifies Against You
The cases are real. The names are public. The consequences were devastating.
In Mississippi in 2017, Latice Fisher, a Black mother of three, experienced what she described as an unexpected delivery that ended in a stillbirth. She went to the hospital seeking medical care. Police showed up. They asked for her iPhone. She handed it over voluntarily, the way most people would, believing she had nothing to hide. Investigators did not focus on medical evidence. They scrolled through her search history and found queries like “how to induce a miscarriage” and “buy Misoprostol Abortion Pill Online.” No physical evidence confirmed she ever took any medication. No toxicology report supported the prosecution’s theory.
The search history, the private questions she had typed into her phone in a moment of desperation, became the prosecution’s case. A grand jury indicted her on second degree murder charges carrying up to 40 years in prison. Fisher spent weeks in jail, separated from her children, before a second grand jury declined to indict in March 2020. Her life was upended because she searched for information on her own phone. Civil rights attorney Cynthia Conti-Cook described the case as a blueprint for how digital evidence gives prosecutors a window into a woman’s most private thoughts.
In Indiana in 2013, Purvi Patel was convicted of feticide based partly on text messages about ordering abortion pills from an overseas pharmacy and email exchanges with the supplier. A toxicologist found no trace of the drugs in Patel’s body or in the fetus. She was sentenced to 20 years in prison before an appeals court vacated the feticide conviction in 2016, marking the first time a state feticide law had been used against a woman for attempting her own abortion. In Idaho, police used cellphone geolocation records to track a visit to a Planned Parenthood in Oregon, then charged a mother and son with kidnapping for helping someone travel across state lines for an abortion.
According to Pregnancy Justice, prosecutors brought 210 pregnancy related criminal cases in the single year following the Dobbs decision, the highest number ever recorded in a single year. Charging documents increasingly cite “researching or exploring the possibility of an abortion” as evidence of criminal intent. The digital tools prosecutors rely on include search warrants for phone contents and cloud backups, subpoenas for subscriber records, geofence warrants demanding data on every device within a geographic area, and direct purchases of location data from commercial data brokers. That last category requires no warrant at all.
The Hundred and Sixty Dollar Surveillance Machine
The data broker pipeline targeting reproductive health clinics works through a chain most Americans never see. Hundreds of smartphone apps, from weather apps to games to prayer apps, contain embedded code called Software Development Kits from data brokers. These SDKs silently transmit your phone’s GPS coordinates, accurate to within ten feet, along with a unique Mobile Advertising ID that functions as a permanent digital fingerprint. Data brokers collect billions of these location pings every day and sell them to anyone willing to pay.
In October 2024, privacy researchers obtained a trial of Locate X, a surveillance tool sold to law enforcement by a company called Babel Street, simply by saying they planned to work with police. Using the tool, the researchers tracked a specific device from a home in Alabama to a reproductive health clinic in Florida and back again. They observed 700 unique phones at the clinic. Each device was traceable to its apparent home address. No warrant was required to access any of this information.
A company called Near Intelligence sold location data to an anti-abortion organization called the Veritas Society, which hired an advertising agency to draw digital geofences around reproductive health clinics and deliver more than 14 million targeted ads to people who visited those clinics across 48 states. Near’s own chief privacy officer admitted the company had no technical controls to prevent this kind of targeting. Another data broker, Mobilewalla, specifically collected location data from women at pregnancy centers to build audience segments labeled “pregnant women” for advertisers, pulling from real time bidding auctions that broadcast personal data hundreds of billions of times each day.
The FTC sued data broker Kochava in August 2022, its first lawsuit against a geolocation data broker, after Kochava’s data, covering 94 billion transactions per month across 125 million devices, tracked visits to reproductive health clinics. A settlement reached in late 2025 required Kochava to filter 2.1 million sensitive locations from its data sets.
Google announced in July 2022 that it would automatically delete location history entries near abortion clinics. A Washington Post investigation found the system failed roughly half the time, with the clinic name deleted in some cases and the route traveled still visible. Google made a more structural change in late 2023 by moving all location history to on device storage with a three month retention period and encryption for cloud backups, effectively ending its ability to respond to geofence warrants.
The Apps That Know Your Cycle Better Than You Do
More than 100 million women worldwide use period tracking and fertility apps to log their menstrual cycles, pregnancy status, sexual activity, fertility indicators, symptoms, and medications. This is some of the most intimate data a person generates. And almost none of it falls under HIPAA, because these apps are consumer products, not medical providers. They occupy a regulatory gap that leaves users exposed.
The FTC’s 2021 enforcement action against Flo Health proved just how exposed users were. Flo, one of the most popular period tracking apps in the world, had shared menstruation data, fertility data, and pregnancy data with Facebook, Google, AppsFlyer, and Flurry. Flo had promised users their information would stay private. The FTC’s consent order, finalized by a unanimous 5-0 commission vote, required Flo to obtain affirmative user consent before sharing health data, notify all affected users, and instruct third parties to destroy the improperly obtained data. It was the first time the FTC had ever required a company to notify its own users of a privacy enforcement action.
To its credit, Flo responded by launching an Anonymous Mode feature in mid 2022. This feature uses a technology called Oblivious HTTP through Cloudflare so that no single party holds both a user’s identity and their health data simultaneously. If law enforcement requests data on an Anonymous Mode user, Flo says it cannot fulfill the request because it does not have the information needed to connect anonymous data to a specific person.
Natural Cycles, a Swedish based FDA cleared contraceptive app, developed a similar Go Anonymous feature and stores user data within the European Economic Area under strict European privacy regulations. Clue, headquartered in Berlin, went further. Its co-CEOs publicly pledged they would never hand over private health data to any authority seeking to use it against their users, and stated that as a German company, no German court would permit such a request.
Not every app has reformed. Ovia, owned by diagnostics company Labcorp, sells data to employers’ human resources departments. Its terms of use grant the company a royalty free, perpetual, and irrevocable license, throughout the universe, to use and exploit de-identified user data. Ovia retains your data for seven years after you stop using the app. FEMM, a fertility tracking app with more than 400,000 downloads, is funded by the Chiaroscuro Foundation, a Catholic charity backed by conservative hedge fund manager and anti-abortion activist Sean Fieler, who sits on FEMM’s board. Two of FEMM’s medical advisors have ties to a Catholic university in Chile where abortion access is severely restricted. The app collects menstrual and sexual activity data from users who have no idea about the ideological commitments of its funders.
The safest choice among major apps is Euki, the only app to earn Mozilla’s Best Of rating. Euki stores all data locally on your device, collects no personal information, and includes a feature called a duress PIN. If someone forces you to open the app, entering 0000 displays false data. In Mozilla’s 2022 investigation of 25 reproductive health apps, 18 received the Privacy Not Included warning label. Only Euki and Natural Cycles avoided the warning.
No publicly documented case has so far involved a subpoena specifically for period tracking app data. The legal tools to compel that data already exist. Apps storing data in the cloud are subject to warrants and subpoenas under the Stored Communications Act. Data stored on a seized phone is extractable by forensic tools like Cellebrite and GrayKey, which recover deleted app data from internal databases until the data is overwritten. The potentially incriminating data points in a fertility app are significant. A logged pregnancy that suddenly disappears. A missed period followed by a resumption of regular cycles. Symptoms consistent with medication abortion. Location data showing a clinic visit. Each of these data points tells a story, and prosecutors know how to read it.
A Country Split in Two
With federal protection gone, state legislatures have become the front line of reproductive data privacy. The result is a patchwork so extreme that the same data point receives strong protection in one state and zero protection in the state next door.
Washington’s My Health My Data Act, signed in April 2023, is widely considered the strongest law in the nation. It created the broadest definition of consumer health data anywhere in America, covering reproductive and sexual health information, efforts to research or obtain reproductive services, and data derived or inferred from non-health information. That last category is critical, because it means an algorithm that infers your pregnancy status from your shopping patterns falls under the law’s protection. The law applies to any business regardless of size, covers data collected in Washington regardless of where the consumer lives, prohibits geofencing within 2,000 feet of health care facilities, and provides a private right of action with damages up to $25,000.
California has assembled the most layered package of protections through multiple statutes. AB 254, signed in 2023, reclassified period tracking apps and fertility websites as providers of health care, subjecting them to the same privacy standards as a doctor’s office. AB 352, also from 2023, requires electronic health record systems to include features restricting access to reproductive health data.
AB 1242, signed in 2022, prohibits California based communication companies from complying with out of state warrants for abortion services that are legal in California. And AB 45, signed by Governor Newsom on September 26, 2025 and effective January 1, 2026, bans geofencing within 1,850 feet of any family planning center and prohibits collecting, selling, or sharing personal information of anyone at or near those facilities. Violations carry penalties of $25,000 per violation, and the law gives individuals the right to sue for up to three times their actual damages.
Virginia provided a rare bipartisan moment when Republican Governor Glenn Youngkin signed SB 754 on March 24, 2025, effective July 1, 2025. The law prohibits obtaining, disclosing, selling, or spreading personally identifiable reproductive or sexual health information without consent. Its definition of protected data covers menstruation, pregnancy, contraception, fertility, sexual activity, and information derived or inferred from non-health data. It provides individuals the right to sue with minimum statutory damages of $500 per violation.
Six states now ban geofencing near health care facilities. Washington established a 2,000 foot radius effective July 2023. New York set an 1,850 foot limit effective July 2023. Connecticut imposed a 1,750 foot limit effective October 2023. Nevada followed with 1,750 feet effective March 2024. California added its 1,850 foot ban effective January 2026.
At the opposite end of the spectrum, states with total abortion bans and no reproductive data privacy protections include Alabama, Mississippi, Louisiana, Missouri, South Dakota, North Dakota, West Virginia, and Oklahoma. Idaho has a citizen enforcement mechanism allowing private civil lawsuits with $10,000 bounty rewards.
Texas, despite having a broad data privacy law, has the most aggressive enforcement posture. The Texas attorney general has sued a New York doctor for providing abortion pills to a Texas resident, testing whether shield laws in one state hold up against legal attacks from another. The data broker loophole means that even in states with strong shield laws, law enforcement in states with abortion bans is free to purchase location data showing your clinic visits without any warrant or judicial oversight. Montana became the first state to close this loophole in 2025, prohibiting law enforcement from purchasing data from brokers when they would otherwise need a warrant to obtain the same information.
The Federal Enforcer That Stepped Back
During the Biden administration, the Federal Trade Commission became the most active federal enforcer of reproductive data privacy, bringing a wave of cases that reshaped the rules for health apps and data brokers. Beyond the Flo settlement, the FTC brought the first ever enforcement of the Health Breach Notification Rule against GoodRx in February 2023, securing a $1.5 million penalty for sharing prescription and health data with Facebook, Google, and advertising platforms at the same time it displayed a fake HIPAA Secure badge on its website. A month later, the FTC reached a $7.8 million settlement with BetterHelp for sharing mental health intake data, including responses about depression and suicidal thoughts, with Facebook, Snapchat, and Pinterest. In May 2023, the agency penalized Easy Healthcare’s Premom ovulation app for sharing fertility data and GPS coordinates with analytics firms based in China.
That enforcement energy has evaporated. Under the current FTC chair, the commission operates with only two sitting commissioners, and leading privacy attorneys predict a dramatic pullback from the health data enforcement theories developed over the past few years. The amended Health Breach Notification Rule, which explicitly covers health apps and connected devices, remains in effect. New enforcement actions pushing the boundaries of health data privacy appear unlikely.
Congress has not stepped in. The My Body My Data Act, reintroduced in June 2025, would create a national standard protecting reproductive and sexual health data collected by apps, search engines, and other entities outside HIPAA’s reach. It has 22 co-sponsors from one party and zero from the other. It has not received a committee hearing. Federal legislation on reproductive data privacy is dead on arrival in the current political environment.
What Is Coming Next
The trajectory through 2027 points toward deeper fragmentation. At the federal level, the HIPAA rule is dead, the FTC is pulling back, and no new federal rulemaking on reproductive data privacy is expected. The administration proposed defunding Title X in its FY2026 budget and has restructured agencies that previously supported reproductive health research.
At the state level, the patchwork is growing. New York’s Health Information Privacy Act, vetoed by Governor Hochul in December 2025, was reintroduced in February 2026 with changes addressing the governor’s objections. If enacted, it would become the strongest state health data privacy law in the nation, covering reproductive data, location data, payment information, and health inferences. Virginia is advancing another bill to prohibit sales of precise geolocation data. Hawaii, Vermont, and New Hampshire are moving reproductive data bills forward. Legal analysts expect the pace of state health data legislation to accelerate through 2026 and into 2027.
The most significant legal development on the horizon sits at the Supreme Court. The Court has agreed to hear Chatrie v. United States, a case asking whether geofence warrants, which demand data on every device within a geographic area, violate the Fourth Amendment. The Fourth and Fifth Circuit courts of appeal split on this question.
A decision striking down geofence warrants would meaningfully protect people visiting reproductive health clinics. In Maryland, the state supreme court’s February 2025 decision in Moira Akers v. State overturned a conviction where internet searches about abortion had been used as evidence of criminal intent, setting an important precedent against weaponizing reproductive health search data.
The emerging frontier of risk is artificial intelligence powered behavioral inference. Modern algorithms already infer pregnancy from purchasing patterns, browsing behavior, and location data without any explicit health information being shared. You do not need to tell anyone you are pregnant. The algorithm figures it out from the supplements you buy, the websites you visit, the stores you walk into, and the changes in your daily routine. Researchers at the Harvard Petrie-Flom Center warned in November 2024 that AI’s ability to predict miscarriage or stillbirth risks becoming a surveillance tool, casting suspicion on women who suffer natural pregnancy losses.
A woman who has a miscarriage could find herself flagged by an algorithm that determined she was pregnant and then determined she was no longer pregnant, all without her ever telling a single person about her pregnancy. Wearable devices passively collecting skin temperature, heart rate variability, and sleep patterns reveal pregnancy status without any user input. Your smartwatch knows your body is changing before you confirm it yourself. The reproductive technology industry, projected to exceed $50 billion in revenue, generates enormous quantities of data that falls entirely outside HIPAA’s reach.
Protecting Yourself Starting Today
The law is fractured. The federal government has stepped back. Your state of residence determines whether your reproductive health data receives strong protection or no protection at all. And the data broker economy continues to collect, package, and sell your most intimate information every single day. Waiting for the legal system to fix this problem means waiting too long.
You need to take control of what is within your power right now. Use Signal with disappearing messages for any sensitive health conversations. Disable the Mobile Advertising ID on your phone, which is the tracking identifier that follows you from app to app. On an iPhone, go to Settings, Privacy, Tracking, and turn off Allow Apps to Request to Track. On Android, go to Settings, Privacy, Ads, and delete or reset your advertising ID. Leave your phone at home or power it off when visiting a reproductive health clinic.
Use a privacy focused browser like DuckDuckGo with NordVPn or the Tor Browser for any health research. Choose period tracking apps that store your data locally on your device, not in the cloud. Euki, Natural Cycles in anonymous mode, and Clue all offer stronger privacy protections than most alternatives. Use cash for reproductive health purchases. Keep your phone’s operating system updated, because newer software is significantly harder for forensic tools to crack. And talk to the people you love about these risks, especially your daughters, your sisters, your nieces, and your friends.
HIPAA covers roughly 10 percent of the entities that handle reproductive health data. Think about that number. Ten percent. Your doctor’s office, your hospital, your insurance company, these are covered. The other 90 percent, the period tracking apps, the search engines, the data brokers, the advertisers, the social media platforms, the wearable device manufacturers, they operate with little or no federal regulation. The fertility app on your phone knows more about your reproductive health than your doctor’s billing system, and it has far fewer legal obligations to keep that information private. More than 400 people faced pregnancy related criminal charges in the two years following the Dobbs decision. Digital evidence played a prominent role in case after case. The data trail you leave behind every time you open an app, search for a symptom, or walk into a clinic has become a weapon in the hands of prosecutors in states that have criminalized reproductive health decisions.
This is not a problem that will fix itself. This is not a problem that someone else will solve for you. This is a problem that requires every American to understand the risks, protect their own data, and demand that their elected representatives close the gaps that leave reproductive health information exposed. Call your state legislators. Ask them where they stand on reproductive data privacy. Ask them whether law enforcement in your state is allowed to buy your location data without a warrant. Ask them whether they support geofencing bans near health care facilities.
Make this a voting issue, because the people making these decisions are counting on you not paying attention. Your body is your own. Your health decisions are your own. And the data those decisions generate should be your own too.