Lawmakers Move to Block AI Labs From Selling Sensitive Health Data to Brokers

Closing the AI Privacy Loophole
As generative AI transforms from a creative novelty into a diagnostic tool, a bipartisan push in Washington is attempting to ensure that the most intimate details of American lives don’t become commodities. Senators Elizabeth Warren (D-MA) and Ron Wyden (D-OR), alongside Representative Mary Gay Scanlon (D-PA) and Senator Bernie Sanders (I-VT), are introducing a modernized version of the Health and Location Data Protection Act specifically designed to curb the appetite of data brokers.
The updated legislation marks a significant shift from its 2022 predecessor. While the original bill focused primarily on the brokers themselves, the new framework targets the source: the companies collecting the data. Specifically, it seeks to prohibit AI labs and chatbot services from selling sensitive health and location information to third-party brokers—a practice that has historically flourished in the absence of a comprehensive federal privacy law.
The Race for Medical AI
The urgency of the bill stems from a sudden, aggressive pivot by AI giants toward the healthcare sector. In early 2026, the industry saw a flurry of activity aimed at converting LLMs into medical assistants. OpenAI launched “ChatGPT Health,” a specialized, sandboxed environment designed to encourage users to upload medical records and MRI scans. Anthropic followed suit with “Claude for Healthcare,” positioning it as a “HIPAA-ready” tool for both practitioners and patients.
Even more provocative was a public call from Elon Musk for users to feed their medical records into xAI’s Grok. While these companies frame these features as breakthroughs in personalized medicine, critics argue they are creating massive, centralized honeypots of sensitive data. Under current U.S. law, the protection of this data often rests on the “honor system” of corporate privacy policies and terms of service, which can be changed unilaterally by the provider.
Enforcement and the FTC
The proposed legislation doesn’t just set rules; it attempts to fund the police. The bill would require the Federal Trade Commission (FTC) to establish clear regulatory guidelines within 180 days. To ensure these rules aren’t ignored, the legislation earmarks $1 billion for the FTC over the next decade to bolster enforcement capabilities.
Crucially, the bill expands the right to litigation. It would not only allow the FTC and state attorneys general to sue violators but also grant a private right of action to affected individuals. This means users whose health data was illegally sold could potentially sue AI companies directly for damages, creating a powerful financial deterrent against data monetization.
“It’s more important than ever that we crack down on data brokers that are raking in giant profits from selling Americans’ most sensitive information,” Senator Warren stated, emphasizing that the move is a direct response to the increasing trend of users trusting AI chatbots with private medical queries.
The Gap in Federal Protection
The push for this bill highlights a persistent vulnerability in the American digital ecosystem. Unlike the European Union with its GDPR, the U.S. lacks a single, overarching federal privacy framework. Instead, it relies on a patchwork of sectoral laws like HIPAA, which often doesn’t apply to consumer-facing apps or AI chatbots unless those tools are explicitly integrated into a clinical healthcare provider’s workflow.
By targeting the “sale” of data rather than just its collection, lawmakers are attempting to break the financial incentive for AI companies to leak user information into the broader data-broker ecosystem, where it is often repackaged and sold to insurers, marketers, or predatory lenders.