Health Privacy Enforcement Is Here. Connecticut Just Proved It.

Jeremy Mittler

Health privacy enforcement is not "coming." It's here.

What Connecticut's AG Just Released

Connecticut's Attorney General released its 2025 enforcement report. Health data is a prominent focus.

The report highlighted two actions tied to consumer health data:

  • An ongoing investigation into a fertility tracking product
  • A notice of violation and inquiry letter sent to a large data broker over sensitive data practices, including health data

Neither involves a hospital. Neither involves HIPAA. Both involve data practices that are common in healthcare advertising.

The Part Most People Miss

In Connecticut, consumer health data is defined by its purpose.

Data you use to identify someone's health condition.

"Use to" is intent. Not data type. Not source. Not format.

So the right risk question is not "Is this HIPAA data?"

It's: What is the intent of your audience data?

If your audience data ties health information to an individual, that question is the fastest way to assess risk.

What This Means for Healthcare Advertising

Most audience methods in healthcare advertising are built on exactly this kind of data. Segments designed to identify people with a condition. Predictions about who is likely to seek treatment. Inferences about health status.

Under Connecticut's framework—and similar laws in other states—the intent behind that data is what creates the legal exposure. Not whether it came from a covered entity. Not whether a vendor labeled it "HIPAA compliant."

Enforcement is catching up to how audience data actually works.

This Is Not an Isolated Case

Connecticut is one of 21 states with active consumer privacy laws. Each has its own definition of health data. Several define it by purpose, not source.

California's enforcement against Healthline set the same precedent: personal identifier plus health context equals sensitive data, regardless of where it came from.

The pattern is consistent. Enforcement is real. And the question every healthcare marketer should be asking their audience vendors is not whether they checked the HIPAA box. It's whether they can explain what their data was built to do.
