| Data type / destination | Anthem BCBS |
United Healthcare |
Aetna | Cigna | Humana |
|---|---|---|---|---|---|
| HIPAA-covered (baseline) | |||||
| Claims & treatment historyHIPAA Notice | Yes | Yes | Yes | Yes | Yes |
| Medication & prescription dataHIPAA Notice | Yes | Yes | Yes | Yes | Yes |
| Substance use disorder recordsHIPAA Notice (42 CFR Part 2) | Partial | Partial | Partial | ||
| Genetic informationHIPAA Notice | Prohibited for underwriting | Prohibited for underwriting | Prohibited for underwriting | Prohibited for underwriting | |
| Identity & financial | |||||
| Social Security numberApplications & forms | Yes | Yes | Yes | Yes | Yes |
| Credit bureau dataCigna GLB Notice; Humana HIPAA Notice | Yes | Yes | |||
| Medical Information Bureau dataHumana HIPAA Notice | Yes | ||||
| Demographic & identity | |||||
| Race, ethnicity, language (collected & inferred)Anthem HIPAA Notice | Yes | ||||
| Sexual orientation & gender identityAnthem HIPAA Notice | Yes | ||||
| Demographic data (third-party sourced)Web / Online Privacy Policy | Yes | Yes | |||
| Religious affiliationCigna HIPAA Notice (facility directory) | Yes | ||||
| Device & behavioral (non-HIPAA) | |||||
| GPS & real-time locationWeb / Online Privacy Policy | Yes | Non-precise | |||
| Browsing behavior across websitesWeb / Online Privacy Policy | Yes | Yes | |||
| Screen touch patterns & frequencyUHC Online Privacy Policy | Yes | ||||
| App usage patternsWeb / Online Privacy Policy | Yes | Yes | |||
| Device identifiers (UDID, Android ID, IP)Web / Online Privacy Policy | Yes | Yes | |||
| Third-party & commercial data | |||||
| Publicly or commercially available dataHIPAA or Web Privacy Policy | Yes | Yes | Yes | ||
| Offline vendor data combined with online dataWeb / Online Privacy Policy | Yes | Yes | |||
| Aggregate data sold to third partiesCigna HIPAA Notice | Yes | ||||
| Payment received for data disclosuresCigna HIPAA Notice | Yes | ||||
| Data sharing destinations | |||||
| Healthcare & operations | |||||
| Treating providers & hospitalsHIPAA Notice all insurers | Yes | Yes | Yes | Yes | Yes |
| Business associates & service providersHIPAA Notice all insurers | Yes | Yes | Yes | Yes | Yes |
| Employer (plan sponsor)HIPAA Notice all insurers | Summary only | Summary only | Summary only | Summary only | Summary only |
| Government & law enforcement | |||||
| Law enforcement agenciesHIPAA Notice all insurers | Yes | Yes | Yes | Yes | Yes |
| Correctional institutionsHIPAA Notice Anthem, United, Cigna | Yes | Yes | Yes | ||
| Military & national security authoritiesHIPAA Notice | Yes | Yes | Yes | Yes | |
| Public health agenciesHIPAA Notice all insurers | Yes | Yes | Yes | Yes | Yes |
| Commercial & data economy | |||||
| Third-party advertisersWeb / Online Privacy Policy UHC, Aetna | Yes | Yes | |||
| Life sciences & research organizationsHIPAA Notice all insurers | Yes | Yes | Yes | Yes | Yes |
| Analytics vendors (behavioral & device data)Web / Online Privacy Policy UHC, Aetna | Yes | Yes | |||
| Credit bureausCigna GLB Notice; Humana HIPAA Notice | Yes | Yes | |||
| Corporate affiliates & subsidiariesWeb / Online Privacy Policy; GLB Notice | Yes | Yes (CVS Health) | Yes (Evernorth) | ||
| Acquiring entity in merger or acquisitionWeb / Online Privacy Policy Aetna, Cigna | Yes | Yes | |||
| Third-party health apps (outside HIPAA)UHC Share My Health Data Notice; Cigna Data Sharing Notice | Yes | Yes | |||
| Joint marketing partners (non-affiliated financial companies)Cigna GLB Notice | Yes | ||||
Source: Document analysis of member-facing privacy policies, Georgia primary case, documents accessed June 2026. Device and behavioral data for UnitedHealthcare and Aetna sourced from web and mobile privacy policies reviewed in session (not uploaded PDFs). Cells marked indicate the data type or destination is not described in available documents, not confirmed absence. All claims sourced directly from insurer documents; no inferences made beyond document text.