This Data Broker Sold Lists of People With Alzheimer's—Including Their Email Addresses

What the Company Did

Rickenbacher Data LLC, operating under the name Datamasters, bought and resold personal information of millions of people categorized by their health conditions. The Texas based company sold lists that included:

• People with Alzheimer's disease
• Individuals struggling with drug addiction
• People with bladder incontinence
• Other sensitive medical conditions

Each record included names, addresses, phone numbers, and email addresses. The data was sold to advertisers for targeted marketing campaigns.

Beyond health data, Datamasters also sold lists organized by age ("Senior Lists"), race ("Hispanic Lists"), political views, grocery purchases, banking activity, and health product buying habits.

The Enforcement Action

California's Privacy Protection Agency (CPPA) fined Datamasters $45,000 for failing to register as a data broker under the state's Delete Act. More significantly, the agency ordered the company to stop selling all personal information about California residents.

"Reselling lists of people battling Alzheimer's disease is a recipe for trouble," said Michael Macko, head of the CPPA's enforcement division. He warned that these lists could be exploited for purposes beyond advertising.

The enforcement action is part of the CPPA's Data Broker Enforcement Strike Force, which has been targeting companies that fail to register while trafficking in personal information.

Why Health Data Is Different

Health information is among the most sensitive data categories. When combined with contact information, it creates opportunities for exploitation that go far beyond unwanted ads.

Someone with Alzheimer's disease is more vulnerable to scams. A person struggling with addiction may be targeted by predatory treatment centers or drug dealers. Individuals with embarrassing health conditions become targets for blackmail.

The email addresses in these lists are particularly valuable to scammers. With a person's health condition, name, and email, attackers can craft highly personalized phishing messages that appear to come from healthcare providers, pharmacies, or support organizations.

How This Data Gets Collected

Data brokers like Datamasters don't collect information directly. They purchase it from other sources and repackage it for sale. Health related data can come from:

• Pharmacy loyalty programs and prescription discount cards
• Health related website registrations and newsletter signups
• Survey responses and sweepstakes entries
• Purchase histories from health product retailers
• Public records and insurance claim aggregators

Once this data enters the broker ecosystem, it gets combined, enriched, and resold repeatedly. The original source often becomes untraceable, and individuals have no practical way to know who has their information or how it's being used.

California's New Delete Act

California's Delete Act, which took effect in 2024, requires data brokers to register with the state and pay annual fees. The law also created a centralized deletion mechanism that launched on January 1, 2026, allowing residents to submit a single request to have their data removed from all registered brokers.

Companies that fail to register face administrative fines of $200 per day, plus unpaid registration fees and investigation costs. The Datamasters case shows that the CPPA is actively enforcing these requirements.

In the same announcement, the CPPA also fined S&P Global $62,600 for failing to register as a data broker, calling it an "administrative error." The difference in penalties reflects the severity of Datamasters' conduct: not just failing to register, but selling particularly sensitive categories of personal information.

How to Use the Delete Act

California residents can now request deletion of their data from all registered data brokers through a single online portal. To use it:

Visit the CPPA's deletion portal. The California Privacy Protection Agency operates the centralized request system at deletedata.cppa.ca.gov.

Verify your identity. You'll need to confirm you're a California resident to submit a request.

Submit a deletion request. One request goes to all registered data brokers, requiring them to delete your information.

Repeat periodically. New data can still be collected after deletion. Consider submitting requests regularly to minimize your exposure.

The Limits of Enforcement

A $45,000 fine is a modest penalty for a company that profited from selling millions of sensitive records. The real consequence is the order to stop selling California data entirely, which may force business model changes.

But this case also reveals the limits of state level regulation. Datamasters is a Texas company. The data it sold came from national sources and was sold to advertisers nationwide. California's rules only apply to California residents.

For people in other states, there's often no legal requirement for data brokers to register, no deletion mechanism, and no oversight of what categories of information they sell. If you have Alzheimer's and live in Texas, the same lists can be sold without restriction.

Protecting Yourself

The data broker industry operates largely invisibly. Most people have no idea their health information is being bought and sold. While you can't stop all data collection, you can reduce your exposure:

Use separate email addresses. Create a dedicated email for health related services that you don't use for other purposes. This limits the connections brokers can make between your health data and other activities.

Avoid health surveys and sweepstakes. These are common data collection fronts. The prize is rarely worth the privacy cost.

Read pharmacy privacy policies. Some pharmacy loyalty programs sell data to brokers. Opt out where possible, or skip the discount card entirely.

Submit deletion requests. If you're in California, use the Delete Act portal. If not, services like DeleteMe and Kanary can submit opt out requests to major brokers on your behalf.

The Datamasters case is a reminder that your health information has value, and not everyone who has it will handle it responsibly. The less you share, and the more you control where it goes, the safer you'll be.