A Data Broker Just Sold 2 Million People's Medical Conditions—Along With Their Email Addresses

What California Just Discovered

On January 8, 2026, the California Privacy Protection Agency announced enforcement actions against data brokers operating illegally in the state. One company stood out for the disturbing nature of its business.

Rickenbacher Data LLC, doing business as Datamasters, had been buying and reselling the personal information of millions of people with serious health conditions. The Texas based company maintained databases containing:

• 435,245 people with Alzheimer's disease
• 2,317,141 blind or visually impaired individuals
• 133,142 people suffering from addiction
• 857,449 people with bladder control issues

For each person, Datamasters sold their name, home address, phone number, and email address to anyone willing to pay.

The Scale of the Operation

Datamasters claims access to a national consumer database covering 114 million households and 231 million individuals. Beyond health condition lists, the company sold data segmented by:

• Age and perceived race ("Senior Lists," "Hispanic Lists")
• Political views (conservative and liberal voter lists)
• Banking activity and financial behavior
• Grocery store purchases
• Health related product purchases

"Reselling lists of people battling Alzheimer's disease is a recipe for trouble," said Michael Macko, head of enforcement at the California Privacy Protection Agency. "In the wrong hands, these lists could be used to target people for more than just advertising."

Why This Matters for Your Inbox

When a data broker sells your email address alongside your health conditions, you become a precision target for scammers. Research from the Alzheimer's Drug Discovery Foundation shows that people with cognitive impairments are particularly vulnerable to fraud.

Consider what happens when scammers purchase these lists:

• People with Alzheimer's receive emails about "miracle cures" and memory supplements
• Addiction sufferers get targeted by predatory treatment centers
• Those with incontinence issues receive embarrassing spam they never signed up for
• Visually impaired individuals get phishing attempts designed to exploit accessibility challenges

Tracking pixels in these scam emails make the problem worse. When someone with Alzheimer's opens a fraudulent "treatment" email, the spy pixel confirms to scammers that they found a responsive target. The victim gets flagged as someone who engages with health related spam, inviting even more predatory messages.

The Consequences for Datamasters

California ordered Datamasters to:

• Pay a $45,000 fine for operating without registering as a data broker
• Stop selling ALL personal information of California residents immediately
• Delete all previously purchased California data by December 2026
• Delete any future California data received within 24 hours
• Submit to five years of compliance monitoring

The fine itself is modest. But the permanent market ban is devastating—Datamasters can no longer profit from California's 39 million residents.

S&P Global also received a $62,600 fine for failing to register, and the CPPA has brought enforcement actions against more than ten additional data brokers.

California's Delete Act: A New Tool for Consumers

These enforcement actions come as California launches DROP (Delete Request and Opt Out Platform), a system that lets residents request deletion of their data from over 500 registered data brokers with a single request.

Key dates for 2026:

• January 2026: DROP system goes live for California residents
• August 1, 2026: Data brokers must process deletion requests within 90 days
• August 1, 2026: Brokers must check DROP every 45 days for new requests

Data brokers who fail to register face $200 per day penalties. Those who ignore deletion requests face $200 per request per day. The math adds up quickly.

The Broader Pattern

Datamasters isn't an outlier. The data broker industry thrives on collecting and reselling personal information without meaningful consent. Recent enforcement actions reveal a pattern:

• Gravy Analytics and Venntel: Sold location data revealing medical conditions and religious affiliations
• BetterHelp: Shared mental health data including hashed email addresses with Facebook for targeted ads
• National Public Data: Massive breach exposed names, addresses, and partial Social Security numbers

With 19 states now having comprehensive privacy laws—and more coming in 2026—the regulatory pressure on data brokers is mounting. But laws only work after the damage is done.

Protecting Yourself Now

If you're a California resident, use DROP to request deletion from registered data brokers. But remember: Datamasters operated for years without registering. Many data brokers still fly under the radar.

For your inbox specifically:

• Block tracking pixels to prevent scammers from confirming your email is active
• Be especially cautious of health related emails you didn't sign up for
• If you care for someone with cognitive impairment, monitor their inbox for predatory messages
• Report health scams to the FTC at ReportFraud.ftc.gov

Extensions like Gblock automatically detect and neutralize tracking pixels before they can phone home. When scammers can't confirm whether you opened their message, you become a less valuable target.

The Bottom Line

A company built a business selling the email addresses of people with Alzheimer's disease to the highest bidder. That business model existed because no one was watching.

California is finally watching. But the damage from years of unregulated data sales can't be undone. Millions of vulnerable people are already on lists that have been copied, resold, and distributed across the marketing ecosystem.

Your health information shouldn't make you a target. Neither should your inbox.