Imagine a workplace in which, each month, you had to take a test to determine if you’d consumed nicotine; if you had, you would have to pay a fine of more than $100. Your employer would collect data on how often you’d worked out, if you’d seen doctors, the status of certain biometrics such as blood pressure and cholesterol, how much processed food you’d been eating, if you’d been seeing your therapist, how often you’d meditated, and even what prescriptions you’d taken. The amount of paid time off you would be allocated would be based on how “healthy” you were, according to the above assessment metrics. In addition, you would be required to take a genetic test that could affect your eligibility for health insurance the next year.

Now imagine that that’s real. Because, to a certain extent, it is.

The above scenario, while extreme, is becoming a reality. Seventy-one percent of companies in the United States with 200 or more workers offer wellness programs that collect personal health information. The last eight years have brought a rapid onslaught of such programs, which form a growing $8 billion industry.

In today’s difficult health-care environment, receiving preventive and proactive care for one’s physical and mental health is an almost idyllic scenario. But recent research shows that employee-wellness programs aren’t nearly as effective as the vendors hawking them might have us believe. Perhaps even more troubling, these programs collect massive amounts of haphazardly protected, insufficiently regulated data, and proposed legislation could weaken or even eliminate much of the protection we do have.

John* (names denoted with an asterisk have been changed), who works in health care information technology in Houston, told me his company’s wellness program “seems like a scam.” “They don’t monitor it,” he said. “We just click buttons that we [fulfilled the requirements].”

With corporate wellness apps, pat solutions are a tap away. Options for monitoring progress. Some healthy-living instructions. With corporate wellness apps, pat solutions are a tap away. Options for monitoring progress. Some healthy-living instructions.

John’s wellness program, the specific name of which he asked to be withheld to protect his anonymity, is fairly standard as far as these programs go. Different activities, such as walking 30 minutes a day or going to the doctor, earn points; you have to get enough points, John said, to avoid a 20 percent increase in your insurance premiums the following year.

John said that his company’s program had three parts. “A self evaluation which can be helpful if you’re honest with yourself. Blood work/physical. Then the activity part, which is a joke. Women in my office claim [they had] prostate exams and men claim mammograms just to get enough points to not worry about it the rest of the year.”

Annie* also said that her workplace wellness program, RedBrick, was pretty easy to game.

Those who test positive for nicotine are required to pay $125 extra on their monthly insurance premiums until the next testing cycle.

“Because much of the program is dependent on the honor system, it’s very easy to ‘cheat,’” she said. She said that RedBrick uses a smoking cessation test, in which participants are subjected each year to a saliva swab test to check for nicotine in the bloodstream; those who test positive for nicotine, according to Annie, are required to pay $125 extra on their monthly insurance premiums until the next testing cycle. But even that test, she said, has an easy workaround. “Two people on my team smoke cigars and chew tobacco,” she told me. “They know how long it takes for nicotine to clear from their system to test negative, so they stop long enough just for the test, then fire right back up again.” (RedBrick didn’t respond to a follow-up request for comment.)

Alan Pollard, the CEO of the popular workplace wellness company Vitality Group, said that cheating is a minor problem that some programs have a more difficult time battling (Vitality does not have this problem, he said). “I think that’s more relating to a strong element of self reporting,” he told me. “Our program is much more tooled toward verified activities. Any system you can cheat on … there’s one or two anecdotes that then get elevated as much more representative than they actually are.”

On top of the nicotine test, Annie said, her wellness program includes a more extensive annual biometrics test, including a finger prick to test blood sugar, a cholesterol assessment, a blood pressure reading, and a weight evaluation. Participants “get points just for doing it and becoming aware of your numbers. You get MORE points the following year if there’s an improvement in the numbers,” she said. “You are penalized for being a tobacco user but NOT for other health metrics.” But, she said, if you elect out of the biometric tests, you need to find another way to make up for those “points” if you want a discount on your insurance premiums.

Despite the apparent problems and ease of cheating these programs — along with the amount of data and tests many of them require — many I spoke with have mixed, but relatively favorable, opinions towards them.

“In general I think [my coworkers] are okay with it,” said Annie, who estimates that about half of her colleagues participate in their company’s program. “If you take it seriously and follow the wellness-program initiatives, it can make a big difference.”

Nicole*, who said her former company’s wellness program was haphazardly designed in-house by its human resources department, had a much darker view of her experience. “The company decided that having a fitness competition [among all employees] with both a step count and weight loss component was a great idea,” she told me. The program, she said, was presented as mandatory but wasn’t, with a scoreboard in the center of the office that tracked everyone’s weight loss and step count progress; winners at the end would receive gift cards, iPads, and other high-value prizes. “The bullies/people who were known for ‘just teasing’ in the office used the scoreboard to chide others for their lack of progress,” she said. Some employees, who had disabilities, eating disorders, or negative body images, were stressed by the competition, said Nicole, but feared being fired if they didn’t “put on a show.”

Eventually, the weight-loss portion of the competition was ditched, but the steps competition remained. “Based on my experience, I cannot begin to express how much of a net loss this activity had on the workplace,” Nicole said. “Employees thought it was stupid. The leadership looked stupid trying to sell it. Any half-decent lawyer would have advised against it.”

The Obama administration is to thank for these programs. The Affordable Care Act explicitly endorsed the use of workplace wellness programs as a means of ensuring a healthy (and less expensive) citizenry. Since the act was passed in 2010, the number of corporate wellness programs tripled, and now cover more than 50 million American workers.

Incentivizing healthier habits should theoretically make employees happier and more productive, not to mention reduce overall costs. People who exercise more typically have lower health-care costs, improved depression symptoms, and better cognitive function. Healthy eating habits have been linked to better cognitive performance, as well as improved overall health.

Still, the concept of prioritizing worker health as a means to boost production is an inherently dark one — who cares about your health, unless that health directly benefits your company — not least because it places the onus on the worker and not the employer to, say, keep hours and work demands reasonable, or offer benefits like more paid leave or childcare. There was also little reliable research eight years ago to support the idea that wellness programs paid off the way they were supposed to (making the Obama administration’s championing of workplace wellness programs in the act somewhat baffling).

One recent study in the journal Frontiers in Psychology found that workplace wellness programs in their current form may increase weight stigma and discrimination with potentially “severe” consequences, particularly if those programs focus on individual accountability. Researchers at the University of Illinois are conducting a working study, the Illinois Wellness Workplace Study, in which they analyzed the behavior of 12,000 employees in a workplace wellness program of their design. The researchers found that, in 37 out of 39 of their markers for success, participation in the wellness program showed no significant signs of improvement after one year.

Julian Reif, assistant professor of finance and economics at the University of Illinois and one of the authors of the study, said that professional opinions about workplace wellness-program efficacy varies widely; it was this, along with the lack of rigorous research on the topic, that prompted the study. Workplace wellness programs “now cover over 50 million workers in the U.S.,” Reif told me. “They’re all over the place. But there’s not a lot of good rigorous evidence on what they do.”

The issue, he says, is that most studies on the topic so far have been observational, rather than the more reliable randomized controlled trials, which use a control group to reduce bias in test results. “Because participation is voluntary, you’ll worry that maybe the people who participate in this program were already different than people who don’t participate,” Reif said.

One wellness program’s fine print on how an employee might get charged for having nicotine present in their system.

There was one notable exception in the lack of results: participants in the wellness program reported better workplace morale than non-participants. Reif told me that the study is only in its first year, however; the second and third years may tell a different story.

“The people who are most eager to participate were people who already had low health-care spending and who already were engaging in fairly healthy behaviors,” he said. “So if you’re an employer and you adopt a workplace wellness program, you might find you’re now able to hire more of those types of workers. And that’s gonna help reduce your health-care costs, even if the program itself isn’t having a direct effect on employees.”

Natalie, an Arizona-based judicial system supervisor, told me she isn’t convinced that her workplace’s wellness program is making a difference in anyone’s health. “You don’t really have to try to be healthier,” she said. “Like, it’s easy to just watch the five videos, get the points and go to the doctor.” Still, she appreciates the effort her company is putting into making its employees healthier. “I think it’s a case of getting out of it what you put in,” she told me.

Going to the gym, getting your cholesterol checked, participating in smoking cessation programs, and increasing your daily steps with a FitBit or Apple Watch seem like indisputably good things. As someone who really doesn’t work out nearly as much as I should, especially given how good it ends up feeling, a gentle push in the direction of doing so should be a wholly positive, healthy experience.

But this kind of tech-enabled monitoring generates a lot of data that can be collected and that can — and does — hurt people in ways that are not very transparent to them, especially marginalized ones. Personal data is analyzed, bought, and sold every day by data brokers, from social media posts to credit card purchases to daily steps collected by FitBits. Data brokers sort people into marketable demographic categories based on this information, and if they can conclude someone is, for whatever reason, high-risk, that person could pay the price later on, with penalties such as increased premiums, employer discrimination, loan denials, and even, depending on the status of the Affordable Care Act, insurance denials.

Some wellness programs work with an insurance company, and others do not. Employers often use outside vendors for the latter, or, as was Nicole’s case, the employer may design its own wellness program. Typically, if a wellness program isn’t affiliated with a health-insurance plan, then it isn’t subject to Health Insurance Portability and Accountability Act (HIPAA), the 1996 regulation signed into law by President Bill Clinton that provides guidance to covered entities on health and medical privacy. Workplace wellness programs that already have a relationship with an employer’s insurance company are subject to HIPAA as one such “covered entity” — or health care plans, health care providers, and health care clearinghouses. This means the personal information given to them can’t be further disclosed without an individual’s consent, though there are many caveats, including that data can be shared if it is “anonymized.” However, extensive research has shown anonymizing does anything but, especially when data brokers sell and trade “anonymized” data with each other, allowing them to triangulate your “private” health records and figure out it was you who had a sudden, unexplained seizure last year, or started to have random fainting episodes.

When I asked him about it, Alan Pollard of Vitality Group reacted with horror at the prospect of selling employee data. According to the company’s website, it only provides aggregate information to employers and requires participant consent to provide employers with more detailed information.

While Vitality’s attempt at demystifying its privacy policy is commendable, “aggregate” or anonymous data is not as risk-free as it might seem. In a 2016 interview with Motherboard, Timothy Libert, a privacy engineer at Carnegie Mellon University, explained this. “Usually when industry types say ‘anonymous’' they actually mean ‘pseudonymous,’ which means there is a random identifier tied to the data, (e.g. ‘u91u232u390’),” he said. “However, if there is a second database that links the identifier to a specific person (e.g. ‘u91u232u390: Meghan Neal’) it can be easily re-identified.”

He continued: “An identifier may be associated with a specific address which is where a person lives, or even geolocation data from your morning jog can be used to figure out who you are — even if it is ‘anonymous.’”

Even data that doesn’t make its way to a data broker can be harmful, because health insurance companies can use such information themselves. It’s perfectly legal to increase health care premiums based on the failure of a customer or their partner to achieve certain benchmarks in an insurance-affiliated wellness program. Those premiums can go up by as much as 30 percent, or 50 percent for smokers. Refusing to participate in an employer’s healthcare plan-affiliated wellness program can also raise premiums, although the AARP successfully sued against that earlier this year, arguing that such supposedly “voluntary” wellness programs are coercive. The results of that lawsuit go into effect in 2019. Still, those of us for whom an extra 30 percent on our insurance could break a budget are effectively forced to give up our data in exchange for more affordable coverage.

Unsurprisingly, consumers aren’t being made aware of these risks. Of the 14 current or former employee wellness-program participants The Outline spoke to, only one told me that privacy had, at one point, been discussed, and she couldn’t remember exactly when.

“It would not be overstating it to say that, in general, there is a significant gap in protections for employees,” Tatiana Melnik, a data privacy and security lawyer, wrote to me in an email. “When assessing the privacy and security of your employer’s wellness program, one thing to think about is your employer’s culture of compliance. For example, how do you and your employer handle customer data?”

Data brokers are already using health data as part of consumer profiles, which affect how people are marketed to and for what. The American Bar Association, in a 2015 report on the privacy of wearables such as Fitbits and Apple Watches, noted that poor sleep, heart rate, and stress levels could all lead marketers to believe a consumer is depressed, that their romantic relationship is on the rocks, or even that they’re a bad employee. That information could be sold to banks or insurance companies, with dire individual consequences.

“That’s where the data then moves into other parts of the economy — lending decisions, credit decisions, mortgage decisions,” Scott Peppet, a privacy specialist and law professor at the University of Colorado, told PBS in 2015. “Once these data are in the hands of a data broker, they can be blended into any kind of formula.”

Jason Chung, a lawyer and senior research scholar at New York University Sports & Society, a think tank devoted to the study of sports, noted that this is particularly dangerous for people with sensitive health conditions. “A lot of the information that’s collected by data-wellness plans could technically be used to discriminate,” he said. He’s concerned that even the scant protections available today might not be around tomorrow.

“Right now you’ve got legal and regulatory protections — HIPAA, the ADA [American Disabilities Act] — but these are constantly under review and under threat to a certain degree,” he said. “The ACA came in and changed everything and said that insurers on the individual market can’t deny coverage for Americans with pre-existing conditions. But what happens if that rule gets repealed? If the restrictions of who can control your data and access your data are eroded, then information can conceivably be used to discriminate, whether you know it or you don’t.”

In fact, the Genetic Information Nondiscrimination Act of 2008 (GINA), which prohibits employers from requiring genetic tests from employees or using that information for employment decisions, is at risk of being weakened. HR 1313, or the Preserving Employee Wellness Programs Act, was introduced in 2017 by Republican House Representative Virginia Foxx, and purports to make it easier to implement wellness programs by allowing employers to collect personal genetic information on their employees (right now, employers are only allowed to see that information in aggregate form). That means if, for example, a genetic test shows you have the BRCA1 gene, your employer will know that you, and not just an anonymous employee who works for them, are at risk for breast cancer.

Regardless of the probability of HR 1313’s passage, Chung believes the U.S. needs a political solution to the precariousness of employee data from wellness programs. The country could consider something similar to the General Data Protection Regulation (GDPR), which was recently instituted in the European Union. This law gives individuals access to whatever sensitive personal information records a business may be keeping on them; even Hong Kong, which Chung cited as among the “freest economies in the world,” has a regulatory body dedicated to data protection. “Right now, what we have is just a gigantic mess of a private system, and it’s got incomprehensible sets of laws and standards across different states,” he said. “I think Americans deserve clarity about who to go to and what the process is.” As they are, wellness programs heavily favor businesses at the expense of consumers, whose data is mined and sold in exchange for trinkets, gold stars, and meager premium discounts.

There very well may be as-yet-unknown benefits to employers taking an active interest in their employees’ health. But at the moment, with scant research, inadequate programs that incentivize cheating, poor regulation, and serious, unaddressed privacy issues, it might be more beneficial to just give employees more vacation time, flex time, and manageable workloads in order to improve their health.

For the past several months, I’ve logged every single thing I’ve eaten in a weight-loss program app, perhaps foolishly never thinking of the potential consequences. There are nights when I’ve had three drinks — practically anathema in the program’s ethos — but left them off to stave my guilt. But now I know there are real benefits to lying to my food tracker, if I elect to participate at all: protecting myself against being penalized in the future for not eating enough vegetables or drinking one too many. It’s one lesson wellness program participants are already taking to heart, even if they’re not thinking of it along the same Skynet fears as I am.

Nicole had one coworker, she said, who fastened his pedometer “to a mailcart that had a bad wheel and it made his step count believable — I think he came in fifth? No one cared enough to snitch.”