Having a child is one of the—if not the—most life-changing moments in life. And while we’d all like to think that day a woman finds out she’s pregnant is a happy one, it’s often accompanied by hours of agonizing about when to break the news to her employer.

Questions like, “What if this gives them an excuse to fire me?” and “What if they pass me up for this promotion?” may creep into her mind, despite the explicit laws that protect against pregnancy-related discrimination.

But what if an employer were find out that an employee is pregnant before she’s ready to disclose that information? While that sounds like it should be illegal, it isn’t—and it’s happening right now, according to the Wall Street Journal.

Health care analytics companies can mine workers’ medical claims, pharmacy claims, and search queries to figure out if an employee is trying to conceive or is already pregnant. One such company is Castlight Health CSLT 8.82% , which counts major employers such as Walmart WMT 0.32% and Time Warner TWX 2.15% among its biggest clients.

Castlight has the ability to gather workers’ medical information, then use that data to identify segments of an employee population that are about to make certain decisions, senior product manager Alka Tandon told Fortune. “We can tell who’s at risk for being diagnosed with diabetes, who’s considering pregnancy, who may need back surgery,” she says.

While the company can pinpoint the specific individuals with certain medical needs, it only shares top-level numbers with its clients, says Tandon. For example, Castlight can tell a client that its workforce includes 60 women who are currently trying to have children, but it will not disclose the names of those employees. It also caps the size of any group it will single out at 40 people, since it believes that any smaller group could allow the client to identify the individual employees.

Imposing these rules and minimums makes sense in theory, but realistically does little to prevent companies from knowing who has what medical issue. “You might as well put employees’ pictures on a bulletin board,” says Nicolas Terry, a professor at the Indiana University Robert H. McKinney School of Law, who specializes in studying the intersection of medicine, law, and information technology.

And while collecting this kind of employee information may be legal, it’s only because the space is still largely unregulated, says Terry. “There is almost no law that controls what data these big data companies can access. There isn’t much law controlling what they can do with it.”

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires the protection and confidential handling of protected health information. However, this law doesn’t apply here because things like search queries and insurance claims don’t necessarily fall under the category of protected health information, says Terry.

“It they’re doing it the Target way, that kind of stuff is not controlled,” he says. Terry is referring to a 2012 New York Times piece about how retailer Target TGT 0.84% was able to use data analytics to figure out which customers were pregnant through tracking purchases. In one anecdote, the store had figured out a young woman’s due date before her father even learned that she was pregnant.

In the case of Target, some consumers felt that their privacy was violated, or that they were being spied on. In this case, however, the stakes are much higher because the parties involved are in an employer-employee relationship, points out James Hodge, a professor of public health law and ethics at the Arizona State University Sandra Day O’Connor College of Law.

“If [an employer] originally thought that 15% of the women in its employee base may become pregnant, but data shows it’s closer to 30%, that could lead an employer to say we cannot hire as many female employees this year because we can’t afford them being out for family leave,” Hodge explains. And while this example is purely hypothetical, it shows the kinds of discriminatory arguments that this data could be used to make—regardless of whether an employer has access to individual employee names or not.

Castlight only collects data on individuals who explicitly opt in to its services, which include a search function for in-network doctors and the ability to track health care spending (the fine print: opting into the service also gives Castlight permission to share data with the individual’s employer).

However, Hodge argues that the data gathered by the company could still be used to penalize employees who did not opt in. “You only need a random sampling and you can then extrapolate meaningful and actionable data” based on a significant sample, he says. In other words, Walmart doesn’t need every one of its 1.4 million U.S. employees to opt in to Castlight—it can make do with a few thousand.

Since the ethics of tracking employee health information are “questionable, at best” and there is currently no legislation out there regulating these types of big data companies, the onus is on employers to keep workers in the loop, says Terry: “It is incumbent upon the employer to be completely transparent and to demonstrate how this is being done exclusively to the employee’s benefit.”

This article first appeared on fortune.com

Get our Health Newsletter. Sign up to receive the latest health and science news, plus answers to wellness questions and expert tips. Please enter a valid email address. Sign Up Now Check the box if you do not wish to receive promotional offers via email from TIME. You can unsubscribe at any time. By signing up you are agreeing to our Terms of Use and Privacy Policy . This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply. Thank you! For your security, we've sent a confirmation email to the address you entered. Click the link to confirm your subscription and begin receiving our newsletters. If you don't get the confirmation within 10 minutes, please check your spam folder.

Contact us at letters@time.com.