Your Medical Records Were Where? The Palantir Problem Nobody Was Talking About

April 13, 2026

So apparently NYC hospitals have been sharing patient health data with Palantir, and they’ve only just decided to stop. And the reaction from most people online was essentially: they were doing WHAT?

Yeah. That tracks.

For those who don’t know much about Palantir, they’re a US data analytics company with some genuinely unsettling associations — they’ve done work for ICE, assisted with surveillance operations, and their CEO is about as MAGA as it gets. To be fair, someone in the online discussion I was reading pointed out they also do legitimately useful things like tracking missing children and tracing food contamination outbreaks. But that’s the uncomfortable reality of dealing with companies like this — the good and the bad come bundled together, and you don’t always get to pick which parts you’re funding or feeding.

The thing that really got under my skin here isn’t even Palantir specifically. It’s the casual, almost bureaucratic way health data ends up in places patients never imagined. Most people assume there are watertight laws protecting their medical records. And in the US, HIPAA does exist — but as someone in the thread helpfully explained (possibly with the help of an AI, judging by the very polished prose), there’s a significant gap between what HIPAA technically covers and what actually happens to the derived insights from your data once a model has been trained on it.

That point really stuck with me. A risk model trained on eight million patient records doesn’t just evaporate because the data-sharing agreement gets torn up. The hospitals backing out now is good news, but it doesn’t undo what’s already flowed upstream. The data has already done its job. The model exists. And current privacy frameworks — whether you’re talking US law, the EU AI Act, or ISO standards — govern the systems that touch the data. None of them adequately govern what gets learned from it.

Here in Australia, we have our own complicated relationship with health data. The My Health Record rollout was… a journey. Remember that? The opt-out system, the privacy concerns, the government having to scramble to reassure everyone that no, your GP notes weren’t going to end up somewhere alarming. We navigated that with mixed success, and it’s left a lot of Australians with a lingering wariness about centralised health data — probably a healthy wariness, as it turns out.

Working in IT, I’ve spent years thinking about data pipelines, access controls, and what “secure” actually means in practice versus on paper. And I’ll tell you, the gap between those two things is enormous even in well-intentioned organisations. The moment you start involving third-party analytics platforms with their own commercial interests, that gap becomes a chasm. Business Associate Agreements and legal compliance frameworks are necessary, but they are not the same thing as genuine data stewardship. Not even close.

What frustrates me most is that this story probably won’t get the sustained attention it deserves. It’ll be a few days of outrage, then we’ll scroll on. Meanwhile the structural problem — that health data is extraordinarily valuable, that companies will find legal pathways to access it, and that our laws are perpetually playing catch-up with what’s technically possible — that problem quietly continues.

The optimist in me wants to believe that public pressure actually works here. The hospitals did stop. That matters. And there’s a growing conversation — globally, not just in the US — about the need for much stronger frameworks around AI-derived data artifacts, not just raw data. Australia’s own Privacy Act reforms have been dragging along at a glacial pace, but the conversations are happening.

The answer isn’t to retreat from using data in healthcare — done right, it genuinely saves lives. The answer is demanding that the governance catches up with the capability, and not letting companies or hospitals quietly normalise arrangements that patients would be horrified to know about. Sunlight, as they say, is the best disinfectant. Even if it takes a Reddit thread to let it in.