Skip to content
All writing

July 14, 2026 · min read

The Healthcare Industry Is Coming for Your Face

Face scans are evolving into a condition of everyday access, healthcare included. Here's what that biometric data can and can't do, why handing it over is a bigger deal than it looks, and what asking for it responsibly would actually take.

Don't miss a post →

Last week, I got an email from Headway, one of the third-party services used by my mental health provider, informing me that I would need to "Verify your identity before your next session" by submitting my biometric data. This mandatory identity verification requires a photo of a current government-issued ID plus a "live photo" scan (moving my head side to side in front of the camera) run through another third-party vendor called Persona.

Headway is requiring this of every patient who sees a prescriber, mine included, with no way to opt out short of abandoning your provider. Interestingly, the vendor doing the scanning, Persona, is backed by Peter Thiel's Founders Fund. 404 Media's Samantha Cole broke the story about Headway's plan in May, and the reporting is clear about the bind patients are in.

Let's explore what biometric data can and cannot do, why it's a big ask of consumers, and how what happened to me could have been easily avoided (there's a way to do this, friends). I'll focus on for-profit companies here, not government, as that's likely a whole other article.

"Do I give up my privacy or do I burn all my progress and then just go to a different company and try and find somebody else, and start over?"

— A Headway patient, quoted in 404 Media

Why Headway says they ask for this data

The reason Headway gave for these increased verifications is fraud prevention: people impersonating others to get controlled substances, or AI-generated faces on telehealth calls.

However, fraud is overwhelmingly on the provider side, not the patient side. When the Justice Department announced its 2026 National Health Care Fraud Takedown, it charged 455 defendants more than $6.5 billion in alleged fraud, and the high profile cases were almost uniformly committed by providers and operators, not by patients impersonating someone else: a billion-dollar telehealth platform signing orders for patients doctors never examined, a physician billing for Botox injections given while she was on vacation, a clinic billing Medicaid for more than 500 hours of therapy in a single day.

Patient impersonation (someone using another person's identity to obtain care or controlled substances) exists, but isn't a category federal enforcers highlight in their major takedowns, and the cases that do involve stolen patient identities are overwhelmingly providers misusing records to bill, not strangers turning up at a video visit wearing someone else's name. And where patient data does get stolen at scale, it isn't through unverified faces; it's through breaches of the exact kind of centralized systems Headway is now building. The 2024 Change Healthcare breach alone exposed the records of 192.7 million people. That is the actual threat model for medical identity theft: a for-profit intermediary holding a giant, breachable trove of health data. A clinical psychologist and co-founder of the Psychotherapy Action Network, Linda Michaels, told ClearHealthCosts there is "no valid clinical rationale for biometrics or facial ID. The only rationale is a commercial one."

AI-generated faces on telehealth calls are a different idea altogether. Deepfake fraud is real and climbing fast, but the clearest data on it comes from European banking and payments, not telehealth: a Signicat study shows that deepfakes jumped from 0.1% of all fraud attempts three years ago to 6.5% today. That fits a broader pattern: the most-targeted sectors are finance and crypto, and the high-profile cases are corporate wire-transfer scams. From what I see today, the threat of patients faking their own faces to see their own mental health provider lives mostly in security vendors' marketing. I couldn't find a single documented case of a patient deepfaking a telehealth visit to obtain care. I'd be keen to know if anyone knows of one. And here's the part that should give anyone pause: the security field is already concluding that facial scans don't reliably stop this threat. Gartner projected that by 2026, 30% of enterprises would stop trusting face-biometric verification on its own, because deepfakes and "injection attacks" that bypass the camera entirely defeat it (Gartner). So if the goal is to defend against an attack that mostly isn't happening in telehealth, using a method experts say is already being outrun...what is the point?

There have already been troubling signals for consumers

A few useful nuggets of additional context:

Biometrics are a giant leap from verifying your driver's license

My identity was already verified thoroughly before a single session was ever paid for. For my claims to process, my name, date of birth, member ID, and policyholder all had to match my insurer's records exactly. This is how it has worked at countless doctors' offices for many years.

I asked Headway's customer support what a facial scan establishes that the previous identity verifications did not. The customer support agent agreed that the insurer "already validates demographic details," and framed the scan as an "additional safeguard" confirming the person is "physically present."

When a credit card number leaks, you cancel it and get a new one. You cannot get a new face. Headway's specialist assured me the biometric data is "deleted immediately after the check completes." I believe them, and it doesn't help. Deletion afterward does nothing about the window when the data is collected, transmitted, and sitting on a third party's servers. A breach during that window is permanent in a way no breach of a card number ever is. The exposure happens on the way in, not on the way out.

Of note, Headway didn't seem to be able to tell me apart from my spouse, the insurance policyholder. When I was logged into my own account, the page greeted me by name, as "Karen." The support assistant, in the same session, opened with a greeting for my spouse's name, not mine. The verification emails were addressed to my spouse as well. I'm unconvinced a facial scan magically fixes their record-keeping inconsistencies.

Headway is capitalizing on evolving norms

We're now in a reality where facial and fingerprint verification has already been folded into ordinary life, mostly in forms that feel harmless. Each benign use makes the next, less benign one feel more normalized.

  • Your phone. Face ID and Touch ID unlock hundreds of millions of devices a day. Crucially, Apple keeps that data on the device: the mathematical representation of your face lives in the Secure Enclave, is never sent to Apple, and is never backed up to iCloud or anywhere else. This is what many people think of when they envision a "facial scan," but it's also the exception, not the rule.
  • The airport. CLEAR has turned a face-and-fingerprint scan into a $219/year convenience, with lanes in 62 airports plus stadiums, and it explicitly captures your facial biometrics to "verify You Are YOU." Unlike Face ID, this data goes to a private company and is stored there.
  • LinkedIn. The endless "verify your identity" prompts have worked: more than 100 million members have verified, many by submitting a government ID via CLEAR and Persona.
  • Everything else. Persona also runs age checks for Reddit, Discord, and Roblox, per the digital-rights group Open Rights Group; its growth was bankrolled by Peter Thiel's Founders Fund, the network behind Palantir. And the state is expanding too: a DHS final rule now authorizes facial-biometric collection from all non-citizens entering and exiting the U.S., while age-verification mandates like the KIDS and SCREEN Acts push platforms toward face-based checks.

While Face ID never leaves your phone, this everyday on-device face scan has inoculated us against reacting to the version that actually carries the risk. Here the "scan" is biometric data that ends up on someone else's server, without any real framework that governs how it's kept. Healthcare is a place where it feels especially coercive, because often you can't walk away from your provider and history of care.

Customer support that automates the demand and offloads the labor

Every part of this costs us time, not them. I'm the one who has to read the notification, reach out to my provider, have the provider redirect me to Headway, have Headway only answer questions through a bot, have the bot escalate the question to a human customer support email response, and then, take their answers back to my provider, who then had to check with their internal billing team.

BTW, I tried to get a human on chat instead of Headway's bot, and it refused, twice. When I tried to raise my concern about biometrics collection to the Headway bot, it told me I was wrong. I copy-pasted the Headway email back to it, and that is when it escalated my question to a human email responder. The customer support response was the same as the email: the scan is mandatory ("Yes"), there's no alternative or opt-out, the data is "deleted immediately" (which sidesteps the exposure during collection), and declining restricts features, like booking appointments.

Why are they allowed to require the most sensitive data I own, but route every question through a poorly trained bot? And when I was able to escalate to a customer support agent, they just repeated what was in the email, so there was no real clarity offered.

My provider did the right thing here when I provided Headway's response and they went to Headway directly to get me real answers rather than leave me stranded with the bot. It turns out, my practice uses Headway for billing only, and while Headway has a fuller suite of tools, my provider simply doesn't use them. My practice confirmed that I was "fully verified" without submitting any of this information.

Designed for compliance without questions

Headway's mandate made no distinction between the two use cases. The same blanket facial-scan demand went to patients whose entire relationship runs through the platform and to patients like me, for whom it's just a billing mechanism.

A precise fraud-prevention measure would ask what it actually needs to protect. This asked nothing. It's a broad, undifferentiated collection of someone's most sensitive data, sent to everyone regardless of how they use the service, with no opt-out and no human to appeal to, creating a design that leaves compliance as the only realistic option.

Honestly, my reprieve is luck, not policy, and that's the real problem. Headway could change its policy in a few months, or my provider could start using the rest of Headway's tools, and I'd be in the exact same predicament. The fact that I'm fine today is an accident of how my provider happens to bill, not a protection anyone designed for me. That gap between accident and design is what should worry every patient reading this, not just me, and I feel for anyone truly torn between providing their biometrics or losing care.

What this rollout should have looked like

This could have gone so much better.

Clearer policies and real transparency

The Headway FAQ (and the patient emails) says only that it saves "some data," without specifying what, where, for how long, or who can reach it. A vendor (Persona) most patients wouldn't even know about sits in the middle, unnamed until you dig.

  • What this requires: First, before shipping, have real proof that the feature actually solves the problem, and that a patient facial scan measurably reduces the fraud it's meant to stop (the above data suggests it doesn't).
  • Second, disclose in plain language: which fields are retained, for how long, the vendor's name, and what deletion can and can't do under healthcare retention law.

Opt-out options for providers and clients

"Verify or lose access" is not consent.

  • What this requires: a real alternative, like: a live video check with a staff member, provider attestation, or ID-only verification for low-risk cases. Consent means you have a choice.

Actual customer support channels

There was no support email or messaging available, even when a user is logged-in to the Headway platform. The only customer support tool available is a bot that gives factually wrong answers about the very data being collected, and only escalates after you quote the company's own email back to it. Customer support reps provided no further clarity.

  • What this requires: an actual accessible email address, a monitored contact channel specifically for privacy questions, and an easy to opt-out-of bot experience, and if you're going to offer chatbot interactions, ensure that it says "I don't know, let me route you" instead of confidently misinforming you.

The communication to clients and providers

Bifurcated comms depending on use case: no distinction between a patient whose whole relationship runs through Headway and one for whom it's just a billing tool.

  • What this requires: scope the ask to the use. Collect the most sensitive data only where the risk it addresses actually lives. Empower your provider customers with real guidance and information for when patients inevitably have questions.

We need regulations that actually protect patients

Biometric law in the US is a patchwork with holes exactly where a patient like me falls through. Illinois' BIPA is the strongest with real penalties, and the right to sue, but its health care exception excludes biometric data collected for "treatment, payment, or operations" under HIPAA (Illinois Supreme Court, Mosby, 2023), which is exactly how Headway frames this scan. Texas' CUBI covers face geometry but lets only the state attorney general enforce it (Texas AG), a patient can't. Washington's My Health My Data Act was built precisely for health data that falls outside HIPAA and lets consumers sue (WA AG), but it's brand new, largely untested in court, and only helps Washingtonians. So depending on where you live, the law protecting your face ranges from "carved out" to "can't enforce it yourself" to "doesn't exist." The honest solution here is the creation of a federal floor for biometric data collection, with no health-billing loophole and a private right of action, so protection doesn't depend on your zip code or on an attorney general deciding to care. Until then, the burden falls on platforms to not collect what the law hasn't yet forced them to protect.

My face is not actually protected by policy, either by the companies or by the government, and neither is yours. Handing your biometric data to a private company should never be the price of medically necessary care. I can get a new card, a new password, a new member ID, but I get only one face, and I'd like to keep it off their servers.

The newsletter

Don't miss a post

Sharing thoughts once or twice a month. I care about product, power, data privacy, ethical AI, and art & culture. No spam, unsubscribe anytime.