Reporting Highlights
- Strings Attached: U.S. officials are demanding access to the health data of millions of Africans as a condition of giving billions of dollars in lifesaving aid to African countries.
- Privacy Concerns: Experts said the deals are vague and lack standard language to guard personal data from being exposed, misused or commercialized without people’s consent.
- America First: The U.S. said it needs access to the data to keep people safe and that it will be anonymized. The deals are part of a plan to use aid to make America “more prosperous.”
These highlights were written by the reporters and editors who worked on this story.
Frank Ssekamwa says the United States presented his country with an impossible choice. If it accepted the terms of a new health agreement, Uganda would have to give the U.S. access to the data of millions of his fellow citizens — a decision he worries would make their personal information more vulnerable to breaches and possible exploitation.
But if it refused, the East African nation would likely lose out on more than a billion dollars to address HIV, malaria, tuberculosis and other illnesses, even as its people face ongoing threats from Ebola and other deadly infectious diseases.
So, on Dec. 10, it agreed.
“If you take the deal, you’re going to be exploited. If you don’t take it, you’re going to die,” said Ssekamwa, an attorney and digital rights expert in Uganda. “It’s the essence of digital colonialism.”
Across Africa, countries have faced similar dilemmas as the U.S. has held a series of closed-door negotiations in which lifesaving aid has been conditioned on access to citizens’ health data. The negotiations come in the wake of the dismantling of the U.S. Agency for International Development, which — in contrast with the new contracts — provided billions of dollars in aid with few strings attached. Officials in Zambia, Zimbabwe and Ghana have been so outraged by the demands that they rejected the initial deals.
The demand to access health data is central to the Trump administration’s new America First Global Health Strategy, an openly transactional approach that seeks to leverage the desperate need for medical treatments abroad. Aid will now be given “in a way that directly benefits the American people and directly promotes our national interest,” Secretary of State Marco Rubio stated in September.
The State Department declined to publicly release global aid and data-sharing agreements it has signed with more than 30 countries as part of its new approach. But a ProPublica analysis of nine of the deals offers a window into the extensive U.S. demands for access to data — and the potential risks and vulnerabilities for the citizens of countries that have signed them. ProPublica also reviewed a data-sharing agreement struck with Uganda, which has not previously been reported; a data agreement with Kenya; six agreements over the sharing of pathogens that can cause pandemics that were made public by the State Department this week; generic templates of deals for sharing both data and pathogens that can cause pandemics; and an analysis of the documents the advocacy group Public Citizen shared exclusively with ProPublica.
ProPublica also consulted more than a dozen experts in data privacy and global health, including several with direct knowledge of U.S. policy who said that the insistent demands for data access and other resources as a condition of aid are unprecedented. Without seeing the full suite of agreements, they could not identify all vulnerabilities. But they spotted some red flags: The terms of the deals are vague and lack language standard in most data-sharing agreements that adequately limits what data is collected and how it can be used. That increases the risk that individuals’ personal data could be exposed, misused or commercialized without their consent.
In the Ugandan data deal, the U.S. will get direct, real-time access to nine of the nation’s health data systems for seven years, including the central repository that stores all of its health information, lab data, data collected by community health workers and, critically, its system for managing individuals’ electronic medical records. The agreement calls for the sharing of aggregated data with all personally identifiable information removed. It also says the data should be used for delivering and auditing healthcare services.
But lawyers and digital privacy experts argue that the deal raises questions about who will have access to the massive cache of health data and whether it could be inappropriately accessed and exploited.
Some expressed concern that, because it is possible to reverse-engineer data that has been anonymized, people with HIV, tuberculosis and other diseases could have their records exposed.
Stephanie Psaki, who served as the U.S. coordinator for global health security under President Joe Biden, described the Trump administration’s approach as a “blunt instrument of ‘just give me the login to your data systems.’”
“The U.S. would never agree to that,” she said, if the deal were offered in reverse.
In Uganda, the U.S. will provide up to $1.7 billion over five years for global health security and the treatment and prevention of deadly conditions such as malaria, tuberculosis, HIV and polio. In the past, the U.S. gave this aid without asking for direct benefits in return, saving an estimated 170,000 Ugandan lives per year.
While a significant investment, it is less than the U.S. previously spent in Uganda and will decrease every year of the agreement. By 2030, the African nation will receive 45% less global health funding than when Trump retook office, according to an analysis by Vincent Lin of Partners in Health, which provides healthcare in poor countries.
Several experts said there is broad support for some of the goals of the new plan for aid, including reducing African countries’ dependence on the U.S. for healthcare needs. But they worry the transactional nature of the approach could backfire by undermining trust or, in some cases, driving nations to reject deals altogether.
After withdrawing from the World Health Organization and losing access to its global network that tracks and combats disease outbreaks, the U.S. is attempting to obtain the information necessary to address potential pandemics through a patchwork of deals with individual countries. Each of the agreements ProPublica reviewed includes a section on responding to outbreaks. And some countries have signed separate pathogen-sharing agreements, which state that countries must “initiate sharing specimen(s) and related data” within five days of a U.S. request. The Trump administration is also planning unprecedented involvement of private companies to manage and process data.
The State Department told ProPublica that it needs access to the data to improve health outcomes in recipient countries and keep Americans safe. The new approach also requires countries to invest more in their own health systems in exchange for the aid, a promise many countries will likely struggle to fulfill. And, in some cases, including the deal with Uganda, it aims to boost local manufacturing through partnerships with American companies.
The State Department said it took multiple factors into account to ensure the required investments from other countries were “realistic and achievable.”
“The United States is investing billions of dollars in other countries’ health systems to fight infectious disease. In return, we expect governments to increase their own spending on health, so programs are sustainable and under genuine national ownership, not permanently financed by U.S. taxpayers. For the first time, both sides are putting skin in the game to ensure lasting impact,” a State Department spokesperson said in response to questions about the agreements.
In response to follow-up questions from ProPublica, spokesperson Tommy Pigott said the agreements “share only the same kinds of aggregated, de-identified data that has been shared and used for years in the fight against HIV/AIDS, malaria, tuberculosis, and other diseases. All data sharing is consistent with each country’s laws and approvals. No personally identifiable information is being received or shared by the United States government.”
Uganda’s Ministry of Health, Ministry of Foreign Affairs, Personal Data Protection Office and embassy in Washington, D.C., did not respond to questions for this article.
In the age of artificial intelligence, large health data sets have become so valuable they’ve been referred to as the new gold. The precise value of the health data of an entire nation is unclear, but it could be extremely valuable to AI-driven companies for training models. The industry of buying and selling such information troves is worth billions. And countries around the world have come to regard their citizens’ health records as national assets that deserve special protections and can confer economic and strategic advantages.
Yet the agreements, which are part of a strategy the State Department openly states is intended to make America “more prosperous” and “promote American health innovations,” provide no guarantee that Africans subject to them will have a say in what happens with their data or receive a fair share of its benefits. “Once companies get this data, the value is being accrued. But there’s no way for the [African] population to know how companies will use it,” said Jane Munga of the Carnegie Endowment for International Peace, who has argued that the agreements may violate African privacy laws.
Africans have also expressed concern that they will not be able to access and benefit from medicines and vaccines developed from pathogen samples shared with the U.S. Five of the six specimen-sharing agreements reviewed by ProPublica state that, in the event that a medical product is developed primarily from a specimen from the country, the U.S. government “shall prioritize” a request from that government behind the needs of the U.S. Only one of the agreements, with Nigeria, commits the U.S. to facilitating “priority access” to — and the donation of — any medical products developed using the specimens.
The phenomenon of extracting information and samples from less-resourced populations and failing to credit and compensate them for their contributions to medical developments is well known enough to have several names, including “parachute science.” Just a few years ago, countries, including some in Africa, hosted COVID-19 vaccine trials, only to later struggle to access the shots they helped to develop.
Each agreement includes “benefit-sharing provisions,” the State Department said in response to questions.
After the Trump administration dismantled USAID, the world’s largest provider of humanitarian assistance, it also drastically reduced funding for international health work done by the Centers for Disease Control and Prevention and severely scaled back the President’s Emergency Plan for AIDS Relief, which combats HIV globally. In addition to withdrawing from the WHO, the U.S. removed itself from international negotiations over a pandemic agreement intended to affirm countries’ sovereign rights to their biological resources and ensure equitable access to medical interventions.
Brad Smith, an entrepreneur who served in the first Trump administration, is now in charge of creating the system that would rise from the ashes. Before joining this administration, Smith founded three companies with business models that rest in part on using data to reduce healthcare costs, including CareBridge, a home care provider that sold for a reported $2.7 billion in 2024. During the presidential transition that year, Smith led the government efficiency panel that would become Elon Musk’s Department of Government Efficiency. After Trump took office, he presided over some $67 billion in sweeping cuts to the Department of Health and Human Services before being brought on as an adviser to the State Department.
Although the humanitarian aid system had been largely dismantled, Congress required the executive branch to continue providing aid. So Smith and his team had to find new ways to get the funding to countries, ensure that it was being spent wisely and address potential pandemics — all without most of the international partners and staff the government had previously relied on to carry out this complex work.
A Rhodes scholar known for his intense work ethic, Smith threw himself into the effort. State Department staff fielded calls from him at all hours of the night to explain budget items on spreadsheets. Through his personal lawyer, Smith referred questions to the State Department.
One of the greatest challenges lay in the handling of health data. In the past, PEPFAR, the HIV program, built its own systems to handle anonymized data, separate from government health records — a setup that Trump administration officials and others have criticized as inefficient.
The America First plan proposed standardizing data collection and processing within countries. The Ugandan data agreement requires the country to provide the U.S. — and its contractors — with logins “or other secure access mechanisms” to directly enter the country’s data systems. The new approach, U.S. officials say, will enable the U.S. to continue auditing programs and track outbreaks.
The agreements ProPublica reviewed include statements about the U.S. government’s intent to ensure data security and say that the data is being accessed for the purposes of addressing diseases and auditing that work, but they leave open the possibility that sensitive information could be revealed, according to the data privacy experts ProPublica consulted.
At particular risk are countries that don’t have national data privacy laws, such as Liberia, whose memorandum of understanding requires “interlinked and interoperable” data systems for “surveillance, laboratory, response, health, environment, agriculture.” That country’s main health agreement doesn’t require the U.S. to limit the amount of data it takes to the least needed, a standard clause in U.S. contracts, according to Abdoul Jalil Djiberou Mahamadou, a recent postdoctoral fellow focusing on bioethics at Stanford University. (Neither Liberia nor the State Department has released the supplemental data-sharing agreement.) “Once data is breached, it’s nearly impossible to get it back,” Mahamadou added.
The Liberian government did not respond to a request for comment.
The Ugandan data-sharing agreement says it will comply with the laws of both nations and permits the sharing of “sensitive personal data” if the consent of individuals whose data is shared is obtained, there is a compelling public health emergency of international concern and it is the only way information can be provided in a “timely and accurate format.”
Ssekamwa, the digital rights expert who also founded and runs the African Centre for Digital Justice, said there are important questions that haven’t been answered by the Ugandan government.
“Does the U.S. have appropriate data protections? Can the systems provide anonymized data? Are they really up to that standard?” said Ssekamwa. “If I’m someone who has had health issues, can you deny me a visa because of the health issues I’m having?”
Psaki, the former global health security coordinator, worried about the haste with which the changes to data access are happening. “Even in the best of circumstances, you can’t go from having parallel data systems that were established over 20-plus years to finding some way to integrate those data systems in six months.”
Speed has been a hallmark of the America First global health effort. In September, just a month after Smith joined the State Department, it launched the strategy at an event co-sponsored by the U.S. Chamber of Commerce and five large pharmaceutical companies. By November, Smith was crisscrossing the African continent with a small team of negotiators, trying to persuade dignitaries to agree to deals.
The State Department said the deals were “negotiated in a thoughtful and strategic way over many months.”
On Dec. 4, Kenya became the first country to sign, during a triumphant celebration with Rubio and President William Ruto in Washington. Outcry over the agreement had already begun two days earlier, when a Kenyan activist named Nelson Amenya announced on the social platform X that he had seen a sample of the specimen-sharing agreement as well as a legal analysis that showed it would violate Kenyan law.
As a condition for receiving $1.6 billion in aid, the Kenyan government agreed to provide access to seven years’ worth of health records — two years longer than the U.S. would provide financial support.
Although the Kenyan data-sharing agreement states that the U.S. will take “all reasonable measures to protect the confidentiality of information” and abide by American and Kenyan laws, Amenya worried that wouldn’t be enough. “Every HIV test, TB diagnosis, malaria case – accessible to US officials,” he wrote in the post, which now has one million views. “Your medical records, your children’s health data – all exposed.”
A few days later, a Kenyan senator named Okiya Omtatah sued members of the Kenyan government over the agreement, arguing that it poses a threat to citizens’ constitutional right to privacy by “allowing broad foreign access to sensitive data.” A Kenyan nonprofit also sued, and more than 50 groups weighed in on their side, describing the document as giving the U.S. “excessive access” to African data and raising the possibility of serious human rights violations.
In court filings, the Kenyan government argued that it is obligated to achieve the “highest attainable standard of health” and that it is unable to do that on its own. After blocking the deal for months, in May, the Kenyan court temporarily allowed implementation of the agreement to proceed while it considers the case.
Since outrage bubbled up in Kenya, some other countries have negotiated shorter terms for sharing data and pandemic specimens, and have inserted additional protections, according to the Public Citizen analysis.
Still, groups across Africa have sounded alarms about dangers inherent in these provisions, including data breaches. Examples of such unauthorized access to personal data abound, including a recent case where the healthcare data of some 500,000 participants in the UK Biobank wound up listed for sale on the Chinese website Alibaba.
Revealing whether someone has had an abortion, mental health condition, substance use treatment or sexually transmitted disease can be devastating anywhere. In Africa, research has shown it can lead to discrimination and violence. And even when personal information has been removed, individuals in “anonymized” data can be reidentified using AI and other tools.
The Ugandan data-sharing agreement calls for the U.S. government to “promptly notify the Government of Uganda of any unauthorized access” in such cases and requires the parties to conduct a joint breach assessment and remediation plan afterward. But by that point, it may be too late, Ssekamwa fears. “Once the data gets out of Uganda, we are skeptical that the government of Uganda will actually have any power to control it,” he said.
The secrecy around both the negotiations and the agreements has raised further suspicions. The State Department has declined to share the agreements, telling ProPublica the agency will release them when negotiations with all partner governments are complete and describing its actions as “protecting sensitive negotiations—not ‘secrecy.’” In response to a public records request filed by ProPublica, the State Department said it planned to provide the documents in September 2027. The advocacy group Public Citizen recently filed suit against the federal government in an effort to obtain the documents.
“Why are they hiding the agreement if they think the terms are OK?” asked Bernard Okpi, a Nigerian lawyer who sued his government in March, alleging that the deal violates the country’s constitutional right to privacy and promotes religious discrimination by prioritizing funding for Christian faith-based health facilities. That suit is pending, and the Nigerian government did not respond to questions from ProPublica.
The State Department said that the agreement with Nigeria “was negotiated in connection with reforms the Nigerian government has made to prioritize protecting Christian populations from violence.”
The Trump administration says that its new global health strategy is designed to save lives and keep the U.S. — and the world — safe from disease outbreaks. But ultimately its hard-driving and secretive negotiations may work against those goals.
While the administration aspired to strike agreements with 50 nations, including the three countries that walked away from negotiations in part over concerns about data sharing, it has fallen far short of that number. (In Zambia, officials also balked at U.S. demands for critical minerals.) The loss of aid in those countries is already proving to be devastating.
Despite the Trump administration’s stated goal of putting “America first,” the U.S. may feel the consequences of those failed negotiations, too, as mistrust compounds the loss of long-standing systems that provided care and responded to disease outbreaks.
“It’s in everyone’s interest to have a comprehensive approach to respond to an outbreak early,” said Psaki, who pointed to the quickly escalating number of Ebola cases in the Democratic Republic of Congo as evidence. While that country struck a healthcare deal with the U.S., five of the nine countries bordering it have not. “We need to get data and samples from all nine countries to collaborate effectively on that outbreak, and now we don’t have that.”
The State Department said the U.S. has responded swiftly to the outbreak and has provided over $270 million to the global fight against Ebola.
In Uganda, where people have also fallen sick and died from Ebola, Ssekamwa said that his country needs all the help that the healthcare deal can bring, including improved protection from outbreaks, but there needs to be more robust protection of people’s personal data.
“We are happy to benefit from the technological advancement and the fruits of big data,” he said. Instead, he said, “the U.S. has left so many gaps within the agreement, which can be exploited in their favor.”
