Public Health

How journalists discovered that some telehealth startups share patient data with social media trackers


From left to right: Katie Palmer of STAT, Todd Feathers and Simon Fondrie-Teitler of The Markup

In September 2022, I wrote about how journalists with The Markup discovered that many hospital websites have been sharing patients’ medical data with Facebook via a tracking tool known as the Meta Pixel. Then in December, the U.S. Department of Health and Human Services announced that entities covered by HIPAA can’t use pixel trackers if they transmit protected health information without patient consent or if they don’t have a signed agreement with the technology-tracking vendors, Becker’s Health IT reported.

In a follow-up story published in December, The Markup/STAT investigative team found that websites run by dozens of telehealth startup companies also contained tracking tools that shared users’ potentially sensitive health information with big tech organizations.

Of 50 direct-to-consumer telehealth companies they evaluated, 13 had at least one tracker that collected patients’ answers to medical intake questions, and 25 told at least one big tech platform that a user had added an item like a prescription medication to their cart, or checked out with a subscription for a treatment plan. And 49 out of 50 companies sent URLs that users visited on the site to at least one tech company. The trackers found here weren’t just Facebook’s Meta Pixel but additional trackers from Google, Bing, TikTok, Snapchat, Pinterest, LinkedIn and Twitter.

As part of their investigation, team members set up fake accounts and completed intake forms. To see what data was being shared, they examined the network traffic between trackers using Chrome DevTools, a tool built into Google’s Chrome browser. There they found that trackers on one site, for example, sent responses about self-harm, drug and alcohol use and personal information such as a user’s name, email address and phone number to Facebook. It’s so far unclear what the companies receiving such information are doing with it.
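
A site owner can script the same kind of check against a HAR file exported from the DevTools Network panel after submitting a form with known test values. The following is an added example, not code from The Markup or STAT; it assumes Node.js, and the canary values, hostnames and parameter names are constructed placeholders.

```javascript
// Added example: scan a HAR export from the DevTools Network panel for seeded
// "canary" values that reach hosts other than the site being tested.
const crypto = require("crypto");

const sha256 = (s) => crypto.createHash("sha256").update(s).digest("hex");

// Constructed canary values entered into the intake form by a test account.
const CANARIES = { email: "canary.patient@example.test", phone: "5555550123" };

// Forms a value can take on the wire: as typed, URL-encoded, or SHA-256 hashed.
function variants(value) {
  const v = value.trim().toLowerCase();
  return { raw: v, "url-encoded": encodeURIComponent(v).toLowerCase(), sha256: sha256(v) };
}

// Returns one record per canary field found in a third-party request.
function findLeaks(har, firstPartyHost, canaries) {
  const leaks = [];
  for (const { request } of har.log.entries) {
    const host = new URL(request.url).hostname;
    const firstParty = host === firstPartyHost || host.endsWith("." + firstPartyHost);
    if (firstParty) continue; // the site itself is expected to receive the form
    const haystack = (request.url + "\n" + (request.postData?.text ?? "")).toLowerCase();
    for (const [field, value] of Object.entries(canaries)) {
      // A hashed identifier still counts: the recipient can match it to a profile.
      const hit = Object.entries(variants(value)).find(([, v]) => haystack.includes(v));
      if (hit) leaks.push({ host, field, form: hit[0] });
    }
  }
  return leaks;
}

// Constructed HAR fragment (hosts and parameter names are placeholders).
const SAMPLE_HAR = { log: { entries: [
  { request: { method: "GET",
      url: "https://pixel.tracker-a.example/tr?ev=Lead&em=canary.patient%40example.test" } },
  { request: { method: "POST", url: "https://collect.tracker-b.example/e",
      postData: { text: JSON.stringify({ em: sha256(CANARIES.email), ph: "5555550123" }) } } },
  { request: { method: "POST", url: "https://www.telehealth.example/api/intake",
      postData: { text: "email=canary.patient@example.test" } } },
  { request: { method: "GET", url: "https://fonts.cdn.example/a.woff2" } },
] } };

console.table(findLeaks(SAMPLE_HAR, "telehealth.example", CANARIES));
```

Matching on hashed and URL-encoded forms matters because a search for the plain-text value alone would miss the second tracker in the sample.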

In a new “How I Did It,” Katie Palmer of STAT with Todd Feathers and Simon Fondrie-Teitler of The Markup describe how they got the story and what surprised them most.

Responses have been lightly edited for brevity and clarity.

How did you get the idea to look into telehealth companies?

Palmer: I’ve been tracking direct-to-consumer health care companies for about six months at STAT, and started noticing a proliferation of quizzes and surveys gathering medical information. The Markup had done great work showing the information sent via trackers on hospital sites, and I wondered if the same was the case here. I used their Blacklight tool to do a preliminary analysis of some of these telehealth websites and saw way more than average numbers of trackers appearing on several of them. That’s when we reached out [to The Markup] and set up a more formal collaboration to see what information might actually be collected by these trackers.

How did you choose which telehealth companies to focus on?

Palmer: We wanted to focus on direct-to-consumer sites, not telehealth sites you’d be directed to by your existing provider. Typically, they’re ones that focus on subspecialties of care, like migraine or reproductive health, prescription-focused for the most part. We didn’t want to use telehealth companies that offered primary care, urgent care or more comprehensive care, with the idea being that the more specific your goal as a patient, and your concerns that you’re going to these companies for, could potentially increase the risk to the patient in terms of exposure of their health information.

This investigation found more than just the Meta Pixel tracker you reported on earlier, including ones from Google, TikTok and other social media apps. Was that surprising?

Feathers: I suppose it shouldn’t have been that surprising, but I wasn’t expecting Pinterest or LinkedIn trackers, for example, on these sites, or even the TikTok ones. We didn’t start out to go looking for them. We were just playing around on these sites and started to see that a lot of them were sending information to these various platforms.

Fondrie-Teitler: When we were doing the hospital article, we noticed the presence of some of these others, particularly Google Analytics, but it was out of scope for that story. When we went back in, we were very interested in all of these. Some of the ones that were there I hadn’t thought of, or hadn’t thought of as being big in the advertising space, LinkedIn in particular. Pinterest I know is big but not in the worlds that I’m in, so that was somewhat surprising to me. I think they got added [to the sites] the same way all of these other trackers got added, which for advertising-focused ones, is that they wanted to advertise on these platforms, and this is a step that the platforms push you to do in order to track conversions and see how ads are performing. Or they want analytics and they’ve put some trackers in.

Palmer: What was surprising to me was not the trackers being there but the level of detail being sent by some of them. The same level of detailed information was being sent by the Meta Pixel as some of these other trackers.

Fondrie-Teitler: There are specific pieces of information set up to be sent, much more so than we saw with hospitals. With the hospitals, there is some default information that the Meta Pixel will send to Facebook and if you don’t change anything about that, a set of things gets sent. In this case, it seemed like someone or some piece of software had configured the various pixels to specs and information above the default.

What were you most alarmed by when you were reporting this story?

Feathers: For me it was the lack of awareness on the part of all these telehealth companies about what they were actually doing on their websites, not only the fact that they installed these trackers, and the trackers were gathering medical information, but when we came to these companies, we presented them with really detailed findings, including screenshots and descriptions. We had to go back a couple of times and explain to them that no, the information you’re sending is not anonymous and it doesn’t prevent companies from connecting it to user profiles.

Palmer: I didn’t expect to see these really detailed answers being sent in full in some cases, and on top of that, patients not necessarily realizing that their information is being shared this way. The privacy policies for each company usually say that sharing is happening, but our sources expressed extreme skepticism that any average consumer or patient understands that if it says it’s HIPAA-compliant, that doesn’t mean the medical information they’re sharing isn’t uniformly protected.

Fondrie-Teitler: The other thing that surprised me is … how these companies are structured. The site that you go to is one entity, and there are subproviders set up just to deal with running the website. Because of various state laws, marketing and providing care are split up into multiple entities, and that has HIPAA implications.

What cautions would you offer people using these sites?

Palmer: It’s really a benefit-risk calculation that everybody has to run themselves. People do need to access care quickly, easily and more affordably, and these sites in many cases do offer that. … We need better top-down approaches, regulatory or otherwise, to protect information online in a more transparent and understandable way so people can make that informed decision.

Fondrie-Teitler: Some browsers do a better job of reducing the level of tracking. Firefox and Safari will block or stop certain kinds of tracking from happening by default. There are also add-ons you add to your browser. uBlock Origin is an ad blocker that also comes by default with some blocking capabilities. Privacy Badger is an extension that can specifically block certain kinds of tracking. Browsers like Brave and DuckDuckGo are more focused on privacy.

