Private Health Data Still Being Exposed to Big Tech, Report Says

October 17, 2023

Despite recent efforts to address the issue, medical-related websites continue to be mined for data including personal medical information, in an apparent violation of patients’ privacy rights, according to a new study.

Some of the most common tracking pixels were from Alphabet Inc.’s Google, Microsoft Corp., Meta Platforms Inc. and ByteDance, the parent company of TikTok, according to a report by the cybersecurity company Feroot Security.

Feroot analyzed hundreds of health-care and telehealth websites and found that more than 86% are collecting and transferring data without obtaining consent from the user. More than 73% of login and registration pages have trackers, exposing personal health information.

About 15% of the tracking pixels identified by Feroot read and collect a user’s keystrokes, meaning they could capture Social Security numbers, names, email addresses, appointment dates, IP addresses, billing information and even a medical diagnosis and treatment, according to the report.

The trackers place a small piece of code on a website and record how a user interacts with the page. Then, the tracker sends a packet of information on the user back to the tech company. The data collected can inform website analytics, marketing campaigns and ad targeting. It can also be transferred out of the US if the host company is based in another country.
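An added illustration of how a site operator can audit its own pages for the mechanism described above (this is example code, not part of the report or of any product): it parses a page, lists every script, image or iframe loaded from another origin, flags those whose host belongs to a known tracker vendor, and notes whether the page is a login page. The vendor-to-domain mapping, the sample HTML and the host name `portal.example-clinic.test` are assumptions constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Vendor domains for the trackers the report names. This mapping is an
# assumption made for this example; it is not taken from the Feroot report.
TRACKER_DOMAINS = {
    "google-analytics.com": "Google", "googletagmanager.com": "Google",
    "doubleclick.net": "Google", "facebook.net": "Meta", "facebook.com": "Meta",
    "clarity.ms": "Microsoft", "bing.com": "Microsoft", "tiktok.com": "TikTok",
}

class ResourceCollector(HTMLParser):
    """Records src targets of script/img/iframe tags and whether a password field exists."""
    def __init__(self):
        super().__init__()
        self.resources = []
        self.has_password_input = False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            self.resources.append(a["src"])
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password_input = True

def vendor_for(url):
    # Match the host exactly or as a subdomain of a known tracker domain.
    host = (urlparse(url).hostname or "").lower()
    for domain, vendor in TRACKER_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return vendor
    return None

def audit_page(html, site_host):
    """Return which known trackers a page loads and whether it is a login page."""
    parser = ResourceCollector()
    parser.feed(html)
    trackers = []
    for url in parser.resources:
        host = urlparse(url).hostname  # None for same-origin relative paths
        if host and host != site_host and vendor_for(url):
            trackers.append((vendor_for(url), url))
    return {"login_page": parser.has_password_input, "trackers": trackers}

# Constructed sample: a patient-portal login page embedding a Google tag and a Meta pixel.
SAMPLE_LOGIN_PAGE = """<html><head>
<script src="https://www.googletagmanager.com/gtag/js?id=GTM-EXAMPLE"></script>
<script src="/static/app.js"></script></head><body>
<form action="/login"><input type="password" name="pw"></form>
<img src="https://www.facebook.com/tr?ev=PageView" height="1" width="1">
</body></html>"""
```

Running `audit_page(SAMPLE_LOGIN_PAGE, "portal.example-clinic.test")` reports both third-party trackers and marks the page as a login page; the first-party script is ignored.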

If personal health information is collected through a tracker or third party without a user’s consent, it would represent a violation of the Health Insurance Portability and Accountability Act, known as HIPAA, according to Feroot Chief Executive Officer Ivan Tsarynny. Personal health information can include everything from current mental or physical health conditions to billing information.

Representatives for Facebook, Google, and Microsoft denied that their tracking pixels are used for collecting sensitive data. A spokesperson for Google said the site owners, not Google, are in control of how information is collected and that the site must inform users about any data collection. Google’s third-party analytics policy prohibits customers from collecting protected health information for advertising.

A spokesman for Facebook said sending sensitive data through its business and analytics tools is against company policy and added that the system is designed to filter out sensitive data. TikTok didn’t respond to a request for comment.

“While tech companies do have policies that talk about protecting health info, the real-world application of these policies is a different story,” Tsarynny said in an email.

The report doesn’t point to specific websites or instances from which medical information was mined. The health-care companies are responsible for protecting personal health data from disclosure to third-party websites, according to a statement from the US Department of Health and Human Services.

Iliana Peters, data privacy attorney at the law firm Polsinelli PC, said the web pages that require a login pose a larger concern since personal data is exposed to a third party, setting up potential privacy lawsuits if the user didn’t grant consent.

Feroot’s report also says its researchers found TikTok’s analytics tracker on some websites. The US government and 38 states have enacted a ban or a partial ban of the popular app on government devices, according to a Bloomberg Law article from May.

In addition, more than 4% of the health websites analyzed by Feroot loaded tracking tools or transferred patient data to companies banned by federal and state executive orders.

Feroot’s study follows other news stories or lawsuits that sought to highlight or address the issue. For instance, a 2022 investigation by The Markup found the Meta pixel tracker on the websites of a third of the top 100 hospitals in the US. That tracker then sent patient data from those sites to Facebook, the investigation found.

In December 2022, HHS released guidance on tracking technologies and HIPAA compliance. For instance, health-care companies and organizations aren’t permitted to use tracking technology if protected health information could be disclosed to the third party, according to HHS’s guidelines.

Since then, litigation has increased over information sharing, including from the Federal Trade Commission and state Attorneys General offices, according to Nixon Peabody LLP attorney Valerie Montague.

In July, HHS and the FTC sent letters to 130 health-care organizations alerting them of potential data disclosures to trackers and the risks of using Google and Facebook trackers. Health-care companies are responsible for monitoring the transfers of health data, according to FTC guidance released in March.
