It looks like telemental and addiction counseling telehealth sites are routinely sending patient information to media ad platforms–Google, Facebook (Meta), TikTok, Microsoft, Snapchat, Bing, Pinterest, and Twitter–to serve ads back to patients. Four Senators sent letters this week to three telehealth companies treating patients: Monument (alcohol addiction), Workit Health (opioid and alcohol), and Cerebral (ADHD and other mental health). The letters questioned the use of ad trackers (pixels) such as Meta Pixel that collect information from telehealth sites and then use the information to send users targeted ads based on that information. Except that this is not about curtains or shoes, but medical treatment.
- 49 of 50 websites shared user/patient tracking data to advertising platforms. This captured data as routine as URLs and IPs, and as extensive as name, email, phone, questionnaire answers, when users created accounts, and cart behavior, such as a prescription medication or treatment plan.
- 35 were found by the study to have trackers sending individually identifying information to at least one media platform that included names, email addresses, and phone numbers
- 25 had at least one tracker that indicated when users added prescription drugs and other items to their cart or when they checked out with a subscription for a treatment plan
- 13 had at least one tracker that collected patients’ answers to medical questions
Ad trackers then send that information to platforms, which then serve targeted ads back to the telehealth companies’ users and patients. For the telehealth companies, the data is monetized. Because ads are served, there is a revenue stream back to the telehealth companies.
From the senators’ letter: “This data is extremely personal, and it can be used to target advertisements for services that may be unnecessary or potentially harmful physically, psychologically, or emotionally.” Markup/STAT
Users may well assume that because the telehealth companies eventually connect them to a provider covered by HIPAA, or sends them a prescription from a provider, such as migraine treatment, that their data is protected along the entire journey. That assumption has now been demonstrated to be incorrect. This included major, heavily advertised DTC providers such as Lemonaid, Keeps, Hims & Hers, Talkspace, and Roman (Ro). Many of them are now examining their pixel policies.
The December article linked above has all 50 companies and what information they found was sent to ad platforms. The only website that did not was Amazon Clinic–brand new and of course not wanting to share their information outside of Amazon.
This follows on the FTC’s still to be approved by a Federal court, but apparently successful $1.5 million action against med discounter GoodRx using the never-used-before Health Breach Notification Rule, enacted in 2009 [TTA 3 Feb].
Why this is significant: first, the FTC action using an old rule, followed by the senators targeting three prominent (and in Cerebral’s case, beleaguered) telehealth companies, and the red meat documentation provided by The Markup/STAT study provide grounds for endless follow-up by not only Congress, but also private and public (DOJ) litigation. Stay tuned.