Ad tracker action heats up: Congress questions DTC telehealth companies on sensitive patient health data sent to advertisers

February 9, 2023 | by

It looks like telemental and addiction counseling telehealth sites are routinely sending patient information to media ad platforms–Google, Facebook (Meta), TikTok, Microsoft, Snapchat, Bing, Pinterest, and Twitter–to serve ads back to patients. Four Senators sent letters this week to three telehealth companies treating patients: Monument (alcohol addiction), Workit Health (opioid and alcohol), and Cerebral (ADHD and other mental health). The letters questioned the use of ad trackers (pixels) such as Meta Pixel that collect information from telehealth sites and then use the information to send users targeted ads based on that information. Except that this is not about curtains or shoes, but medical treatment. 

Kicking this off was The Markup/STAT study in December, examining 50 telehealth websites.

  • 49 of 50 websites shared user/patient tracking data to advertising platforms. This captured data as routine as URLs and IPs, and as extensive as name, email, phone, questionnaire answers, when users created accounts, and cart behavior, such as a prescription medication or treatment plan.
  • 35 were found by the study to have trackers sending individually identifying information to at least one media platform that included names, email addresses, and phone numbers
  • 25 had at least one tracker that indicated when users added prescription drugs and other items to their cart or when they checked out with a subscription for a treatment plan
  • 13 had at least one tracker that collected patients’ answers to medical questions

Ad trackers then send that information to platforms, which then serve targeted ads back to the telehealth companies’ users and patients. For the telehealth companies, the data is monetized. Because ads are served, there is a revenue stream back to the telehealth companies. 

From the senators’ letter: “This data is extremely personal, and it can be used to target advertisements for services that may be unnecessary or potentially harmful physically, psychologically, or emotionally.” Markup/STAT

Users may well assume that because the telehealth companies eventually connect them to a provider covered by HIPAA, or sends them a prescription from a provider, such as migraine treatment, that their data is protected along the entire journey. That assumption has now been demonstrated to be incorrect. This included major, heavily advertised DTC providers such as Lemonaid, Keeps, Hims & Hers, Talkspace, and Roman (Ro). Many of them are now examining their pixel policies.

The December article linked above has all 50 companies and what information they found was sent to ad platforms. The only website that did not was Amazon Clinic–brand new and of course not wanting to share their information outside of Amazon.

This follows on the FTC’s still to be approved by a Federal court, but apparently successful $1.5 million action against med discounter GoodRx using the never-used-before Health Breach Notification Rule, enacted in 2009 [TTA 3 Feb]. 

Why this is significant: first, the FTC action using an old rule, followed by the senators targeting three prominent (and in Cerebral’s case, beleaguered) telehealth companies, and the red meat documentation provided by The Markup/STAT study provide grounds for endless follow-up by not only Congress, but also private and public (DOJ) litigation. Stay tuned.

Facebook Meta Pixel update: Nemours Children’s Health using 25 ad trackers on appointment scheduling site

June 21, 2022 | by

The Meta Pixel tracker study gets a little worse–this time, it’s information on appointments for children. The Markup’s investigation on healthcare use of ad trackers continues with an examination of Nemours Children’s Health, a Delaware-based multi-state health network with 97 locations in Delaware, Pennsylvania, New Jersey, and Florida that serve about 500,000 families. Once again, Meta Pixel and other ad trackers were found to capture personal information and patient/family details entered by an adult on the appointment scheduling site to Facebook that may constitute protected health information.

Meta Pixel was recorded as tracking:

  • IP addresses
  • Scheduled doctor and his or her specialty
  • In some cases, the first and last name of the child being scheduled

It is not this information alone, but in combination with other information that Facebook possesses, that can profile any user’s health conditions, link specific conditions to individuals and parents, and thus constitute a privacy violation. IP addresses are one of the factors that HIPAA cites as when linked to other information, create a violation.

The Markup used a tool called Blacklight to scan Nemours’ websites.

What was Nemours thinking in building their website? In addition to Meta Pixel, the scheduling site is riddled with 25 ad trackers and 38 third-party cookies. These are coded in by Facebook, Amazon, Google, and The Latest Healthcare Transformer, Oracle. Oracle claims it has healthcare data on 80% of US internet users, and one can assume this is how they get it. Ad platforms MediaMath and LiveRamp also captured data. The Markup’s team could detect the trackers, but not determine what information these ad trackers were capturing. 

In addition to the trackers on the scheduling site, Blacklight picked up a session recorder from Mouseflow. This is code that can potentially track what people click on a page. Mouseflow states on its Legal Hub that in order to transmit HIPAA-protected information to a third party, a business associate agreement (BAA) must be in place. Mouseflow did not confirm a BAA agreement to The Markup, but in a statement to them insisted that Mouseflow does not permit the transmission of PII or PHI and masks that information.

Not all health data transmitted constitute HIPAA violations, but capture of appointment scheduling information is right on the line of HIPAA violations, though not 100% conclusive.

Elsewhere on the Nemours website, there were nine ad trackers and ten third-party cookies. 

Even after they were notified by The Markup, Nemours persisted in using Meta Pixel. While many of the trackers on the scheduling site were removed, trackers from Facebook, Google, and Salesforce remained. Facebook’s Meta Pixel was removed after last week’s story.

This is certainly another gap between the suits in the suites and the IT/developers rowing in the galley.

Breaking: Hospitals sending sensitive patient information to Facebook through website ‘Meta Pixel’ ad tracker–study

June 17, 2022 | by | 2 Comments

Meta Pixel tracker sending appointment scheduling, patient portal information to Facebook–likely to become the Hot Story of next week. A study published jointly by The Markup and STAT examined the patient-facing areas of Newsweek’s 100 leading hospitals’ websites. It found that 33 of them permit the Meta Pixel ad tracker to send sensitive patient information back to Facebook. Ostensibly the reason is to better serve the patient with more tailored information, but what is not disclosed is what else Facebook is doing with the information. At a minimum, the information is the IP address–which HIPAA considers one of 18 identifiers that when linked to other personal information, can constitute data as protected health information.

Ad trackers like the Meta Pixel are used to target website visitors and also to track ads placed on Facebook and Instagram. Developers routinely permit these snippets of code as trackers for better performance and website tracking.

  • For 33 hospitals, the Pixel tracker is picking up and sending back to Facebook information from users of the hospital’s online appointment scheduler: the user’s IP, the text of the button, the doctor’s name, and the search term. In testing the sites using a team approach facilitated by a plug-in called Mozilla Rally, the testers found that in several cases, even more identifiable patient information was being sent: first name, last name, email address, phone number, zip code, and city of residence entered into the booking form.
  • Seven hospitals have the Pixel deep into another highly sensitive area–the password-protected patient portal. These go by various names, but a popular one is Epic’s MyChart. One surveyor found that for Piedmont Healthcare, the Pixel picked up the patient’s name, the name of their doctor, and the time of their upcoming appointment. For Novant Health, the information was even more detailed: name and dosage of medication in our health record, notes entered about the prescription about allergic reactions, and the button clicked in response to a question about sexual orientation. (Novant has since removed the Pixel.)

None of the hospitals using the Pixel have patient consent forms permitting the transmission of individual patient information, nor business associate agreements (BAAs) that permit this data’s collection.

The reaction of most of these hospitals was interesting. Some immediately removed it without comment. Others maintained that no protected information was sent using Pixel or otherwise defended its use. Houston Methodist was almost alone in providing a detailed response on how they used it, but subsequently removed it.

Facebook maintains that it does not use this information in any identifiable way and that from 2020 it has in place a sensitive health data filtering system and other safeguards. The New York Department of Financial Services, in a separate action monitoring Facebook in this area, questioned the accuracy of the filtering system. Even when the information is ‘encrypted’, it’s easy to break. Internal leaked Facebook documents indicate that engineers on the ad and business product team admitted as late as 2021 that they don’t have “an adequate level of control and explainability over how our systems use data, and thus we can’t confidently make controlled policy changes or external commitments such as ‘we will not use X data for Y purpose.” (quoted from Vice)

The study could not determine whether Facebook used the data to target advertisements, train its recommendation algorithms, or profit in other ways, but the collection alone can be in violation of US regulations. 

On the face of it, it violates patient privacy. But is it a HIPAA violation of protected health information? No expert quoted was willing to say that was 100% true, but a University of Michigan law professor who studies big data and health care said that “I think this is creepy, problematic, and potentially illegal” from the hospitals’ point of view. Some of the hospitals in their comments say that they vetted it. One wonders at this tradeoff.

To this Editor, Meta Pixel’s use in this way walks right up to the line and puts a few toes over.

If this is true of 33 major hospitals, what about the rest of them–smaller and less important than Columbia Presbyterian, Duke, Novant, and UCLA? What all of us have suspected is quite true–social media is collecting data on us and invading our privacy at every turn, and except for exposés like this, 99% of people neither know nor care that their private information is being used.

The Markup is continuing their “Pixel Hunt” series with childrens’ hospitals. A previous article is about Pixels tracking information from crisis pregnancy centers, about as sensitive as you can get. Also HISTalk.