A new study shows how websites and apps gather people’s sensitive health-related information, sometimes without consent, and channel it to the social media giant to generate business.
Digital health companies are funneling sensitive data that patients have shared with them to Facebook to help target advertisements, according to a new study from research group the Light Collective. In some cases this sharing is running afoul of the companies’ own privacy policies and raising concerns about HIPAA violations.
The peer-reviewed study, published Monday in Patterns, a data science journal, examines the way data from individuals’ health-related activity online is tracked across websites or platforms and then used for advertising purposes on Facebook. The researchers studied the online activities of 10 participants active in the online cancer community who had used digital health tools from five different companies: Color Genomics, Myriad Genetics, Invitae, Health Union and Ciitizen. They found that third-party ad trackers used by those companies followed the patients online and marketed to them based on those activities. Three of the companies went against their own privacy policies in the process.
The authors said that after disclosing their findings to the five companies, only Ciitizen and Invitae responded, saying they were investigating the privacy issues with the tracking tools. (Health Union told Forbes after publication that they had no record of being contacted by the researchers.)
Health Union president Lauren Lawhon said the safety and security of people in its online health community are a priority and that it continually takes steps to ensure its data privacy practices are “transparent and compliant with the evolving regulatory environment.” She noted, in an emailed statement, that Health Union recently began using privacy management software that shows website visitors pop-ups giving them the choice to accept or reject cookie-based data collection and tracking. (There is also a “Do Not Sell My Information” link at the bottom of their pages, she said.)
“As a publisher, Health Union collects and tracks data pertaining to content consumption, traffic sources and other information about how users engage with our websites,” Lawhon wrote in the email. “This is done to better understand the types of content, content topics and advertising that are of the most interest to people who participate in our communities, so we can continue to provide engaging, relevant websites in the future.” She also emphasized that Health Union is not covered under HIPAA because it is not a healthcare provider, but rather, a publisher owning various health-related websites.
The other four digital health companies did not respond to requests for comment.
Dale Hogan, a spokesperson for Facebook’s parent, Meta, said these companies should not be sharing personal health information with the social media platform in the first place because that violates Meta’s rules. “Advertisers should not send sensitive information about people through our Business Tools as doing so is against our policies,” he wrote in an emailed statement. “We educate advertisers on properly setting up Business tools to prevent this from occurring. Our system is designed to filter out potentially sensitive data it is able to detect.”
Andrea Downing, cofounder of the Light Collective, which is focused on privacy issues in the online world, said “data gathering and predictive algorithms that are used for advertising and other purposes are one of the biggest threats to online patient communities.” It puts them at greater risk of discrimination and online scams, the authors wrote, adding that tracking software can make cancer-patient populations in particular more vulnerable to medical misinformation and privacy breaches.
Despite the small scale of the study, it is indicative of larger data-sharing trends across digital health and social media. An investigation published earlier this summer by The Markup, for example, revealed how hospital websites use trackers to gather and share sensitive patient information with Facebook for marketing, in possible violation of the Health Insurance Portability and Accountability Act, or HIPAA.
Lengthy, ambiguous privacy policies for these apps often leave users unclear on how their data will be collected, shared and used. Some platforms also engage in risky data practices without individuals’ consent. The new research, co-authored by Eric Perakslis, chief science and digital officer at the Duke Clinical Research Institute, is intended to raise awareness around both.
“Health privacy is a basic requirement in digital medicine for reducing the abuse of power and supporting patient autonomy,” the authors write.
“While the digital medicine ecosystem relies on social media to recruit and build their businesses” through ads and marketing, they add, “these practices sometimes contradict their own stated privacy policies and promises to users.”
By Alexandra S. Levine, Forbes Staff