Pedestrians stroll by a CVS pharmacy store in San Francisco, California, on May 2, 2022. (David Paul Morris/Bloomberg)
California-based health system Kaiser Permanente recently alerted millions of people that their private information was inappropriately shared with tech giants, angering patients who weren’t aware of the practice.
A Bloomberg News analysis showed the same kinds of online trackers remain on the websites of the nation’s largest health-care companies, often unknown to their millions of patients.
Trackers from Meta Platforms Inc.’s Facebook could access patients’ dates of birth and phone numbers on a website for Cigna Group’s pharmacy unit, the analysis found. People signing up for accounts at UnitedHealth Group Inc.’s pharmacy benefit division might have part of their Social Security numbers sent to an Adobe Inc. marketing service. Websites for units of CVS Health Corp. allowed Social Security numbers, passwords and dates of birth to be read by analytics company Quantum Metric.
“Having something like Facebook trackers all over your website is pretty egregious from a privacy standpoint,” said Justin Sherman, founder of Global Cyber Strategies, an advisory firm.
Websites operated by nine of the 10 largest publicly traded health insurance, hospital and lab companies had advertising and analytics trackers installed on user registration or login pages - places where personal information could be accessed by a third-party company. Bloomberg News examined the websites using a browser tool from Feroot Security, a firm that helps companies find and remove web trackers.
A Meta spokesperson said advertisers shouldn’t send sensitive personal data through the company’s tools, and that its system is designed to filter it out when detected. CVS Health said the company has controls to limit or encrypt identifiable information before it is disclosed to third-party vendors.
Representatives from Cigna, UnitedHealth, Adobe and Quantum Metric declined or didn’t respond to requests for comment.
Privacy advocates warn that trackers on health websites and apps might expose intimate details of people’s lives - Viagra prescriptions, pregnancy, mental health treatment - to advertisers and data brokers without patients’ consent.
In a wider study conducted by Feroot last year, the company found 86% of health-care and telehealth websites were collecting data without users’ consent and sending it to big tech companies. A separate analysis published in JAMA this year found that of 100 hospital websites, 96 transmitted information to a third-party, and the majority didn’t disclose in their privacy policies where the information was going.
Federal regulators have been trying to crack down on how health websites harvest personal data for years. The Federal Trade Commission fined several telehealth companies for sharing user data. The Health and Human Services Department issued guidance saying online trackers could violate federal health privacy rules.
Hospital groups challenged the health agency’s position in court, arguing that it overstepped its authority and pointing out that some government websites used similar technology. In June, a Texas judge ruled against HHS, limiting the agency’s power to penalize health-care companies for using trackers.
$250 billion market
Trackers that collect personal data are ubiquitous across the internet. Sometimes called pixel trackers, these bits of code are hidden to most people. But tech companies and data brokers use them to compile information about how users behave on the web.
They can access what a user clicks on and where they are located to help advertisers target messages. They also build profiles of website users that fuel a roughly $250 billion market for personal information sold to advertisers.
Sometimes details are in the fine print. For example, the privacy policy of CVS’s Aetna unit says that the company collects Social Security numbers, internet addresses and demographic data, among other information. Its trackers may collect and record activity like “page hits, mouse movements, scrolling, typing” and other browsing data.
On health websites that handle sensitive data, trackers raise heightened privacy concerns and may violate federal rules intended to protect patients’ medical information, Sherman and other cybersecurity experts say.
About 15% of health websites could read exact keystrokes on login pages, meaning they could collect Social Security numbers, usernames, passwords, email addresses, appointment times, billing information, and medical diagnoses, according to Feroot’s report last year.
Lawsuits rising
A lawsuit against Kaiser Permanente alleged that trackers collected names, internet addresses and search terms and sent them to Alphabet Inc.’s Google, social media company X and Microsoft Corp.’s Bing search engine. Kaiser’s trackers were deployed on password protected pages, allowing tech companies to create more targeted advertisem*nts based on individual users’ behavior, according to the complaint, filed in June 2023 in federal court in the Northern District of California.
Kaiser said that the company conducted an internal investigation and removed the trackers from websites and mobile applications. The company has sought to dismiss the case and declined to comment on the litigation. Microsoft said its policies prohibit the use of medical information in its targeted ads lists.
Google said customers of its measurement tools, like Google Analytics, own the data collected and the company itself does not use the data for the search engine’s own ad targeting. Its policies bar customers from using Google Analytics to collect protected health information and also prohibit advertising based on people’s health or other sensitive information, a Google representative said.
Another lawsuit against the Blue Cross Blue Shield Association, filed in November in federal court in Illinois, alleged that a website for the federal employees’ health plan sent data to ByteDance Ltd.’s TikTok and other tech companies. The data included users’ searches for topics like mental health or pregnancy, according to the complaint, which noted that TikTok itself is banned on federal government phones over national security concerns.
The association has sought to dismiss the suit and had no comment. A TikTok representative declined to comment on the lawsuit and referred to the company’s policies, which say the pixel should not be installed on websites potentially sharing personal health information.
Some health care companies have removed the trackers from their websites in response to increased pressure, said Ivan Tsarynny, CEO of Feroot. He said he expects more companies to disclose data breaches related to the use of trackers, as Kaiser Permanente did.
It’s not always clear where the data that trackers collect ends up.
“We don’t always know what the purposes for that tracking are,” said Charlotte Tschider, cybersecurity law professor at Loyola University Chicago. “It’s possible that health care organizations don’t exactly know that they are doing what they’re doing.”
