During the pandemic, telehealth became prominent, with companies old and new offering their services in the most convenient way possible. However, like anything accomplished through technology, the risk to privacy is a major concern. That is why it comes as no surprise that telehealth startups have been giving sensitive data to Big Tech. But how bad is the issue?
STAT and The Markup did a joint investigation into 50 telehealth companies. The investigation targeted direct-to-consumer companies and found that they leaked sensitive patient data to leading advertising platforms. Out of the 50 companies, 49 were found to transmit the URLs users visited. Additionally, 35 of the 50 sent personal information, and 13 of 50 provided users’ answers to questionnaires.
- Other transmitted information included when users created their accounts, when they added things to their cart, and when they initiated checkout.
- The trackers that transmitted the data came from platforms including Meta, Google, TikTok, Bing, Snap, Twitter, LinkedIn, and Pinterest.
- Not every page on the websites was tested, meaning these figures are the minimum number of telehealth companies transmitting said data.
- The only telehealth platform that did not report URL data was Amazon Clinic, which was launched by and belongs to Amazon. That means the data still went to a tech giant.
Telehealth operates in ethical and moral gray areas. The Health Insurance Portability and Accountability Act (HIPAA) exists to protect regular privacy, but it does not cover telehealth services. Because of that, there are areas that can be exploited, allowing for the sharing of health-related data.
- Sharing this type of data could put companies under scrutiny for unfair business practices, alongside threatening basic patient privacy and trust.
- The study did not determine how or whether the data collected by tech companies was used.
Who is responsible? While tech companies do collect the data, they do not personally oversee every tracker or the source of the data. Ultimately, telehealth companies are responsible for the protection of sensitive data and keeping patient information private, and that includes properly managing trackers on their websites.
Dale Hogan, a spokesperson for Meta, said, “Advertisers should not send sensitive information about people through our Business Tools.” As such, it seems most of the responsibility should fall on the telehealth companies transmitting the sensitive data.
People are looking for privacy with online healthcare, which makes the betrayal of trust worse. Patients assume their data will remain private, especially health-related data. Many of the telehealth providers even promise as much, understanding that it is an important part of the process.
However, things are not as simple as they seem. Often, telehealth companies are middlemen, merely connecting patients to affiliated providers. Those providers are covered by HIPAA, but telehealth companies are not. That makes information collected during intake “fair game.”
It is not anything new. Regulators have already started cracking down on the collection and sale of personal health data. The FTC sued data broker Kochava over the issue, and Meta has fallen under scrutiny and a class-action lawsuit over data breaches.
Cerebral, a mental health company that has received scrutiny for its prescribing practices, also transmitted data to Facebook when patients filled out a required questionnaire. While a spokesperson said the company was “removing any personally identifiable still durable information,” The Markup found testing. It is further proof that in the current landscape, privacy might be expected, but it is certainly not guaranteed.
Spencer Hulse is a news desk editor at Grit Daily News. He covers startups, affiliate, viral, and marketing news.