In September 2022, I wrote about how journalists with The Markup found that many hospital websites were sharing patients’ medical information with Facebook through a tracking tool called the Meta Pixel. Then in December, the U.S. Department of Health and Human Services announced that entities covered by HIPAA can’t use pixel trackers if they transmit protected health information without patient consent or if they don’t have a signed agreement with the tracking-technology vendors, Becker’s Health IT reported.
In a follow-up story published in December, The Markup/STAT investigative team found that websites run by dozens of telehealth startup companies also contained tracking tools that shared users’ potentially sensitive health information with big tech organizations.
Of 50 direct-to-consumer telehealth firms they evaluated, 13 had at least one tracker that collected patients’ answers to medical intake questions, and 25 told at least one big tech platform that a user had added an item like a prescription medication to their cart, or checked out with a subscription for a treatment plan. And 49 out of 50 firms sent the URLs that users visited on the site to at least one tech company. The trackers found were not only Facebook’s Meta Pixel but also trackers from Google, Bing, TikTok, Snapchat, Pinterest, LinkedIn and Twitter.
As part of their investigation, team members set up fake accounts and completed intake forms. To see what data was being shared, they examined the network requests the trackers sent from the browser to their vendors’ servers, using Chrome DevTools, the developer tools built into Google’s Chrome browser. There they found that trackers on one site, for example, sent responses about self-harm, drug and alcohol use and personal information such as a user’s name, email address and phone number to Facebook. It is so far unclear what the companies receiving such information are doing with it.
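The same check can be scripted rather than read off the DevTools Network panel by hand. The script below is an added example, not the reporters’ tooling: it assumes you filled in an intake form with known fake answers, exported the DevTools capture with “Save all as HAR”, and want every tracker request whose URL query string or POST body carries one of those answers. The host-to-vendor map is an assumption (facebook.com/tr is the Meta Pixel endpoint and its `cd[...]` parameters carry site-configured custom event data; the other hosts should be checked against the traffic you actually capture), and the embedded HAR is constructed sample data.

```python
"""Flag tracker requests in a DevTools HAR export that carry intake-form answers.

Added example, not the reporters' code. Assumed workflow: open DevTools >
Network on the site, answer the intake form with known fake values, export
the capture as HAR, then run find_leaks(har, fake_answers) on it.
"""
import json
from urllib.parse import parse_qsl, urlsplit

# Assumed host -> vendor map. Maintain it from the hosts you see in your own
# capture; only the Meta Pixel endpoint (www.facebook.com/tr) is certain here.
TRACKER_HOSTS = {
    "www.facebook.com": "Meta Pixel",
    "analytics.tiktok.com": "TikTok Pixel",
    "bat.bing.com": "Microsoft/Bing UET",
    "www.google-analytics.com": "Google Analytics",
}

# Constructed fake intake answers typed into the form during the test session.
FAKE_ANSWERS = ["Pat Example", "pat.example@example.invalid", "555-0123"]

# Constructed HAR fragment: one first-party page load, one Meta Pixel GET with
# custom data in cd[...] parameters, one TikTok Pixel POST with a JSON body.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET",
                 "url": "https://telehealth.example/intake/step-3"}},
    {"request": {"method": "GET",
                 "url": ("https://www.facebook.com/tr/?id=0000000000&ev=Lead"
                         "&cd%5Bemail%5D=pat.example%40example.invalid"
                         "&cd%5Bfull_name%5D=Pat+Example")}},
    {"request": {"method": "POST",
                 "url": "https://analytics.tiktok.com/api/v2/pixel",
                 "postData": {"mimeType": "application/json",
                              "text": json.dumps({"event": "SubmitForm",
                                                  "properties": {"phone": "555-0123"}})}}},
]}}


def _flatten(obj, prefix=""):
    """Yield (dotted.path, value) for every scalar inside a parsed JSON body."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from _flatten(val, f"{prefix}{key}.")
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from _flatten(val, f"{prefix}{i}.")
    else:
        yield prefix.rstrip("."), str(obj)


def request_fields(request):
    """Return (name, value) pairs from the URL query string and the POST body."""
    fields = list(parse_qsl(urlsplit(request["url"]).query, keep_blank_values=True))
    post = request.get("postData") or {}
    text = post.get("text", "")
    if "json" in post.get("mimeType", ""):
        try:
            fields.extend(_flatten(json.loads(text)))
        except ValueError:
            pass  # malformed body: nothing to inspect
    elif text:
        fields.extend(parse_qsl(text, keep_blank_values=True))
    return fields


def find_leaks(har, known_answers):
    """Return tracker requests whose parameters contain any known fake answer.

    Matching is case-insensitive substring on parameter values, so very short
    answers (e.g. "yes") should instead be checked by parameter name.
    """
    needles = [a.casefold() for a in known_answers]
    findings = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        host = urlsplit(req["url"]).hostname or ""
        vendor = TRACKER_HOSTS.get(host)
        if vendor is None:
            continue  # first-party or unlisted host; not a tracker we know
        for name, value in request_fields(req):
            if any(n in value.casefold() for n in needles):
                findings.append({"vendor": vendor, "host": host,
                                 "method": req["method"], "param": name, "value": value})
    return findings


if __name__ == "__main__":
    for hit in find_leaks(SAMPLE_HAR, FAKE_ANSWERS):
        print(f"{hit['vendor']:<14} {hit['method']} {hit['param']} = {hit['value']}")
```

To use it on a real capture, load the exported file with `json.load` and pass it in place of `SAMPLE_HAR`; values such as phone numbers are often reformatted before transmission, so normalize both sides (strip punctuation, lower-case) if a known answer fails to match.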
In a new “How I Did It,” Katie Palmer of STAT with Todd Feathers and Simon Fondrie-Teitler of The Markup describe how they got the story and what surprised them most.
Responses have been lightly edited for brevity and clarity.
How did you get the idea to look into telehealth companies?
Palmer: I’ve been tracking direct-to-consumer health care companies for about six months at STAT, and started noticing a proliferation of quizzes and surveys collecting medical information. The Markup had done great work showing the information sent via trackers on hospital sites, and I wondered if the same was the case here. I used their Blacklight tool to do a preliminary analysis of some of these telehealth websites and saw way higher than average numbers of trackers appearing on several of them. That’s when we reached out [to The Markup] and set up a more formal collaboration to see what information might actually be collected by those trackers.
How did you choose which telehealth companies to target?
Palmer: We wanted to focus on direct-to-consumer sites, not telehealth sites you’ll be directed to by your existing provider. Generally, they’re ones that focus on subspecialties of care, like migraine or reproductive health, prescription-focused for the most part. We didn’t want to use telehealth companies that provided primary care, urgent care or more comprehensive care, the idea being that the more specific your target as a patient, and the concerns you’re going to these companies for, the greater the potential risk to the patient in terms of exposure of their health information.
This investigation found more than just the Meta Pixel tracker you reported on earlier, including ones from Google, TikTok and other social media apps. Was that surprising?
Feathers: I guess it shouldn’t have been that surprising, but I wasn’t expecting Pinterest or LinkedIn trackers, for example, on these sites, or even the TikTok ones. We didn’t start out to go looking for them. We were just playing around on these sites and started to see that a number of them were sending information to these various platforms.
Fondrie-Teitler: When we were doing the hospital article, we noticed the presence of some of these others, specifically Google Analytics, but it was out of scope for that story. When we went back in, we were very interested in all of these. Some of the ones that were there I hadn’t thought about, or hadn’t thought about as being big in the advertising space, LinkedIn in particular. Pinterest I know is big but not in the worlds that I’m in, so that was somewhat surprising to me. I think they got added [to the sites] the same way all of these other trackers got added, which for advertising-focused ones, is they wanted to advertise on these platforms, and this is a step that the platforms push you to do in order to track conversions and see how ads are performing. Or they want analytics and they’ve put some trackers in.
Palmer: What was surprising to me was not the trackers being there but the level of detail being sent by some of them. The same level of detailed information was being sent by the Meta Pixel as some of these other trackers.
Fondrie-Teitler: There are specific pieces of information set up to be sent, much more so than we saw with hospitals. With the hospitals, there is some default information that the Meta Pixel will send to Facebook and if you don’t change anything about that, a set of things will get sent. In this case, it seemed like someone or some piece of software had configured the various pixels to specs and information above the default.
What were you most alarmed by when you were reporting this story?
Feathers: For me it was the lack of understanding on the part of all these telehealth companies about what they were actually doing on their websites, not only the fact that they installed these trackers, and the trackers were collecting medical information, but when we came to these companies, we presented them with really detailed findings, including screenshots and descriptions. We had to go back a couple of times and explain to them that no, the information you’re sending is not anonymous and it doesn’t prevent companies from connecting it to user profiles.
Palmer: I didn’t expect to see those really detailed answers being sent in full in some cases, and on top of that, patients not necessarily realizing that their information is being shared this way. The privacy policies for each company usually say that sharing is happening, but our sources expressed extreme skepticism that any average consumer or patient understands that if it says it’s HIPAA-compliant, that doesn’t mean the medical information they’re sharing isn’t uniformly protected.
Fondrie-Teitler: The other thing that surprised me is…how these companies are structured. The site that you go to is one entity, and there are subproviders set up just to deal with running the website. Because of various state laws, marketing and providing care are split up into multiple entities, and that has HIPAA implications.
What cautions would you offer people using these sites?
Palmer: It’s truly a benefit-risk calculation that everybody needs to run themselves. People do need to access care quickly, easily and more affordably, and these sites in many cases do offer that. … We need better top-down approaches, regulatory or otherwise, to protect information online in a more transparent and understandable way so people can make that informed decision.
Fondrie-Teitler: Some browsers do a better job of lowering the level of tracking. Firefox and Safari will block or stop certain types of tracking from happening by default. There are also add-ons you add to your browser. uBlock Origin is an ad blocker that also comes by default with some blocking capabilities. Privacy Badger is an extension that will specifically block certain types of tracking. Browsers like Brave and DuckDuckGo are more focused on privacy.