This article was originally published by The Defender — Children’s Health Defense’s News & Views Website.
Google, Microsoft, Facebook, TikTok and the majority of medical and healthcare websites illegally harvest and sell private health information despite a federal crackdown on the practice, according to a new cybersecurity report.
The report, by Toronto-based cybersecurity firm Feroot Security, analyzed hundreds of healthcare websites and found that more than 86% are collecting private data and transferring it to advertisers, marketers and Big Tech social media companies without user consent and in violation of privacy laws.
As patients or consumers browse their favorite or trusted medical websites or sign in to hospital portals to access their private health records, invisible bits of HTML code — called “tracking pixels” — embedded on the websites harvest private information, such as whether patients have cancer, erectile dysfunction or are behind on their hospital bill.
The information is repackaged and sold for a variety of uses, including to companies that target individual users with internet ads, according to the report.
The risk of having personal data scraped is particularly high on log-in and registration pages where internet users supply troves of information, unaware it is being hijacked and sold. More than 73% of log-in and registration pages have invisible trackers that pirate personal health information, the study found.
Approximately 15% of the tracking pixels analyzed by Feroot record users’ keystrokes, harvesting social security numbers, usernames and passwords, credit card and banking information, and an infinite variety of personal health data, including medical diagnosis and treatment.
The study showed that “Google is the absolute dominant collector” of data. Ninety-two percent of the websites loaded on the Google search engine contained data-harvesting technology across wide sectors of the U.S. economy including healthcare and telehealth, banking and financial services, airlines, e-commerce, and the federal and state governments.
The number two offender was Microsoft with 50.4% of websites on its platform hiding tracking tools, with Facebook next at 50.2% percent and TikTok at 7.41% percent and growing fast.
Google, as the driver of its parent Alphabet, the world’s fourth largest company, is often called “the most powerful company in the world.” It counts on advertising, a lifeblood of the global digital economy, for 80% of its revenue.
Microsoft and Facebook “round up the Top 3” of companies that systematically breach data, the report said. Representatives of Google, Microsoft, and Facebook denied their companies used tracking pixels to harvest personal data.
Website owners are responsible for controlling data collection, a Google spokesperson said. Google policy prohibits Google Analytics and advertising customers, including for example hospital or telehealth websites, from collecting health data in violation of the U.S. Health Insurance Portability and Accountability Act (HIPAA). It’s up to the websites to determine “whether they are HIPAA-regulated entities and what their obligations are under HIPAA,” Google policy says.
Personal health data collected by a tracker or third party without a user’s consent is a violation of HIPAA, said Feroot CEO Ivan Tsarynny.
Big Tech companies “do have policies that talk about protecting health info,” Tsarynny said. But “the real-world application of these policies is a different story.”
Feroot’s study comes as “concern grows regarding data mining companies using pixels/trackers that load into browsers from websites to collect privacy and sensitive user data,” the report stated.
“Compliance regulators and government authorities are increasingly stepping in with bans, restrictions, and executive orders to curb them.”
Eighteen major hospital systems were sued this year for sharing patients’ sensitive health data with Google, Facebook and other tech giants in violation of privacy laws, according to Becker’s Hospital Review.
They include prominent academic medical centers such as the University of Pittsburgh Medical Center, the University of Chicago Medical Center, the University of Iowa Medical Center, Chicago-based Northwestern Memorial Hospital and the University of California San Francisco Medical Center.
Prompted by growing concerns over data theft and the article, “‘Out of Control’: Dozens of Telehealth Startups Sent Sensitive Health Information to Big Tech Companies,” Feroot launched an investigation “to ascertain the exact magnitude and pervasiveness of social media pixels/trackers collecting and transferring personal, sensitive, and private data using pixels or trackers.”
The security platform Feroot sells to companies “made it possible to get detailed facts regarding active client-side e-skimming,” the company said.
Feroot collected data on pixels/trackers during an eight-week period in January and February.
The company said it examined more than 3,675 organizations with unique websites in seven economic sectors. It studied 108,836 unique web pages, including especially vulnerable login, registration and credit card processing pages, 227 trackers and 7 million data transfers.
Key findings from ‘Beware of Pixels & Trackers’:
- Pixel trackers are “common and abundant” — an average of 13.16 pixels/trackers were found per website, “with Google, Microsoft, Meta (owner of Facebook), ByteDance (owner of TikTok), and Adobe being some of the most common.”
- “Mission-critical” webpages, such as log-in or registration pages, increase the risk of exposing private information. An average of 5.96% of websites had pixels/trackers on webpages reading user input forms containing privacy or sensitive data.
- Pixel trackers transfer data to foreign locations around the globe — “about 5% of the data transferred by pixels/trackers loaded from US-based websites is sent outside the US.”
- Pixel trackers collect and transfer data without first obtaining the explicit consent of visitors.
- Pixels and trackers are loading from domains banned by the U.S. government and various U.S. states and even from some of those same governments, including Russia and China. Data obtained by Russian and Chinese websites is a security risk from surveillance and spying.
- Meta (owner of Facebook and Instagram) and TikTok, owned by Chinese company ByteDance, were “particularly worrisome” for privacy invasion and surveillance risks. Thirty-four U.S. states, both Republican and Democratic-controlled, have banned the use of TikTok on government devices. Montana in May banned the app on all personal devices.
- TikTok is often present whether or not the TikTok app is deleted. TikTok pixels/trackers can still “load into webpages handling mission-critical user data and can collect and transfer it.”
GoodRX case highlights corporate deceit around data-sharing
While corporations face losing profit and reputation from data breaches or fines for causing them, individuals face a potentially catastrophic loss of privacy when major health websites harvest and sell their information, according to the Federal Trade Commission (FTC).
The action to “bar GoodRx from sharing consumers’ sensitive health information for advertising” was the FTC’s first enforcement action under its Health Breach Notification Rule.
“Digital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information,” FTC Bureau of Consumer Protection Director Samuel Levine said in a news release after the settlement. “The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.”
The FTC enforcement against GoodRx revealed a particularly egregious, yet not uncommon, example of how corporate health and medical websites betray patient trust and manipulate patient data, the FTC said.
According to the FTC’s complaint, GoodRx violated the law by improperly sharing sensitive personal health information since at least 2017, though it promised otherwise.
The company “deceptively promised its users that it would never share personal health information with advertisers or other third parties,” the FTC charged, and deceptively displayed a seal at the bottom of its telehealth services homepage “falsely suggesting to consumers that it complied with … HIPAA.”
In reality, the FTC complaint said, GoodRx “monetized its users’ personal health information, and used data it shared with Facebook to target GoodRx’s own users with personalized health- and medication-specific advertisements on Facebook and Instagram.”
For example, GoodRx in August 2019 made lists of its users “who had purchased particular medications such as those used to treat heart disease and blood pressure, and uploaded their email addresses, phone numbers, and mobile advertising IDs to Facebook so it could identify their profiles,” according to the complaint.
“GoodRx then used that information to target these users with health-related advertisements.”
People who accessed GoodRx coupons to purchase, for instance, Viagra would see ads for erectile dysfunction medication on their Facebook or Instagram page ads, the FTC says.
“Similarly, people who had used GoodRx’s telehealth services to get treatment for sexually transmitted diseases would get ads for STD testing services.”
GoodRx disclosed to Facebook the medication purchase data it receives from pharmacy benefit managers and also used the data to target ads.
By using Facebook’s ad targeting platform, the FTC said, “GoodRx designed campaigns that targeted customers with ads based on their health information. For example, if a customer had revealed a possible erectile dysfunction issue to GoodRx, they might have seen an ad on Facebook like Exhibit A in the FTC complaint.”
Howard Danzig, founder and president of Employers Committed to Control Health Insurance Costs, said “fining GoodRx just $1.5 million dollars is not even a slap on the wrist. While many employers are so vigilant about respecting the guidelines of the HIPAA privacy laws, large tech companies basically get a pass.”
“How about major penalties for Facebook, Google and any others who were the beneficiaries of this information?” he wrote on his LinkedIn page with almost 9,000 followers.
“How about determining whether or not there were any criminal violations that should be pursued against the individuals who actually collaborated to do this? How about ‘REPARATIONS’ from the companies involved to the people and customers whose privacy was breached?”
The data breach occurred for “advertising purposes,” he noted. “How far afield can this really be taken and how far afield has it been taken?”