It’s not just GoodRx; hospitals sell patient data too
A lawsuit filed against Cedars-Sinai claims that the hospital shared patient data, including medical information, with Facebook’s parent company Meta through ad targeting service Meta Pixel.
The lawsuit alleges that when Pixel was implemented into Cedars’ website, Meta gained access to patients’ data — including the medical treatments and the specialty of the physicians they sought — and enabled marketing entities to use the info to target them with advertising.
“By way of illustration, if a patient made an appointment with a doctor for treatment of cancer, the tracking code Cedars-Sinai put on its website conveyed that information to Meta, which in turn allowed Meta to include that patient in marketing target groups that it offered to its other advertising clients who wanted to market to cancer patients,” the complaint stated.
HHS has issued a HIPAA reminder that “regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors.” In court documents, however, Cedars lawyers argue that using the tracking technology is part of the hospital’s adherence to the HHS’ HITECH Act, claiming the provider’s website analytics practices “promote ‘meaningful use’ by helping to drive patients to the Cedars-Sinai website and to its patient portal.”
Data trackers are everywhere
Meta’s data tracker is one of many on the market today that companies use to gain insight into consumer behavior, allowing them to optimize their products and services for maximum sales.
“It’s a pure monetization play,” Eric Perakslis, chief science and digital officer at the Duke Clinical Research Institute, tells The Markup. “And yes, everybody else is doing it, it’s the way the internet works.… But I think that it’s out of step with medical ethics, clearly.”
The lawsuit is one of a string of similar lawsuits against healthcare companies, including Advocate Aurora, WakeMed, and Novant Health, that leaked patient information through data trackers.
A recent investigation indicates there might be more to come.
STAT and The Markup looked into telehealth companies’ use of data trackers and found that of the 50 telehealth websites investigated, 49 used data trackers that collected a range of information including names, emails, phone numbers, URLs visited, and even answers to intimate medical questionnaires regarding addiction and mental health.
The Cedars-Sinai lawsuit claims that once tech companies have this data, they can sell it to their advertising clients. And it’s true: HIPAA has no jurisdiction over tech companies, only health providers and institutions, leaving a huge gap in the protection of our health information.
The FTC tries to fill the gap
The FTC recently enforced the 2009 Health Breach Notification Rule (HBNR) for the first time after accusing GoodRx of sharing patient data without letting patients know. The company settled for a hefty fine.
Related story: FTC fines GoodRx $1.5 million for allegedly selling users’ health information
But the HBNR has its limitations: to begin with, it only applies after a breach occurs.
“I think the FTC would have lost this case” if it had gone to trial, said Clinton Mikel, partner at the Health Law Partners.
Others see the settlement as a step in the right direction.
“This is a huge deal,” Andrea Downing, a health privacy advocate and co-founder of patient support network Light Collective, told Gizmodo. “A lot of folks simply assume that all of your health information is covered by HIPAA. It’s not. This is a breakthrough I’ve been hoping for for years.”