A bipartisan group of senators fiercely criticized several prominent telehealth startups for failing to protect sensitive health information, citing an investigation by STAT and The Markup which found dozens of telehealth companies sharing patient data with Facebook, Google and other major advertising platforms.
“This data is extremely personal, and it can be used to target advertisements for services that may be unnecessary or potentially harmful physically, psychologically, or emotionally,” wrote Sens. Amy Klobuchar (D-Minn.), Susan Collins (R-Maine), Maria Cantwell (D-Wash.) and Cynthia Lummis (R-Wyo.) in letters sent this month to telehealth companies Monument, Workit Health, and Cerebral requesting information on their data sharing policies.
The investigation by STAT and The Markup examined the data-sharing practices of 50 direct-to-consumer telehealth companies, including Workit, Monument, and Cerebral. Specifically, the investigation examined what data is shared as companies use trackers from big tech companies — including Meta, Google, TikTok, Microsoft, and Twitter — to target advertisements and follow consumer browsing and buying patterns online.
For patients visiting online health care platforms, that data can be deeply personal. On 13 of the 50 websites, STAT and The Markup found at least one tracker from major social media and search engine companies that collected patients’ answers to medical questions. Trackers on 25 sites informed at least one big tech platform when users added prescription drugs and other items to their cart, or when they checked out with a subscription for a treatment plan.
Patients who visited Workit’s website seeking addiction treatment, for example, were presented with a simple intake form that asked about current opioid and alcohol use, self-harm, and methadone use. The investigation found responses to that survey, along with other personal information, were sent to Facebook. Presented with those findings, Workit said it adjusted how it was using the trackers.
The letters come just days after the Federal Trade Commission reached a $1.5 million settlement with the telehealth services market GoodRx for sharing users’ health data with Facebook, Google and others for advertising. And it follows a lawsuit filed Jan. 5 against another telehealth company examined in the STAT and The Markup investigation, Hey Favor, as well as Fullstory, Meta, and ByteDance, the company behind Tiktok.
Much of the information shared by such trackers is not protected by the Health Insurance Portability and Accountability Act, the decades-old patient privacy law that was crafted long before virtual care was an option. Still, health privacy experts and former regulators said sharing such sensitive medical information with advertising platforms undercuts patient privacy and trust — and in some cases, could run afoul of fair business laws.
In letters to executives at the three companies, the lawmakers demanded a list of all third-party platforms they’ve shared user information with over the past three years, along with details about what types of user information they shared. On 35 of the 50 websites, STAT and The Markup found trackers sending individually identifying information to at least one tech company, including names, email addresses, and phone numbers.
Two of the companies targeted by lawmakers — Workit Health and Cerebral — offer online prescriptions of controlled substances, which has been allowed under loosened federal rules during the pandemic. Under federal law, some addiction treatment providers are held to patient privacy standards even stricter than those set out in patient privacy law HIPAA. For example, the physician group Workit uses for patient care states it is forbidden from acknowledging “to anyone outside of the program that you are a patient or disclos[ing] any information identifying you as a substance use disorder patient” except in narrow situations.
The senators — who gave a deadline of Feb. 10 for the companies to respond — explicitly asked all three companies whether they have ever shared information with a third-party service that could identify their users as someone seeking treatment for addiction, substance use disorder, or a mental health condition.
They also also noted that telehealth is an increasingly popular option to expand access to health care for rural and underserved patient communities.
“This access should not come at the cost of exposing personal and identifiable information to the world’s largest advertising ecosystems,” they wrote.
The Markup’s Todd Feathers and Simon Fondrie-Teitler contributed reporting.