Telehealth startups sent sensitive health data to big tech companies

Open the site of Workit Health, and the path to treatment begins with a simple intake form: Are you at risk of hurting yourself or others? If not, what’s your current opioid and alcohol use? How much methadone do you use?

Within minutes, patients looking for online treatment for opioid use and other addictions can finish the evaluation and book a video visit with a provider certified to prescribe suboxone and other drugs.

But what patients probably do not know is that Workit was sending their delicate, even intimate, answers about drug use and self-harm to Facebook.


A joint investigation by STAT and The Markup of 50 direct-to-consumer telehealth companies like Workit found that quick, online access to medications often comes with a hidden cost for patients: Virtual care websites were leaking sensitive medical information they collect to the world’s largest advertising platforms.

On 13 of the 50 websites, STAT and The Markup documented at least one tracker (from Meta, Google, TikTok, Bing, Snap, Twitter, LinkedIn, or Pinterest) that collected patients’ answers to medical intake questions. Trackers on 25 sites, including those run by market leaders Hims & Hers, Ro, and Thirty Madison, told at least one big tech platform that the user had added an item like a prescription medication to their cart, or had checked out with a subscription for a treatment plan.


The trackers that STAT and The Markup were able to detect, and what information they sent, is a floor, not a ceiling. Companies choose where to install trackers on their websites and how to configure them. Different pages of a company’s website can have different trackers, and this analysis did not test every page on each company’s site.

All but one website examined sent URLs users visited on the site and their IP addresses (comparable to a mailing address for a computer, which can be used to link information to a specific patient or household) to at least one tech company. The only telehealth platform that the analysis did not find sharing data with outside tech giants was Amazon Center, a platform recently launched by Amazon.

Health privacy experts and former regulators said sharing such sensitive medical information with the world’s largest advertising platforms threatens patient privacy and trust and could run afoul of unfair business practices laws. They also emphasized that privacy regulations like the Health Insurance Portability and Accountability Act (HIPAA) were not built for telehealth. That leaves “ethical and ethical gray locations” that allow for the legal sharing of health-related data, said Andrew Mahler, a former investigator at the U.S. Department of Health and Human Services’ Office for Civil Rights.

“I believed I was at this point difficult to shock,” said Ari Friedman, an emergency medicine doctor at the University of Pennsylvania who researches digital health privacy. “And I discover this especially stunning.”

In October and November, STAT and The Markup signed up for accounts and completed onboarding forms on 50 telehealth websites using a fictional identity with dummy email and social media accounts. To determine what data was being shared by the telehealth sites as users completed their forms, reporters examined the network traffic between trackers using Chrome DevTools, a tool built into Google’s Chrome browser.
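A site operator can run the same kind of check on its own pages by exporting the DevTools network log as a HAR file and searching outbound requests for the test persona's data. The script below is an added example, not the reporters' tooling; the hosts, parameter names, persona and answers are all constructed for illustration.

```python
"""Audit a HAR export for form data that leaves the site for third-party hosts."""
import hashlib
import json
from urllib.parse import parse_qsl, urlsplit

FIRST_PARTY = "telehealth.example"  # constructed site under test
# Constructed test persona and the answers typed into the intake form.
IDENTITY = {"email": "mark.test@example.com", "phone": "5555550100"}
ANSWERS = ["more than half the days", "methadone"]


def sha256_hex(value):
    """SHA-256 of an identifier after the usual normalisation (trim, lower-case)."""
    return hashlib.sha256(value.strip().lower().encode("utf-8")).hexdigest()


def flatten(obj, path=""):
    """Yield (dotted.path, scalar-as-string) pairs from decoded JSON."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from flatten(val, f"{path}.{key}" if path else str(key))
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from flatten(val, f"{path}[{i}]")
    else:
        yield path, "" if obj is None else str(obj)


def request_fields(request):
    """Yield every (name, value) a HAR request carries in its query string or body."""
    yield from parse_qsl(urlsplit(request["url"]).query, keep_blank_values=True)
    post = request.get("postData") or {}
    text, mime = post.get("text") or "", post.get("mimeType") or ""
    if post.get("params"):
        for param in post["params"]:
            yield param.get("name", ""), param.get("value", "")
    elif "json" in mime:
        try:
            yield from flatten(json.loads(text))
        except ValueError:
            yield "body", text
    elif "x-www-form-urlencoded" in mime:
        yield from parse_qsl(text, keep_blank_values=True)
    elif text:
        yield "body", text


def classify(value, identity, answers, first_party):
    """Return the leak categories one transmitted value falls into."""
    low, kinds = value.lower(), set()
    for ident in identity.values():
        if ident.lower() in low:
            kinds.add("plaintext_identifier")
        if sha256_hex(ident) in low:  # the hash is as searchable as the plaintext
            kinds.add("hashed_identifier")
    if any(answer.lower() in low for answer in answers):
        kinds.add("intake_answer")
    if first_party in low:
        kinds.add("page_url")
    return kinds


def audit_har(har, identity=IDENTITY, answers=ANSWERS, first_party=FIRST_PARTY):
    """Return sorted (host, field, kind) findings for requests to other hosts."""
    findings = set()
    for entry in har["log"]["entries"]:
        request = entry["request"]
        host = urlsplit(request["url"]).hostname or ""
        if host == first_party or host.endswith("." + first_party):
            continue  # what the site itself receives is out of scope here
        for name, value in request_fields(request):
            for kind in classify(value, identity, answers, first_party):
                findings.add((host, name, kind))
    return sorted(findings)


# Constructed HAR fragment: one first-party submission, two third-party beacons.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "POST", "url": "https://telehealth.example/api/intake",
                 "postData": {"mimeType": "application/json",
                              "text": json.dumps({"q1": "More than half the days"})}}},
    {"request": {"method": "GET", "url":
                 "https://tracker.example/event?ev=ButtonClick"
                 "&label=More+than+half+the+days"
                 "&dl=https%3A%2F%2Ftelehealth.example%2Fintake%2Fmood"
                 "&em=" + sha256_hex(IDENTITY["email"])}},
    {"request": {"method": "POST", "url": "https://ads.example/collect",
                 "postData": {"mimeType": "application/json", "text": json.dumps(
                     {"event": "add_to_cart",
                      "user": {"email": "Mark.Test@example.com"}})}}},
]}}

if __name__ == "__main__":
    for finding in audit_har(SAMPLE_HAR):
        print(finding)
```

Because the auditor knows the persona's e-mail address, it can recognise the hashed copy as easily as the plaintext one. Like the reporters' results, an empty report only covers the pages and form steps that were actually exercised while recording.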

On Workit’s website, for example, STAT and The Markup found that a piece of code Meta calls a pixel sent responses about self-harm, drug and alcohol use, and personal information (including first name, email address, and phone number) to Facebook.

The investigation found trackers collecting information on websites that sell everything from addiction treatments and antidepressants to pills for weight loss and migraines. Despite efforts to trace the data using the tech companies’ own transparency tools, STAT and The Markup could not independently confirm how or whether Meta and the other tech companies used the data they collected.

After STAT and The Markup shared detailed findings with all 50 companies, Workit said it had changed its use of trackers. When reporters tested the website again on Dec. 7, they found no evidence of tech platform trackers during the company’s intake or checkout process.

“Workit Health takes the personal privacy of our members seriously,” Kali Lux, a spokesperson for the company, wrote in an email. “Out of an abundance of care, we chose to change the use of a number of pixels for now as we continue to assess the concern.”

“Advertisers ought to not send out sensitive information about people through our Company Tools,” Dale Hogan, a spokesperson for Meta, wrote in an email.

Patients may assume that health-related data is always protected by privacy regulations including HIPAA. Workit, for one, begins its intake form with a promise that “all of the information you share is kept personal and is safeguarded by our HIPAA-compliant software application.”

“The very reason people pursue some of these services online is that they’re looking for personal privacy,” said David Grande, a digital health privacy researcher at the University of Pennsylvania.

But the reality online is more complicated, making it all but impossible for the average user to know whether the company they’re entrusting with their data is obligated to protect it. “Separately, we have a sense that this information needs to be safeguarded,” said Mahler, who is now vice president of privacy and compliance at CynergisTek, a health care risk auditing company. “However then from a legal and a regulative point of view, you have companies stating … technically, we do not have to.”

Rather than providing care themselves, telehealth companies often act as intermediaries connecting patients to affiliated providers covered by HIPAA. As a result, information collected during a telehealth company’s intake may not be protected by HIPAA, while the same information given to the provider would be.

“All the personal privacy dangers exist, with the incorrect however totally sensible impression of security,” said Matthew McCoy, a medical ethics and health policy researcher at the University of Pennsylvania. “That’s a truly harmful mix of things to require the typical customer to offer with.”

In response to questions for this story, representatives of Meta, Google, TikTok, Bing, Snap, and Pinterest said advertisers are responsible for ensuring they aren’t sending sensitive information via the tools. Twitter did not respond to requests for comment.

“Doing so protests our policies and we inform advertisers on correctly establishing Company tools to prevent this from taking place,” wrote Meta’s Hogan. “Our system is created to filter out possibly sensitive data it is able to find.”

LinkedIn’s tracker “gathers URL information which we instantly secure when it reaches our servers, erase within 7 days and do not include to a profile,” Leonna Spilman, a spokesperson for the company, wrote in an email.

However, 3 of the 7 big tech companies also said they had taken action to investigate or stop the data sharing.

Google is “presently examining the accounts” in question, spokesperson Elijah Lawal wrote in an email.

“In reaction to this brand-new information, we have actually stopped briefly data collection from these advertisers’ websites while we examine,” Snap spokesperson Peter Boogaard wrote in an email.

Pinterest “offboarded the companies in concern,” spokesperson Crystal Espinosa wrote in an email.

A boom market on the edge of the law

Together, the companies in this analysis reflect an increasingly competitive, and lucrative, direct-to-consumer health care market. The promise of a streamlined, private prescription process has helped telehealth startups raise billions as they seek to capitalize on a pandemic-driven boom in virtual care.

Hims & Hers, one of the biggest players in the space, is now a publicly traded company valued at more than $1 billion; rival Ro has raised $1 billion since its founding in 2017, with investors valuing the company at $7 billion. Thirty Madison, which runs several telehealth companies focused on different medical needs, is valued at more than $1 billion.

The market’s rapid growth has been boosted by its ability to use data from tools like pixels to target ads to increasingly specific patient populations and to put ads in front of users who have visited their site in the past. The companies we examined mostly offer care and prescriptions for conditions like migraines, sexual health, or mental health disorders rather than comprehensive primary or urgent care, which makes browsing their sites inherently sensitive.

In the same way that visiting an opioid use disorder treatment center can identify a person as an addiction patient, data about someone visiting a telehealth site that treats only one condition or offers only one medication can give advertisers a clear window into that person’s health. Direct answers to onboarding forms may be even more valuable because they’re more detailed and specific, said McCoy. “And it’s more perilous since I believe it would be all that a lot more unexpected to the typical individual that information that you put in a kind would not be safeguarded. It’s both even worse and more unforeseen.”

Consider the form for Thirty Madison’s Cove, which offers migraine medications. It prompts visitors to share information about their migraines, past diagnoses, and family history, and during our testing it sent the answers to Facebook and Google. If a user added a medication to the cart, detailed information about the purchase, including the drug’s name, dosage, and price, was also sent to Facebook, along with the user’s hashed full name, email, and phone number.

While hashing obscures those details into a string of letters and numbers, it does not prevent tech platforms from linking them to a specific person’s profile, which Facebook explicitly says it does before discarding the hashed data.

[Screenshot: A Google tracker collects answers to medical screening questions on Cove’s site.]

[Screenshot: A tracker tells Facebook when a user adds a medication to the cart. It also sends the user’s hashed name, email, and phone number.]

“It’s a pure money making play,” said Eric Perakslis, chief science and digital officer at the Duke Clinical Research Institute. “And yes, everyone else is doing it, it’s the method the web works. … However I believe that it’s out of action with medical principles, plainly.”

In particular, experts worry that health data could be used to target patients in need with ads for services and therapies that are unnecessary or even harmful.

The big tech platforms that responded for this story say they do not allow targeted advertising based on specific health conditions, and some telehealth companies said they only use the data collected to measure the success of their advertising. However, as The Markup has previously reported, advertisers may still be able to target ads on Facebook using terms that are close proxies for health conditions.

On 35 of the 50 websites, STAT and The Markup found trackers sending individually identifying information to at least one tech company, including names, email addresses, and phone numbers.

That presents patients with a dilemma. “It needs anybody that desires to capitalize of telehealth … to expose a lot of the exact same information that they would expose within a safeguarded health care relationship,” said Woodrow Hartzog, a privacy and technology law professor at Boston University, but without the same protections.

In recent months, regulators have begun cracking down on the indiscriminate collection and sale of personal health data.

After issuing a warning to businesses about selling health information in July, the Federal Trade Commission sued data broker Kochava, alleging that the company put consumers at risk by failing to protect location data that could reveal sensitive information about people’s health, such as a visit to a reproductive health center or addiction recovery center. Kochava has asked for the case to be dismissed and countersued the FTC.

Meta has also come under considerable scrutiny, including congressional questioning, following a Markup investigation that found its pixels sending patient data from hospitals’ websites. Meta is also facing a large class-action lawsuit over the breaches.

The increased attention reflects growing fears about how health data may be used once it enters the black boxes of corporate data warehouses, whether it originates from a hospital, a location tracker, or a telehealth website.

“The health data market simply continues to kind of spiral out of control, as you’re seeing here,” said Perakslis.

But thanks to their business structures, many of the companies behind telehealth websites appear to be operating on the fringes of health privacy regulations.

‘It does appear misleading’

When users visit Cerebral, a mental health company whose prescribing and business practices came under federal investigation this year, they are required to answer a series of “scientifically checked questions” that can cover a wide range of conditions, including depression, anxiety, bipolar disorder, and sleeping disorders. During testing, with every response (such as clicking a button to indicate feeling depressed “majority the days” over the last 2 weeks) a pixel sent Facebook the text of the answer button, the specific URL the user was visiting when clicking the button, and the user’s hashed name, email address, and phone number.

At a doctor’s office, that kind of information collected on an intake form would likely be subject to HIPAA. But as with most of the telehealth companies in this analysis, Cerebral Inc. itself does not provide care; its website connects patients with providers like those employed by Cerebral Medical Group, P.A. and others. While those medical groups are HIPAA-covered entities that cannot share protected health information with third parties except under narrow circumstances, Cerebral claims in its privacy policy to be a go-between that is not covered by HIPAA, except in limited cases when it acts as a business associate of a medical group, pharmacy, or laboratory.

Cerebral did not answer detailed questions that would clarify what these cases might be. But in a Nov. 30 email, spokesperson Chris Savarese said the company would change its use of tracking tools. “We are getting rid of any personally recognizable information, consisting of name, date of birth, and postal code from being gathered by the Meta Pixel,” he wrote.

However, when STAT and The Markup tested Cerebral’s website again on Dec. 7, reporters found that a Meta Pixel was still sending answers to some intake questions and hashed names to Facebook, and trackers from Snap and Pinterest were also collecting hashed email addresses.

[Screenshot: A Facebook tracker collected answers from a Cerebral intake form during an October test by STAT and The Markup.]

[Screenshot: During a December test, a Facebook tracker was still collecting Cerebral’s intake form answers.]

The telehealth companies that responded to detailed questions said their data-sharing practices adhered to their privacy policies. Those kinds of policies often include notice that some, but not all, health data shared with the site is subject to HIPAA. Several companies responded that they were careful to ensure that data shared via third-party tools was not considered protected health information.

But the structure of the companies’ businesses, and the inscrutable language in their privacy policies and terms of use, make it hard for consumers to know what data would qualify as protected, and when.

“There is a lot intransparency, and that makes it complicated and perhaps even misleading for customers,” said Sara Gerke, a professor of health law and policy at Penn State Dickinson Law.

Several telehealth companies claimed that the information collected from their websites was not personally identifiable because it was hashed. HIPAA allows health information to be shared when it has been de-identified. However, hashing does not anonymize data for the tech platforms that receive it and match it to user profiles. And every data packet sent by a tech company’s tracker includes the user’s IP address, which is one of several unique identifiers that explicitly qualify health data for protection under HIPAA.
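The point made here and in the Cove passage above, that a hashed identifier still links to a profile, can be seen in a few lines. This is an added illustration, not code from any platform or from the article: the `Platform` class, site names, profile IDs and addresses are constructed, and the keyed-hash contrast goes beyond what the article describes.

```python
import hashlib
import hmac


def normalise(email):
    """Trim and lower-case, so every sender derives the same digest."""
    return email.strip().lower()


def unkeyed_hash(email):
    """Plain SHA-256: anyone who already holds the address can recompute it."""
    return hashlib.sha256(normalise(email).encode("utf-8")).hexdigest()


def keyed_hash(email, site_secret):
    """HMAC-SHA-256 under a secret only the sending site holds (added contrast)."""
    return hmac.new(site_secret, normalise(email).encode("utf-8"),
                    hashlib.sha256).hexdigest()


class Platform:
    """Constructed stand-in for a recipient that knows its own users' e-mails."""

    def __init__(self, accounts):
        # accounts maps e-mail address -> profile id; index it by digest once.
        self.index = {unkeyed_hash(addr): pid for addr, pid in accounts.items()}
        self.events = {}      # profile id -> list of (site, event)
        self.unmatched = []   # events whose identifier matched no profile

    def receive(self, site, hashed_email, event):
        """Attach an incoming event to a profile if the digest is recognised."""
        profile = self.index.get(hashed_email)
        if profile is None:
            self.unmatched.append((site, event))
        else:
            self.events.setdefault(profile, []).append((site, event))
        return profile


def demo():
    platform = Platform({"mark.test@example.com": "profile-1001",
                         "someone.else@example.com": "profile-1002"})
    # Two unrelated (constructed) sites send the same person's hashed e-mail.
    first = platform.receive("migraine-site.example",
                             unkeyed_hash("  Mark.Test@Example.com"),
                             "AddToCart")
    second = platform.receive("mood-site.example",
                              unkeyed_hash("mark.test@example.com"),
                              "answer: more than half the days")
    # A digest keyed with a secret the recipient never sees cannot be joined.
    third = platform.receive("mood-site.example",
                             keyed_hash("mark.test@example.com",
                                        b"constructed-site-secret"),
                             "answer: more than half the days")
    return first, second, third, platform


if __name__ == "__main__":
    first, second, third, platform = demo()
    print(first, second, third)
    print(platform.events)
```

The unkeyed digest works as a join key precisely because the recipient can compute it too, so it pseudonymises the value only against parties that do not already hold the address.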

Further complicating decisions for patients, at least 12 of the direct-to-consumer companies examined in this investigation promise on their websites that they are “HIPAA-compliant.” That may encourage users to believe all the data they share is protected and lead them to disclose more, said Hartzog. Yet the rules apply to the sites’ data use only in limited cases.

Monolith, a site that offers alcohol treatment, begins its intake form by stating, “Any information you go into with Monolith is 100% private, safe, and HIPAA certified.” Yet in its responses to STAT and The Markup, it said that it does not consider information sent to third parties from that form (including answers to questions like “In the previous year, have you continued to consume despite the fact that it was making you feel depressed or distressed or including to another health issue? or after having had a memory blackout?”) to be protected health information under HIPAA.

“If they’re not covered by HIPAA and they have a HIPAA-compliant badge, that looks like a case the FTC might bring,” said Justin Brookman, the director of technology policy for Consumer Reports and former policy director with the FTC, which has previously charged companies for deceptive use of HIPAA-compliant badges. “There’s a ramification there that you’re managed in specific methods, that your data is safeguarded, and so it does appear misleading.”

Such data sharing could be especially harmful to patients seeking care for substance use disorders, said Jacqueline Seitz, senior staff attorney for health privacy at the Legal Action Center, especially if it enters opaque data brokerages where it can be resold and repurposed indefinitely.

Several companies in this analysis are taking advantage of federal waivers enacted during the pandemic that allow controlled substances like suboxone, which is used to treat opioid use disorder, to be prescribed virtually. Under federal law, qualifying addiction treatment providers, including those that prescribe suboxone, are held to patient privacy standards even stricter than HIPAA. For example, Workit’s doctor group says it is prohibited from acknowledging “to anybody outdoors of the program that you are a patient or disclos[ing] any information determining you as a substance use disorder patient” except in narrow circumstances.

However, STAT and The Markup found that Workit and other telehealth companies, in their role connecting patients to providers, share information that identifies a user as someone seeking addiction treatment. On Stone Care’s site, a pixel sent Facebook our name and email when we joined a suboxone treatment program waitlist. And trackers on the website of Bike Health, another online suboxone provider, notified Google and Bing that our email address had been entered on a “registration verification” URL.

Stone Care chief operating officer Rose Bromka said the company had started improving its “site health” before being contacted for this article, and limited the information sent by the Meta pixel after reviewing our findings.

However, Bromka added that Stone still tracks some information about site visitors to guide its advertising.

“We are constantly looking to balance guaranteeing we are able to get the word out about options with holding to our worth set,” she said.

Big tech’s black boxes

Meta, Google, TikTok, Bing, LinkedIn, Snap, and Pinterest say they have policies against using sensitive health data to help target ads.

“We plainly advise advertisers not to share specific data with us and we constantly work with our partners to prevent unintended transmission of such data,” TikTok spokesperson Kate Amery wrote in an email, adding, “[W]e likewise have a policy versus targeting users based on their individual health status.”

Meta and Google claim to have algorithmic filters that identify and block sensitive health information from entering their advertising systems. But the companies did not explain how those systems work or how effective they are. By Facebook’s own admission to investigators from the New York Department of Financial Services in 2021, its system was “not yet running with total precision.”

To trace what happened to data collected by trackers, STAT and The Markup created dummy accounts logged into Facebook, TikTok, and Twitter while testing the telehealth websites. Reporters then used the platforms’ “download your data” tools in an attempt to determine whether any health information the trackers collected was added to our profiles.

The information provided by those tools was so limited, however, that STAT and The Markup could not confirm how or whether the sensitive health information was used.

For example, a Meta Pixel on RexMD, which prescribes impotence drugs, collected the name of the medication in our cart, our email, gender, and date of birth. Facebook’s transparency tool, however, only showed 10 “interactions” on RexMD’s website, with generic descriptions like “ADD_TO_CART.” It did not provide details about the specific data Facebook ingested during those interactions. A TikTok pixel collected some of that same information from RexMD, but TikTok’s report on our “use data from third-party apps and sites” had just one line: “You have no data in this area.”

Our Twitter data showed that the company knew the dummy account user had selected an item on RexMD’s website and the specific URL on which that item was selected.

On some websites, users’ data was also being collected by “custom events,” meaning that a website owner deliberately created a custom tracking label that might have a phrase such as “checkout” in it but would not necessarily show up in the tech platforms’ transparency tools.

Only 4 companies answered whether they had ever been notified by Facebook of potentially sensitive health information. Monolith and Favor had data flagged but said they determined it wasn’t sensitive. Lemonaid received a notification in error related to an advertising code, and Stone Care had received none.

Telehealth websites should be held accountable for the trackers they install, said Hartzog, the Boston University law professor. But “big platforms that are releasing these security innovations likewise require to be held liable, since they’re able to vacuum up every ounce of individual data on the web in the lack of a guideline that informs them not to.”

The companies in this investigation said their services fill an important need. “The makeup of the standard health care system has in lots of cases avoided people from accessing treatment for conditions that ought to be simple to reward,” Scott Coriell, a spokesperson for Hims & Hers, wrote in an email. Companies that serve patients with mental health or substance use disorders emphasized that long wait times to see in-person providers, and the stigma associated with seeking care, made virtual services especially valuable.

Advertising supported by third-party tracking is part of making that care accessible, some argued. “Monolith utilizes online marketing platforms to raise awareness of our evidence-based treatment for alcohol use disorder, and get people the assistance and relief they should have,” wrote CEO Michael Russell. “We send the minimum quantity of data needed to enable us to track the efficiency of our ad campaign.” Favor spokesperson Sarah Abboud argued that calling standard industry practices into question could undermine trust in those services.

But health privacy and policy experts see a disconnect between the industry’s stated focus on privacy and its data-sharing practices. “Telemedicine providers needs to have recognized from the outset that if their whole service design is to perfectly relocation people from marketing to care and the care will be online, then there’s going to be more individual recognizable information sent and hence more personal privacy danger and hence more personal privacy liability,” said Christopher Robertson, a health law and policy professor at Boston University.

One problem may be that marketing teams do not fully understand privacy regulations, and legal teams do not have a handle on how the marketing tools work.

Sara Juster, privacy officer for the weight-loss telehealth company Adjust, wrote in an email that the company does not “send out any health information gathered in our eligibility recede to platforms.” But a Meta Pixel on its site sent data including height, weight, BMI, and other diagnoses, like diabetes, to Facebook. Juster then clarified the pixel was a duplicate that should have been removed in a tracking audit earlier this year.

However, as of Dec. 7, a Meta Pixel was still present on the site and sharing hashed identifiers and checkout events with Facebook. The pixel appeared to have been reconfigured, though, to send less information than it had during our initial testing.

Without updated laws and regulations, experts said patients are left to the whims of rapidly evolving telehealth companies and tech platforms, who may choose to change their privacy policies or alter their trackers at any time.

“It does not make any sense that today, we just have defenses for sensitive health information created in specific settings,” said McCoy, “however not what can be similarly sensitive health information created in your navigation of a site, or your completing of a really comprehensive kind about your history and your prescription use.”

This article was co-reported with The Markup, a nonprofit newsroom that investigates how powerful institutions are using technology to change our society.
