Study explores how medical apps send health data to Facebook and others


Sensitive information is shared with data brokers and advertisers for the purpose of serving targeted ads, and not just by health apps and fitness trackers. HIPAA-covered entities also share health data without patient consent, exposing themselves to regulatory fines and lawsuits.

Many consumer health apps collect sensitive health data, including pregnancy and fertility trackers and personal fitness and exercise apps. These applications are fed data or directly collect this information through associated portable devices, and this information may be shared with third parties or sold, subject to the terms and conditions of use of the applications. If users don’t want to share their data, they just can’t use the apps.

However, there are growing concerns about the sharing of identifiable health data by healthcare organizations covered by the Health Insurance Portability and Accountability Act, which imposes restrictions on the use and disclosure of identifiable protected health information. It was recently discovered that many hospitals were using the Meta Pixel JavaScript code on their websites to track visitor activity and gauge the effectiveness of their Facebook marketing campaigns. In some cases, the code was included on patient portal pages and health information was transferred to Meta without consent and used by Facebook advertisers to serve targeted and personalized ads. At least two lawsuits have been filed against healthcare providers for privacy breaches, and Novant Health recently sent notices to more than 1.3 million patients whose privacy was breached.

Study explores how medical apps share health data with social media networks

A recent study explored how medical apps shared sensitive health data. The researchers selected medical apps commonly used by patients who visited social media websites, including Facebook, to find information about their health status. The study focused on five digital medicine companies and evaluated 32 different types of cross-site tracking middleware that used cookies to track individuals across the internet and shared their browsing data with Facebook for advertising and lead generation purposes. Specifically, the researchers focused on companies that provided services to patient advocates in the cancer care community who were active users of social media sites.


Patients often use social media websites to gain support from their peers, Facebook being one of the most popular. Facebook is inundated with ads related to health issues. According to the researchers, health and pharmaceutical companies spent more than $1 billion on Facebook’s mobile advertising alone in 2019. Health information revealed by patients on social media sites exposes them to these ads and allows healthcare and pharmaceutical companies to target very specific patient populations. The focus on the cancer community was because these patients were perceived to be vulnerable to online scams, medical misinformation, and privacy breaches through the use of cross-site tracking middleware. The researchers focused their study on Facebook’s advertising model, although the findings may apply to other social media platforms.

How patients are tracked and served targeted advertisements

In a typical scenario, a cancer patient signs up to use a digital medicine or genetic testing app and agrees to the terms and conditions. The patient has or signs up for a Facebook account in a separate process. Providers embed third-party tracking code on websites that share off-Facebook activity without user consent.

The provider’s off-Facebook activity is used to update the advertising interest algorithms on Facebook. Facebook’s algorithms then promote health-related ads based on users’ health interests. Vendors can target ads to users with specific health interests and may also attempt to enrich data through forms and quizzes, with lead data being passed from Facebook to the vendor’s CRM system.
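As an added example (not code from the article or the study), the following Python audit parses a page’s HTML and reports which third-party hosts its scripts, images and inline snippets call out to, flagging Meta Pixel loader and beacon hosts so a privacy team can check whether tracking code is present on authenticated portal pages. The portal hostname and the sample HTML are constructed; the tracker hostnames (connect.facebook.net, www.facebook.com) are my own list, not taken from the article.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the portal's own origin (hypothetical hostname).
FIRST_PARTY = {"portal.example-hospital.test"}
# Assumption: my own short list of ad/analytics hosts. The Meta Pixel loads
# fbevents.js from connect.facebook.net and beacons to www.facebook.com/tr.
KNOWN_TRACKERS = {"connect.facebook.net", "www.facebook.com"}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

class _Collector(HTMLParser):
    """Gathers hosts from external resource URLs and inline <script> bodies."""
    def __init__(self):
        super().__init__()
        self.hosts, self._in_script = set(), False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") if tag in ("script", "img", "iframe") else None
        if src and urlparse(src).hostname:
            self.hosts.add(urlparse(src).hostname.lower())
        self._in_script = tag == "script" and not src
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:  # pixel bootstraps are usually inline snippets
            self.hosts.update(h.lower() for h in URL_RE.findall(data))

def audit_page(html: str) -> dict:
    """Return all third-party hosts and the subset that are known trackers."""
    c = _Collector()
    c.feed(html)
    third_party = sorted(c.hosts - FIRST_PARTY)
    return {"third_party": third_party,
            "trackers": sorted(h for h in third_party if h in KNOWN_TRACKERS)}

# Constructed sample: a portal page with a first-party script, a pixel-style
# inline bootstrap and an <img> beacon fallback; the pixel id is a placeholder.
SAMPLE_PORTAL_HTML = """<html><head>
<script src="https://portal.example-hospital.test/static/app.js"></script>
<script>!function(d,u){var t=d.createElement('script');t.src=u;
d.head.appendChild(t)}(document,'https://connect.facebook.net/en_US/fbevents.js');</script>
<noscript><img src="https://www.facebook.com/tr?id=PLACEHOLDER_PIXEL_ID&ev=PageView"/></noscript>
</head><body>Appointment: oncology consult</body></html>"""

if __name__ == "__main__":
    print(audit_page(SAMPLE_PORTAL_HTML))
```

Run the same check against pages behind the login, since the article’s point is that tracking code was present on patient portal pages, not only on public marketing pages.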

Privacy policies and data sharing practices differ

Although digital medicine or genetic testing apps have privacy policies that explain how data is collected and used, in some cases the privacy policies do not match actual data sharing practices. All five apps had privacy policies, but three stated that health data would not be shared with advertisers even though it was in fact shared.

All five apps are potentially covered by the Federal Trade Commission’s health breach notification rule, and two of the app providers were CLIA-certified labs that offer genetic and clinical diagnostic testing, and are therefore bound by HIPAA. In some cases, users were tracked and data was shared even though consent was not obtained, and in some cases users were told that their health information would not be shared with Facebook or others.

A Meta spokesperson said health information should not be shared with the platform and that it has filters in place that can detect and remove health data to prevent it from being shared with advertisers; however, the filter does not detect all health data. The researchers point out that Facebook announced in November 2021 that the platform would remove all detailed ad targeting options for sensitive health information.

The researchers suggest that the practice of tracking users and sharing their data with Facebook (and potentially other social media networks) could violate federal and industry regulations, particularly the FTC’s Health Breach Notification Rule and potentially HIPAA. They also point out that since the Health Breach Notification Rule was introduced, there has been no enforcement.

“We have demonstrated that personal data and personal health data can be easily obtained without the aid of highly sophisticated cyberattack techniques, but with rather common third-party advertising tools,” the researchers said. While the study did not confirm any intentional deception by individuals, it was also unclear to what extent these companies knew that users’ health data was being monitored and passed to Facebook for the purpose of serving targeted ads.

“These marketing tools reveal a dark pattern used to track the journeys of vulnerable patients across platforms as they navigate online, in some ways unclear to companies and patient populations engaging through Facebook,” the researchers concluded. “While the digital medicine ecosystem relies on social media to recruit and grow its business through advertising-related marketing channels, these practices sometimes contradict their own privacy policies and promises to users.”

The study – Health Advertising on Facebook: Privacy and Policy Considerations – was published in the journal Patterns on August 15, 2022.
