Stirring Up a New Privacy Debate
Numerous health systems have utilized Meta’s Pixel tracking technology and inadvertently shared personal health information with Meta. Since investigative reporting revealed the practice, numerous class action lawsuits have been filed against both Meta and the health systems caught using the tool.
The Meta fiasco is merely the tip of the iceberg in shady data sharing practices that are becoming increasingly prevalent as healthcare becomes enmeshed in both retail and big tech companies. From smartphone apps for tracking fertility to Meta’s web trackers, leaky data collection is a fast-growing privacy threat to consumers. Data brokers wield increasing power in today’s data economy (aka “surveillance capitalism”) that lacks regulatory oversight and consumer protections.
There is an opportunity for new types of data commons/markets that put the consumer at the center and offer protections and equity for data producers. To reduce the impact of current unethical / inequitable data sharing practices, regulators need to take a closer look at the fairness of trade practices, monopoly power, and modernizing HIPAA for our current age.
In June 2022, The Markup revealed the results of a study it conducted of the hospitals on Newsweek’s list of the top 100 hospitals in the US and their use of a tracking tool known as the Meta Pixel. Their research found that 33 of the 100 hospitals investigated were using the Pixel, which sends a packet of information to Facebook/Meta every time a user activity is logged, including details of appointment scheduling and, in 7 cases, information from within password-protected patient portals. The investigation was part of a broader study, the Facebook Pixel Hunt, sponsored by the Mozilla Foundation, to assess the use of Pixel across the web and what data is being shared in this manner.
Based on 2020 appointment numbers for those 33 healthcare organizations (HCOs), up to 26M patient appointment details were shared with Meta. Novant Health alone may have exposed 1.3M MyChart accounts to the company due to improperly configuring the tracker.
The packet of information exposed includes user IP address and information about appointments, such as the doctor’s name and the search term used to find the doctor. They found that more granular details about the appointment such as medications, allergic reactions, and information on future appointments were also shared.
Sharing personal health information without consent or a business associate agreement (BAA) in place is a violation of the Health Insurance Portability and Accountability Act (HIPAA). In almost all cases, the hospitals did not have these agreements in place with Meta, and many of them removed the Pixel after the study was published. The Markup was unable to ascertain whether Facebook used the data to target ads or for any other commercial activities, though HCOs generally acknowledge it was utilized this way for their own marketing campaigns.
In 2019 a Wall Street Journal investigation uncovered a wide range of methods Facebook was utilizing to extract data from mobile phones. That study revealed that a number of health tracking apps were sending data to Facebook as well. It was more recently revealed that anti-abortion groups that have crisis pregnancy clinics were collecting sensitive private information via Facebook as well.
This practice received even greater attention in the wake of the unfortunate Dobbs decision by the Supreme Court last year that overruled the [admittedly problematic] Roe v. Wade precedent. A number of fertility tracking apps were implicated in tracking visits to Planned Parenthood according to research by Vice. For merely $160, purchasers could obtain a week’s worth of data on users of Planned Parenthood and where they came from as well as where they went after a visit. We shouldn’t have to explain why this is such a horrific issue given recent State activities to penalize their constituents for seeking out this kind of medical care – and rewarding the snitches.
This situation should raise many questions for the state of privacy at a moment when retail and big tech are both entering the healthcare arena. The elephant in the room is that third actor, data brokers, who monetize these data without the knowledge of the patient or consumer.
Blowback from The Markup Study
The legal blowback from the Pixel news was predictable: a spate of lawsuits against the hospitals implicated in the controversy as well as against Meta for the lack of transparency about how their tracker worked. As of October there were nearly 50 class action lawsuits filed, but the net of targets of these lawsuits is much wider than just Meta and hospitals. Video hosting websites, news outlets, streaming services, and sports sites are all included in the suits. The claimants are using the federal Video Privacy Act to pursue suits against streaming and related businesses, the rationale being that these other services are aggregating and monetizing different forms of data.
On the hospital side of the situation, a California court has consolidated several of the lawsuits brought on the basis that personal health information privacy was violated. Cedars-Sinai, Louisiana Hospitals, Northwestern Memorial, University of California San Francisco’s Dignity Health, and others have joined a rolling list of health systems named in class action lawsuits stemming from the controversy.
And there have been more privacy violations resulting in fines and similar controversies across the board. BetterHelp, the online therapy company, was ordered by the FTC to pay $7.8m from a settlement concerning the mishandling of data from 2017-2020. In late 2022 The Markup and STAT reported that 49 out of 50 telehealth companies were leaking sensitive health information to advertising platforms. The online pharmacy, GoodRx, recently settled with the FTC for $1.5M in one case of sharing sensitive user data with Alphabet, Meta, and others, and has been named in a second class action in California.
The Legal Response and HIPAA
The law offices of King and Spalding (K&S) offer insights into what the defense is going to look like for those systems implicated in the lawsuits. K&S’s advice on the first line of defense is to assess whether the Video Privacy Act can actually apply to these cases as well as whether intentionality was involved.
Health systems could use the ignorance defense and claim they were unaware that the Pixel collected this data and that they could not control whether users accepted the consent to track cookies or configured their browsers in a way that enabled data collection. (IMO this provides a bit of insight into how laws are written for technology in a manner that tends to give the benefit of the doubt to the company while shifting more of the responsibility to the consumer.) The moral of the story is for patients to be careful what they opt into on any healthcare site, and for HCOs to be far more scrupulous before using third-party cookies.
HIPAA was passed in 1996, roughly twenty-seven years ago. We are now more than two technology generations past that era; it is far beyond the time for a rewrite. Ten years ago, I was writing my first book on digital health and remember writing about big data privacy violations, which have only become more prevalent with even greater risk to consumers. Now we are seeing the rise of privacy advocates using human rights language to talk about privacy so we protect HUMANS, not just data. When the news of period trackers sharing data with anti-abortion players came out, Health and Human Services offered the following press release:
“According to recent reports, many patients are concerned that period trackers and other health information apps on smartphones may threaten their right to privacy by disclosing geolocation data which may be misused by those seeking to deny care… HHS stands with patients and providers in protecting HIPAA privacy rights and reproductive health care information…”
This means that after the fact, consumers can file a complaint with the Office of Civil Rights to seek recompense. This squarely places the burden of the responsibility on the consumer to be privacy fluent enough to change the settings on their phones and other devices since the law fails to proactively protect privacy given the way HIPAA was written in an era prior to [almost] universal connectivity to the internet and these modern activity tracking technologies.
There are important philosophical and “real-life beyond the legal” aspects to privacy and health data as well. Notions of autonomy in all their diverse framings, and trust in healthcare providers as well as in the increasingly algorithmically driven healthcare systems, are at stake. Data are used to train algorithms that are involved in making decisions about who gets care, risk profiles, willingness to pay and payment plans, and access to care. Privacy is critical to a well-functioning democracy as well.
And then there are the data brokers, oligopolies that aggregate, control, and monetize data. In the legal sphere Westlaw and Lexis (owner of Elsevier which has a major footprint in healthcare) have been the target of complaints to the Federal Trade Commission (FTC) for how they control data through privatizing and paywalling the data. Antitrust legislation is incredibly weak in the US and enables quasi-monopoly businesses to dominate the data monetization racket.
Believe it or not, the threat is bigger than Meta. In her recent book Data Cartels: The Companies That Control and Monopolize Our Information, Sarah Lamdan highlights how the privatization of vast amounts of published and unpublished, often previously open, data harms society. Among many issues is the fact that the highest quality data are now behind paywalls but mis- and mal-information is free. Low quality information can fill the void, in other words. We have seen this with vaccines in healthcare. Paywalling vast amounts of data leads to less transparency, which can harm minorities who have a higher risk of being impacted by biased data from these sources – especially after being ingested into algorithms that determine their access to care, financing, and education.
The onion of privacy is in urgent need of unpacking to understand the flows and control of data. Privacy expert Daniel Solove has been calling for a rethinking of privacy law writ large. The Pixel controversy is merely one aspect of a vast, unregulated economy with tentacles deep into healthcare and medicine. The stakes are high, but not legibly visible to citizens who remain alienated from control over their data that “has become the new oil” in that most hackneyed cliché.
Jennifer Hinkel, writing in STAT recently, called for a new framework to make health companies play fair with patient data. It is way past time. She compares the situation at present to the exploitation of Henrietta Lacks’s tissue samples and says that we can learn from the financial sector in how to provide more protections. In a previous life, I was an executive with healthbank, a Swiss company attempting to do precisely this. We failed largely due to the lack of a robust, sustainable business model, a common reason for the failure of businesses tackling patient data ownership. We need to revisit these models armed with knowledge of network effects and grassroots mobilization to take on the challenge of privacy and who benefits from the status quo.
Put simply, this is about the need to rethink health equity, innovation, and fairness in a deeply unethical health data economy.