Privacy Risks Discovered in Websites Employed to Provide Opioid Addiction Treatment and Recovery Assistance

A new report from the Opioid Policy Institute (OPI) and Legal Action Center (LAC) states that a number of websites used to provide opioid addiction treatment and recovery assistance have data sharing and privacy issues. Addiction treatment and recovery assistance are increasingly provided over the internet and through mobile applications, with the websites handling several functions. They are used to correspond with patients, conduct telehealth visits, register and screen patients, and get recommendations.

All sites that gather patient information must have strong privacy and security settings, but this is particularly vital for websites used to provide opioid addiction treatment and recovery services because of the stigma associated with drug addiction and the possibility of discrimination against individuals with substance use problems. Concerns about confidentiality often rank among people's most frequent reasons for not getting substance use disorder treatment.

At the federal level, HIPAA and other privacy regulations set stringent requirements for protecting the privacy of patient data, and many providers of substance use disorder treatment services embrace the core assurance of anonymity. Nevertheless, the confidentiality and security of the sites used by providers of these services had not been properly examined. OPI and LAC partnered for the research and examined the websites of 12 virtual care platforms over a period of 16 months, using the Blacklight tool created by The Markup to evaluate the privacy protections on the websites. The websites received 57,000 visits on average in June 2022. The Blacklight tool was used to evaluate various data collection methods, such as advertisement trackers, keylogging, session recording, third-party session cookies, and third-party tracking code, for example the code snippets supplied by Meta (Pixel) and Google (Analytics).

Although it wasn't possible to find out precisely what information the websites collected or how the collected information was used, all websites regularly used tools during the 16-month observation period that were capable of collecting and transferring sensitive data, and all sites had problems that jeopardize patient privacy. All 12 sites used advertisement trackers that could identify the people who visited the sites. 11 of the 12 websites used third-party cookies that enable the tracking of people who visit the virtual care websites.

During the 16-month period, about 50% of the sites used Meta Pixel tracking code. The Meta Pixel code snippet is used to monitor visitor activity on sites to determine preferences and trends in order to improve the user experience; however, the code snippet can record sensitive information and transfer it to Meta. In 2022, many health systems used the code on their sites and patient portals, which sent sensitive patient information to Meta without permission. In some cases, the transmitted data was allegedly used to serve people targeted advertisements related to their health conditions. Meta has a policy that requires users of Meta Pixel not to share sensitive data such as healthcare information; nevertheless, numerous healthcare companies were known to have sent patient information to Meta. In this research, 4 OUD mHealth sites were found to have transmitted identifiable data to Meta.

10 of the 12 sites used Google Analytics on their web pages, despite Google's policy that the code must not be used to collect personally identifiable information (PII) or protected health information (PHI). All 12 websites used marketing, with at least some information transmitted by all 12 companies to ad tech companies that buy and sell user information for marketing purposes. The researchers noted an increase in the use of trackers on the websites over the last 16 months. Despite the data sharing and privacy risks discovered on the websites, these OUD websites typically promoted themselves as exclusive, secure, and 100% private.
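
A site operator can run a first-pass check of their own pages for the Meta Pixel and Google Analytics snippets and other third-party resources discussed above. The following is an added example, not code from the OPI/LAC report or from Blacklight; it only reads the HTML as served, so it does not cover cookies, keylogging or session recording, and the site name, sample page and `loadScript` helper are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Script hosts for the two snippets the article names (labels are this example's own).
KNOWN_TRACKERS = {
    "connect.facebook.net": "Meta Pixel",
    "www.google-analytics.com": "Google Analytics",
}

class ResourceCollector(HTMLParser):
    """Records external resource URLs and the text of inline scripts."""
    def __init__(self):
        super().__init__()
        self.urls, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        self._in_script = tag == "script" and not src
        if src and tag in ("script", "img", "iframe"):
            self.urls.append(src)
    def handle_endtag(self, tag):
        self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

def audit_page(html, first_party):
    """Return ({tracker: how it is loaded}, [other third-party hosts])."""
    c = ResourceCollector()
    c.feed(html)
    c.close()
    named, other = {}, set()
    for url in c.urls:
        host = urlparse(url).hostname  # None for relative, first-party URLs
        if host in (None, first_party) or host.endswith("." + first_party):
            continue
        if host in KNOWN_TRACKERS:
            named.setdefault(KNOWN_TRACKERS[host], set()).add("src attribute")
        else:
            other.add(host)
    for body in c.inline:  # snippets are often injected by inline loader code
        for host, name in KNOWN_TRACKERS.items():
            if host in body:
                named.setdefault(name, set()).add("inline loader")
    return named, sorted(other)

# Constructed sample page for a hypothetical site, clinic.example.
SAMPLE_HTML = """<script src="/static/app.js"></script>
<script async src="https://www.google-analytics.com/analytics.js"></script>
<script>loadScript('https://connect.facebook.net/en_US/fbevents.js');</script>
<script src="https://cdn.adtech.example/track.js"></script>"""
```

Calling `audit_page(SAMPLE_HTML, "clinic.example")` reports both named snippets and lists `cdn.adtech.example` as an additional third-party host to review.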