Study Investigates How Medical Apps are Disclosing Health Information to Facebook and Others

Sensitive information is being sent to data brokers and marketers for the purpose of serving targeted ads, and not only by health apps and fitness trackers. HIPAA-covered entities are likewise sending health information without patient authorization, which exposes them to regulatory penalties and lawsuits.

Many consumer health applications gather sensitive health data, among them personal fitness and workout apps and pregnancy and fertility trackers. The applications are given that information by the user or collect it directly from connected wearable devices, and the data may be shared with or sold to third parties under the apps' terms of use. If users do not want to disclose their information, they can simply stop using the apps.

Nevertheless, there is rising concern about healthcare organizations covered by the Health Insurance Portability and Accountability Act (HIPAA) disclosing identifiable health information. Numerous hospitals have recently been found to have used the Meta Pixel JavaScript code on their web pages to monitor visitor activity and measure the performance of their Facebook advertising campaigns. In some cases, the code was placed on pages inside patient portals, and health data was transmitted to Meta without authorization and used by Facebook advertisers to serve targeted, personalized ads. At least two lawsuits have been filed against healthcare organizations over these privacy breaches, and Novant Health has recently sent notifications to over 1.3 million individuals whose privacy was breached.

Study Investigates How Medical Applications Share Healthcare Information with Social Media Platforms

A new study has examined how medical applications have been disclosing sensitive health information. The researchers chose medical applications that were popular with patients who are active on social media sites such as Facebook and use them to find information about their medical condition. The study looked at five digital medicine firms and assessed 32 types of cross-site-tracking middleware that use cookies to track people across the Internet and share their browsing activity with Facebook for marketing and lead generation. In particular, the researchers focused on companies providing services to patient advocates in the cancer care community who were frequent users of social media sites.

Patients commonly use social media sites to get support from their peers, and Facebook is the most widely used. Facebook is flooded with advertisements related to medical conditions. According to the researchers, in 2019 health and pharmaceutical firms spent over 1 billion on Facebook mobile advertising alone. The health data that patients disclose to social communities exposes them to these advertisements and enables health and pharmaceutical firms to target specific patient populations. The targeted patients in the cancer community were found to be vulnerable to online fraud, health misinformation, and privacy breaches through the use of cross-site tracking middleware. The researchers centered their work on Facebook's advertising model, though the findings may apply to other social media platforms as well.

How Patient Tracking and Targeted Advertising Work

In a typical scenario, a cancer patient signs up for a digital medicine or genetic testing application and accepts its terms and conditions. Separately, the patient has or creates a Facebook account. The vendor embeds third-party tracking code on its web pages, and that code transmits the patient's off-Facebook activity to Facebook without the user's permission.

The off-Facebook activity sent by the vendor is used to update Facebook's advertising-interest algorithms. Facebook then shows health-related advertisements according to each user's inferred health interests. Vendors can tailor advertisements to users with particular health interests, and may also try to enrich the data through forms and quizzes, with the resulting lead information sent from Facebook to the vendor's CRM system.
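As an added illustration for the tracking flow described above (this is not code from the article or from the study it reports on), the following Python script shows how a site owner or compliance auditor can check a page's HTML for third-party tracking code before it reaches a patient-facing page. The tracker hostnames, the path patterns used to classify a page as patient-facing, the placeholder pixel ID, and the sample page are all constructed for the example; the script relies only on the Python standard library.

```python
"""Audit a web page's HTML for third-party tracking code such as the Meta Pixel.

Added illustration for this article; not code from the study it describes.
The tracker hostnames, sensitive-path hints, pixel ID and sample page below
are constructed for the example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostnames this auditor treats as advertising/analytics trackers (constructed list).
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel script loader",
    "www.facebook.com": "Meta Pixel image beacon",
    "www.googletagmanager.com": "Google Tag Manager",
}

# URL path fragments that mark a page as patient-facing (constructed list).
SENSITIVE_PATH_HINTS = ("/patient", "/appointment", "/results", "/portal")

# Matches inline pixel calls such as fbq('init', '123') or fbq('track', 'PageView').
FBQ_CALL = re.compile(r"fbq\(\s*['\"](\w+)['\"]\s*,\s*['\"]([^'\"]*)['\"]")


class TrackerScanner(HTMLParser):
    """Collects third-party resource loads and inline pixel calls from one page."""

    def __init__(self, first_party_host):
        super().__init__()
        self.first_party_host = first_party_host
        self.trackers = []        # known tracker loads: (tag, host, description)
        self.third_parties = []   # other off-site hosts, flagged for manual review
        self.pixel_events = []    # (fbq command, argument) pairs from inline scripts
        self._script_text = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
        src = attrs.get("src")
        if tag in ("script", "img", "iframe") and src:
            host = (urlparse(src).hostname or "").lower()
            if host in TRACKER_HOSTS:
                self.trackers.append((tag, host, TRACKER_HOSTS[host]))
            elif host and host != self.first_party_host:
                self.third_parties.append((tag, host))

    def handle_data(self, data):
        # Script bodies arrive here because HTMLParser treats <script> as CDATA.
        if self._in_script:
            self._script_text.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            self.pixel_events.extend(FBQ_CALL.findall("".join(self._script_text)))
            self._script_text = []


def audit_page(html, page_url):
    """Return what the page loads and whether that is risky for a patient-facing URL."""
    parsed = urlparse(page_url)
    scanner = TrackerScanner((parsed.hostname or "").lower())
    scanner.feed(html)
    scanner.close()
    sensitive = any(hint in parsed.path.lower() for hint in SENSITIVE_PATH_HINTS)
    has_pixel = bool(scanner.trackers or scanner.pixel_events)
    if has_pixel and sensitive:
        risk = "high"      # tracker on a page whose URL alone can reveal a condition
    elif has_pixel:
        risk = "medium"
    else:
        risk = "none"
    return {
        "sensitive_page": sensitive,
        "trackers": scanner.trackers,
        "pixel_events": scanner.pixel_events,
        "unlisted_third_parties": scanner.third_parties,
        "risk": risk,
    }


# Constructed sample: a patient-portal page carrying a pixel with a placeholder ID.
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script>
  fbq('init', '000000000000000');
  fbq('track', 'PageView');
</script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
</head><body>
<noscript><img src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>
<h1>Upcoming oncology appointments</h1>
</body></html>"""

if __name__ == "__main__":
    report = audit_page(SAMPLE_PAGE, "https://portal.example-hospital.test/patient/appointments")
    for key, value in report.items():
        print(f"{key}: {value}")
```

The scanner reports known trackers, inline pixel events, and any unlisted off-site host separately so that an auditor can distinguish a confirmed pixel from a third-party asset that merely needs review; a page whose URL path itself reveals a clinical context (an appointment or results page) is rated higher because the pixel sends that URL along with the visit. A real deployment would run this against every page template in the patient portal rather than a single sample.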

Privacy Guidelines and Data Sharing Practices Vary

Although digital medicine and genetic testing applications have privacy policies that describe how information is collected and used, in some cases those policies do not match actual data-sharing practices. All five applications had privacy policies; however, three stated that health information would not be transmitted to advertisers when in fact such data was being shared.

All five applications are likely subject to the Federal Trade Commission's Health Breach Notification Rule, and two of the application vendors were CLIA-accredited labs that provide clinical genetic and diagnostic testing and are therefore covered by HIPAA. In some cases, users were tracked and their information disclosed even though no consent had been given, and in a few cases users had been told that their health data would not be shared with Facebook or other parties.

A Meta representative stated that health data should not be sent to the platform and that Meta filters and removes health information to keep it from being disclosed to advertisers; however, the filter does not catch all health information. The researchers also cited Facebook's November 2021 announcement that it would remove all specific ad-targeting endpoints for sensitive health data.

The researchers noted that the practice of tracking users and sharing their information with Facebook (and other social media platforms) may violate federal and industry regulations, in particular the FTC's Health Breach Notification Rule and likely HIPAA. They also point out that since the introduction of the Health Breach Notification Rule, no enforcement action has been taken under it.

The researchers showed that it is possible to obtain personal information and personal health information without sophisticated cyberattack techniques, using only ordinary third-party advertising tools. Although the study did not confirm any deliberate deception of individuals, it was also unclear to what extent these companies knew that user health information was being tracked and sent to Facebook to serve targeted ads.

The marketing tools exhibit a dark pattern of tracking vulnerable patients across platforms as they browse the internet, in ways that are not transparent to the firms themselves or to the patient populations using Facebook. Although the digital medicine ecosystem depends on social networks to acquire customers and grow through advertising-driven marketing programs, these practices at times contradict the companies' own stated privacy policies and promises to their customers.

The study, entitled "Health advertising on Facebook: Privacy and Policy Considerations", was published in the journal Patterns on August 15, 2022.