Healthcare startups are scrambling to reassess how their websites and apps are built, and how third parties may, inadvertently or not, be putting patients’ protected health information at risk.
In March, U.S. mental health startup Cerebral admitted it shared the private health information of more than 3 million users with Facebook, Google, TikTok and other ad giants via so-called tracking pixels. These near-invisible bits of code are typically embedded in web pages to share information about users’ activity, often for analytics. Cerebral said these trackers inadvertently collected sensitive user data since it began operating in October 2019.
In its disclosure to the U.S. Department of Health and Human Services (HHS), Cerebral said that following a review of its code, it “determined that it had disclosed certain information that may be regulated as protected health information under [the Health Insurance Portability and Accountability Act],” or HIPAA, as it’s commonly referred to. This information included patients’ phone numbers, IP addresses, insurance information, mental health assessment responses and associated clinical data.
This data lapse is the third-largest breach of health data in 2023, according to the HHS, which is investigating the breach. However, while Cerebral’s lapse ranks among the most serious and damaging, the breach is just one of many currently being investigated by HHS — and this list is likely to grow.
More casualties
Last year, a joint investigation by STAT and The Markup found that dozens of hospital websites and telehealth startups were sharing patients’ medical information with advertisers and tech giants.
Out of 50 direct-to-consumer telehealth firms the reporters evaluated, 13 had at least one tracker that collected patients’ answers to medical intake questions, and 25 told at least one Big Tech platform that a user had added a personal data point, such as medication, to their cart. Almost every website they tested sent information about which of their webpages users accessed as well as users’ web addresses to at least one tech company.
Many of these companies, including Cerebral, believed that their use of pixel trackers did not violate HIPAA because the company itself doesn’t provide care but rather only connects patients with healthcare providers. Monument, a site that offers alcohol treatment, also claimed to be HIPAA-compliant, despite the fact it was sharing with advertisers the personal information and health data of its patients without their consent.
In light of the investigations and the lawsuits that followed, HHS’ Office for Civil Rights, which enforces HIPAA, updated its guidance on using tracking technologies. The agency advised that pixel trackers cannot be used in a way that would result in “impermissible disclosures” of a person’s health data to tech companies or any other HIPAA violations.
HHS isn’t alone in taking action. The Federal Trade Commission recently settled with digital healthcare platforms GoodRx and BetterHelp for allegedly sharing user health data with third parties, warning of the hidden impacts of pixel tracking technology on the healthcare industry.
A recent study in the journal Health Affairs found that third-party tracking tools are used on nearly 99% of hospital websites. This means that as a result of this recent crackdown, almost all healthcare startups — many of which may not have known that their marketing tools are sending patient information to third parties — are now clambering to reassess how their websites and apps are built and how they are putting patients’ protected health information at risk.
Cory Brennan, a cybersecurity and technology attorney at Taft Stettinius and Hollister, said: “It could not be more important to be able to really get a full inventory and scope of those tracking technologies — and then also to start testing them — to see exactly what information is being tracked and transmitted through the use of those technologies.”
Stay on track
The healthcare industry’s use of pixel trackers has come under regulatory scrutiny in recent months, but it is unlikely to be the only industry to be targeted as the practice of harvesting data through web trackers becomes more widely known.
Whether it’s healthcare, finance or education, companies need to know that the use of tools designed to surreptitiously collect user data can lead to violations of regulations and run-ins with privacy laws. This means companies have to ensure such tools are used correctly, give users the option to opt out of tracking and only collect information that they are actually going to use.
Founders and leaders also need to make sure that their whole business understands the risks: If your marketing team doesn’t fully understand privacy regulations, and your legal team doesn’t have a handle on how the marketing tools work, you’re likely going to end up in hot water down the line.
When it comes to the healthcare industry, it’s likely that we’ll be seeing more disclosures as the cleanup continues. Don’t let your startup be the next casualty.