This article was co-published with STAT, a national publication that delivers trusted and authoritative journalism about health, medicine, and the life sciences.
A bipartisan group of senators fiercely criticized several prominent telehealth startups for failing to protect their patients’ sensitive health information, citing an investigation by The Markup and STAT, which found dozens of telehealth companies sharing patient data with Facebook, Google, and other major advertising platforms.
“This data is extremely personal, and it can be used to target advertisements for services that may be unnecessary or potentially harmful physically, psychologically, or emotionally,” wrote Sens. Amy Klobuchar (D-MN), Susan Collins (R-ME), Maria Cantwell (D-WA), and Cynthia Lummis (R-WY) in letters sent this month to telehealth companies Monument, Workit Health, and Cerebral requesting information on their data sharing policies.
The investigation by STAT and The Markup examined the data-sharing practices of 50 direct-to-consumer telehealth companies, including Workit, Monument, and Cerebral. Specifically, the investigation examined what data is shared as companies use trackers from big tech companies—including Meta, Google, TikTok, Microsoft, and Twitter—to target advertisements and follow consumer browsing and buying patterns online.
On 13 of the 50 websites, The Markup and STAT found at least one tracker from major social media and search engine companies that collected patients’ answers to medical questions. Trackers on 25 sites informed at least one big tech platform when users added prescription drugs and other items to their cart or when they checked out with a subscription for a treatment plan.
Patients who visited Workit’s website seeking addiction treatment, for example, were presented with a simple intake form that asked about current opioid and alcohol use, self-harm, and methadone use. The investigation found responses to that survey, along with other personal information, were sent to Facebook. Presented with those findings, Workit said it adjusted how it was using the trackers.
The letters came just days after the Federal Trade Commission reached a $1.5 million settlement with the telehealth services market GoodRx for sharing users’ health data with Facebook, Google, and others for advertising. They also follow a lawsuit filed on Jan. 5 against another telehealth company examined in The Markup and STAT’s investigation, Hey Favor, as well as FullStory, Meta, and ByteDance, the company behind TikTok.
Much of the information shared by such trackers is not protected by the Health Insurance Portability and Accountability Act (HIPAA), the decades-old patient privacy law that was crafted long before virtual care was an option. Still, health privacy experts and former regulators said sharing such sensitive medical information with advertising platforms undercuts patient privacy and trust—and in some cases, could run afoul of fair business laws.
In the letters to executives at the three companies, the lawmakers demanded a list of all third-party platforms they’ve shared user information with over the past three years, along with details about what types of user information they shared. On 35 of the 50 websites, STAT and The Markup found trackers sending individually identifying information to at least one tech company, including names, email addresses, and phone numbers.
Two of the companies targeted by lawmakers—Workit Health and Cerebral—offer online prescriptions of controlled substances, which has been allowed under loosened federal rules during the pandemic. Under federal law, some addiction treatment providers are held to patient privacy standards even stricter than those set out in HIPAA. For example, the physician group that Workit uses for patient care states it is forbidden from acknowledging “to anyone outside of the program that you are a patient or disclos[ing] any information identifying you as a substance use disorder patient” except in narrow situations.
The senators—who gave a deadline of Feb. 10 for the companies to respond—explicitly asked all three companies whether they have ever shared information with a third-party service that could identify any of their users as someone seeking treatment for addiction, substance use disorder, or a mental health condition.
They also noted that telehealth is an increasingly popular option to expand access to health care for rural and underserved patient communities.
“This access should not come at the cost of exposing personal and identifiable information to the world’s largest advertising ecosystems,” they wrote.
The Markup’s Todd Feathers and Simon Fondrie-Teitler contributed reporting to this story.
John Wilkerson is a Washington correspondent for STAT who writes about the politics of health care.