Sensitive health data shared with tech giants by major pharmacies

In a recent revelation that has raised eyebrows and concerns about privacy, an investigation conducted by The Markup and KFF Health News has found that twelve of the largest drug stores in the United States have been sharing sensitive health information with social media and advertising platforms. The implicated platforms include Meta (formerly known as Facebook), Google, and Microsoft's search engine, Bing.

What's new

The investigation discovered that when customers browse or purchase products online from these drug stores, their actions are tracked, and the data is shared with these platforms. This means that if you're looking for an at-home HIV test or Plan B emergency contraception online, these platforms may know about it. The shared data is not limited to what products customers viewed or bought; it also includes browsing-related data, making the privacy concerns even more significant.

This practice of data sharing is not confined to a few pharmacies; it's a widespread issue. The investigation found that this kind of sensitive data sharing is happening on the websites of 12 of the U.S.'s biggest drugstores, including grocery store chains that have pharmacies.

Why it matters

Sharing sensitive health information with social media and advertising platforms raises significant privacy concerns. When customers search for or purchase health-related products online, they may believe their actions are private. However, the Markups' investigation's findings suggest otherwise.

The data being shared is not just about what products customers are viewing or purchasing. It also includes browsing-related data, providing these platforms with a detailed picture of a customer's online activity on these drugstore websites. This could lead to targeted advertising based on this sensitive information, which many customers might find intrusive or uncomfortable.

The products involved are not just everyday items; they include sensitive health products such as HIV tests and Plan B emergency contraception. Sharing data related to these products could potentially lead to stigmatization or discrimination. For instance, someone who has purchased an HIV test may not want that information shared due to the stigma associated with HIV/AIDS.

Furthermore, this practice raises questions about consent. Are customers aware that their data is being shared this way when visiting these websites? And if they are, do they fully understand the implications? The investigation's findings suggest that the answer to both questions may be no.

How it works

The mechanism behind this data sharing involves tracking tools known as "pixels." These pixels are embedded in the websites of the drug stores and collect information as the website runs. The information collected includes the products customers view or purchase and browsing-related data.

Pixels work by sending a shopper's IP address, which is essentially a digital mailing address for a person's computer or household internet, to social media giants and other firms. They also send cookies, a way of storing information in a user's browser that helps track a user from page to page as they browse a retailer's site. Cookies can sometimes also associate individuals on a site with their account on a social media platform.

In addition to the IP address and cookies, the pixels often send information about what you've clicked or bought, including sensitive healthcare-related items. This information is often used to target ads, either to you personally or to groups of people that resemble you in demographics or habits.

The investigation found that this practice is not limited to a few websites. It's a widespread issue, with pixels discovered on the websites of 12 of the U.S.'s biggest drugstores, including grocery store chains with pharmacies. This means that a significant number of customers could potentially be affected by this practice.

Related: 98.6% of hospitals use tracking that puts patient privacy at risk

Who's involved

The investigation has implicated several major players in the pharmacy and retail industry. CVS, one of the largest drugstore chains in the U.S., was found to have trackers on its website that were sharing customer data with social media and advertising platforms. But CVS is not alone in this practice.

Other major drugstores, including grocery store chains with pharmacies, were also found to share sensitive customer data. For instance, supermarket giant Kroger was found to be informing platforms like Meta, Bing, Twitter, Snapchat, and Pinterest when a shopper added Plan B to their cart.

In addition to the drugstores, the investigation also implicates several major social media and advertising platforms. These include Meta (formerly Facebook), Google, and Microsoft's search engine, Bing. These platforms receive the data collected by the pixels and use it for targeted advertising.

The investigation's findings suggest that this practice of sharing sensitive customer data is widespread, involving some of the biggest names in the pharmacy, retail, and tech industries. This raises significant concerns about privacy and the handling of sensitive health information.

What they're saying

Oni Blackstock, the founder of Health Justice, said, "HIV testing is the gateway to HIV prevention and treatment services. People living with HIV should have control over whether someone knows their status," she said.

Kroger spokesperson Erin Rolfes stated, "trackers disclose product information, which is not sensitive health information unless one or more inferences are made. Kroger does not make any inferences linking the product information collected or disclosed by trackers to an individual's health condition."

The legal angle

The data-sharing practices of these drugstores and social media platforms have not only raised privacy concerns but have also led to legal action. A class-action lawsuit has been filed against Rite Aid for sharing sensitive health data with Facebook. The lawsuit alleges that Rite Aid violated the Health Insurance Portability and Accountability Act (HIPAA) by sharing protected health information without patient consent.

In a related legal action, Meta has claimed that hospitals using its tracking tools are the liable parties, not Meta itself. This raises important questions about who is responsible for protecting patient data online. It also highlights the potential for HIPAA violations in the use of tracking technologies, an area currently not explicitly addressed by the law. The outcome of these lawsuits could have significant implications for privacy practices in the healthcare industry.

Related: HIPAA Compliant Email: The Definitive Guide

The bigger picture

The investigation's findings and the ensuing legal battles have broader implications beyond these specific cases. They highlight the potential for HIPAA violations in the use of tracking technologies.

HIPAA is a federal law that protects the privacy of patient health information. One of the requirements of HIPAA is that covered entities must obtain patient consent before sharing their PHI with third-party companies. 

With the increasing use of digital technologies in healthcare, there is a growing need for clearer regulations and better privacy protections. Some experts argue that HIPAA is outdated and does not adequately protect patient data in the context of modern technologies. They say that HIPAA should be updated to include specific provisions governing the use of tracking technologies. 

On the other hand, The American Hospital Association argues that treating an IP address as protected health information will restrict public access to credible health information, harming both patients and hospitals. 

What's Next

The ongoing legal battles and public discourse surrounding the use of pixel trackers by pharmacies have brought this issue to the forefront. The implications of these investigations are far-reaching, with potential changes to how online privacy is managed and regulated.

The lawsuits against Meta and other companies involved are still pending. The outcomes of these cases could set important precedents for how patient data is handled and protected, potentially leading to significant changes in the healthcare and tech industries.

In the immediate future, the spotlight on these practices could lead to more transparency from pharmacies and other healthcare providers about their use of pixel trackers and other data-sharing practices. It could also prompt these companies to review and revise their privacy policies and practices.

Moreover, this issue could lead to renewed calls for changes to privacy laws and regulations, including HIPAA. There may be increased pressure on lawmakers to update these laws to address the challenges posed by modern technologies like pixel trackers.