The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 to protect sensitive protected health information (PHI) from being disclosed without patient consent. But a study published August 15 in the journal Patterns shows that some PHI is not as secure as expected. Researchers reviewed the tactics of five digital medicine companies and the actions of cross-site tracking software to demonstrate how browsing data related to health topics is shared with Facebook for lead generation and advertising purposes.
“We started doing this research because we want to make sure people understand how they are targeted and followed across different digital platforms, including online health services and social media apps like Facebook,” says co-author Andrea Downing, an independent security researcher and co-founder of the Light Collective, a group created to study cybersecurity risks in the realm of patient privacy. “In my opinion, data gathering and predictive algorithms that are used for advertising and other purposes are one of the biggest threats to online patient communities.”
The investigators focused on five clinical services used by the participants. They reviewed the companies’ websites for third-party ad trackers and looked at whether use of these ad trackers complied with the companies’ own privacy policies. They also looked at Facebook’s ad library for each participant to determine whether health data obtained through these companies influenced the types of ads that the participants were seeing.
“We constantly get bombarded by these ads,” Downing says. “Our question is, why they are being served up to us, and what information do these third parties have in order to serve up these ads?”
The five companies included in the analysis provide information or services (including genetic testing) related to inherited cancer risk. The investigators determined that two of the companies targeted ads but were consistent with their own privacy policies. The other three did not comply with their own policies and claims of privacy. “This loss of privacy can cause harm in the wrong hands, from people who want to scam the patient community or target them with misinformation,” Downing says.
This is the first peer-reviewed study from the Light Collective, which was founded in 2019 to study issues around patient privacy and digital media. Earlier this summer, the Light Collective brought their research to the Markup, a nonprofit news organization focused on the intersection of technology and society. The Markup published a related study about how hospitals share sensitive medical information collected on their websites with advertisers.
“We recognize that this is a small sampling that only scratched the surface, and clearly much more research is needed here,” Downing says. “We want to put this study in the hands of data scientists and to partner with researchers who can expand upon it. There is clearly a much-needed dialogue in this country about the state of health privacy and how it affects all patient populations.”
Eric Perakslis, Executive Director at the Center for Biomedical Informatics at Duke University, was the other co-author of the Patterns paper.