D2C telehealth companies are the latest to erode privacy

The news: A joint investigation by STAT and The Markup found that 49 of 50 direct-to-consumer (D2C) virtual care websites, from Cerebral to Workit, were sending consumers’ sensitive medical information to big tech and social media platforms.

  • 13 of the 50 had at least one tracker that collected patients’ answers to medical intake questions, including trackers for Meta, Google, TikTok, Bing, Snap, Twitter, LinkedIn, and Pinterest.
  • 25 sites had trackers that told at least one big tech platform if users added an item like a prescription medication to their cart or checked out a subscription for a treatment plan. Those sites included D2C telehealth leaders Hims & Hers, Ro, and Thirty Madison.
  • Other shared data included URLs of sites the users visited, personal contact information, and when users created accounts.
  • Amazon Clinic, a text-based telehealth service just launched in November, was the only site that did not show any trackers, the researchers said.

How they got here: In June 2022, STAT and The Markup jointly published findings from their investigation of data-sharing practices among the top 100 US hospitals. One-third of those studied were sending sensitive patient data to Facebook through its Meta pixel, a JavaScript snippet that Facebook offers to websites so they can track visitors and report their actions back to Meta.

  • Details about medical conditions, prescriptions, and doctors’ appointments were sent to Facebook.
  • Data was collected and sent whenever a person clicked a button to schedule an appointment.
  • The report found the Meta pixel was installed inside the password-protected patient portals of seven health systems.
  • One result: Meta now faces several large class-action suits over the June report.
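The leak both investigations describe, an intake answer or an add-to-cart event relayed to a tracker, is visible in a browser’s network capture. The following is an added example written for this page, not code from STAT, The Markup, or any of the companies named above: it walks a small HAR-style list of outbound requests (constructed here) and flags the tracker requests that carry intake or commerce data, while leaving the site’s own first-party request alone. The tracker host list, the `ev`, `dl` and `cd[...]` parameter names (taken from Meta’s public pixel documentation), the TikTok request shape, and the `example-telehealth.test` site are all assumptions.

```javascript
// Added audit example (not code from the investigations or the sites named in the article).
// Input: a HAR-like list of outbound browser requests. Output: one finding per request that
// goes to a known tracker host AND carries intake / commerce / page-path data.

// Assumed (non-exhaustive) list of tracker endpoints.
const TRACKER_HOSTS = [
  'www.facebook.com', 'connect.facebook.net',
  'www.google-analytics.com', 'analytics.google.com',
  'analytics.tiktok.com', 'bat.bing.com', 'tr.snapchat.com',
  'px.ads.linkedin.com', 'ct.pinterest.com', 'analytics.twitter.com',
];

// Words that mark a parameter name (or a page path) as intake or commerce data.
const SENSITIVE_KEYS = /symptom|diagnos|condition|medication|prescription|drug|dose|cart|checkout|subscri|email|phone|birth/i;
// Parameters that carry the page URL the visitor was on (Meta's dl/rl, GA's dl/dr, generic url/page).
const PAGE_URL_KEYS = /(^|[._])(dl|rl|dr|url|page|referrer)$/i;
// Parameters that name the event being reported (Meta 'ev', GA4 'en', generic 'event').
const EVENT_KEYS = new Set(['ev', 'en', 'event']);

function isTrackerHost(hostname) {
  return TRACKER_HOSTS.some(h => hostname === h || hostname.endsWith('.' + h));
}

// Flatten a JSON body into dotted key/value pairs so nested fields are inspected too.
function flatten(obj, prefix, out) {
  for (const [k, v] of Object.entries(obj)) {
    const key = prefix ? `${prefix}.${k}` : k;
    if (v && typeof v === 'object') flatten(v, key, out);
    else out.push([key, String(v)]);
  }
  return out;
}

// Collect query-string parameters plus any JSON or form-encoded body fields.
function extractParams(entry) {
  const out = [];
  for (const [k, v] of new URL(entry.url).searchParams) out.push([k, v]);
  if (entry.body) {
    let parsed = null;
    try { parsed = JSON.parse(entry.body); } catch { /* not JSON: treat as form-encoded */ }
    if (parsed && typeof parsed === 'object') flatten(parsed, '', out);
    else for (const [k, v] of new URLSearchParams(entry.body)) out.push([k, v]);
  }
  return out;
}

function isSensitive(key, value) {
  if (SENSITIVE_KEYS.test(key)) return true;   // e.g. cd[prescription], properties.symptoms
  if (key.startsWith('cd[')) return true;       // Meta custom data: whatever the site chose to attach
  return PAGE_URL_KEYS.test(key) && SENSITIVE_KEYS.test(value); // page URL reveals the intake step
}

// Returns [{ page, host, event, leaked: [[key, value], ...] }] for every leaking tracker request.
function findTrackerLeaks(entries) {
  const findings = [];
  for (const e of entries) {
    const host = new URL(e.url).hostname;
    if (!isTrackerHost(host)) continue;
    const params = extractParams(e);
    const leaked = params.filter(([k, v]) => isSensitive(k, v));
    if (leaked.length === 0) continue;
    const ev = params.find(([k]) => EVENT_KEYS.has(k));
    findings.push({ page: e.page, host, event: ev ? ev[1] : '(none)', leaked });
  }
  return findings;
}

// Constructed sample capture: one first-party request and four tracker calls.
const SAMPLE_ENTRIES = [
  { page: '/intake/symptoms', method: 'POST', url: 'https://example-telehealth.test/api/intake',
    body: JSON.stringify({ symptoms: 'anxiety', medication: 'none' }) },
  { page: '/', method: 'GET',
    url: 'https://www.facebook.com/tr/?id=1234567890&ev=PageView&dl=https%3A%2F%2Fexample-telehealth.test%2F' },
  { page: '/intake/symptoms', method: 'GET',
    url: 'https://www.facebook.com/tr/?id=1234567890&ev=PageView&dl=https%3A%2F%2Fexample-telehealth.test%2Fintake%2Fsymptoms' },
  { page: '/checkout', method: 'GET',
    url: 'https://www.facebook.com/tr/?id=1234567890&ev=AddToCart&dl=https%3A%2F%2Fexample-telehealth.test%2Fcheckout'
       + '&cd%5Bcontent_name%5D=sertraline%2050mg&cd%5Bprescription%5D=yes&cd%5Bvalue%5D=39' },
  { page: '/intake/symptoms', method: 'POST', url: 'https://analytics.tiktok.com/api/v2/pixel',
    body: JSON.stringify({ event: 'SubmitForm', properties: { symptoms: 'anxiety', page: '/intake/symptoms' } }) },
];

for (const f of findTrackerLeaks(SAMPLE_ENTRIES)) {
  console.log(`${f.page} -> ${f.host} [${f.event}]: ${f.leaked.map(([k, v]) => `${k}=${v}`).join(', ')}`);
}
```

The first-party intake POST is skipped because it is the site’s own backend; the homepage PageView is skipped because it carries nothing beyond the pixel id. The other three are exactly the patterns the report describes: a page URL that names the intake step, a cart event with the product and a prescription flag attached as custom data, and a form-submit event whose properties repeat the answers. In practice the entries come from a HAR export of the browser’s network panel; the rules above are a starting point to extend with a site’s own field names, not a complete tracker signature list.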

HIPAA’s no help: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) doesn’t address the magnitude of technology changes that have taken place since its enactment. And consumers are confused about what it protects and what it doesn’t.

  • Most telehealth companies don’t provide care themselves. Their websites serve to connect patients with healthcare providers in employed or contracted medical groups.
  • “HIPAA-compliant” statements about patient privacy on D2C websites may encourage users to share more information, but their data is still shared with third parties.
  • HIPAA itself is enforced by the Department of Health and Human Services’ Office for Civil Rights, not the Federal Trade Commission. The FTC’s lever is consumer-protection law, and it has previously brought cases over deceptive use of “HIPAA-compliant” badges on some sites.

This will backfire, eventually: Consumer trust is at stake for all digital health companies, not just D2C telehealth startups.

Digital trust is the confidence people have that a platform or company will protect their information and provide a safe environment for them. Once it’s lost by one group of healthcare providers, suspicion could taint all patient interactions going forward.

A just-published survey from Trusted Future found that about half of respondents (49%) used apps for fitness or wellbeing, and 45% stored health-related data from doctors, hospitals, or insurance companies on their mobile devices.

But there was no doubt about their sentiments on privacy and security around their personal health data.

  • 82% are concerned their private data could be sold without their consent.
  • 82% are concerned it could be shared with others without their permission.
  • 81% are concerned it could be lost or stolen and end up exposed publicly.

Go deeper: Our sixth annual Digital Trust Benchmark 2022 shows how losing consumers’ trust is affecting nine major social media platforms. With the latest STAT/Markup report, digital health startups could see similar sentiments rising in 2023.

This article originally appeared in Insider Intelligence's Digital Health Briefing—a daily recap of top stories reshaping the healthcare industry. Subscribe to have more hard-hitting takeaways delivered to your inbox daily.