If you think HIPAA medical privacy laws mean your medical data is secure, think again. Digital health companies have been caught funneling sensitive data that patients have shared with them to Facebook/Meta to help target advertisements.
A recent study by the data privacy research group Light Collective surveyed the actions of five health companies and found that third-party ad trackers used by those companies followed patients online and marketed to them based on their activities. Three of the companies went against their own privacy policies in the process, raising concerns about HIPAA violations.
Four of the five digital health companies did not respond to requests by Forbes for comment. The authors of the study said that after they disclosed their findings to the five companies, only two responded: Ciitizen and Invitae. Both said they were investigating the matter.
Andrea Downing, cofounder of the Light Collective, said that poor health data privacy is “one of the biggest threats to online patient communities.” The study is indicative of larger data-sharing trends across digital health and social media. An investigation published earlier this summer by The Markup showed that hospital websites are currently using data trackers to gather and share sensitive patient information with Facebook for marketing. Facebook’s parent company, Meta, has said that sharing such information is a violation of the company’s rules.
This is a concerning development for digital health privacy. Digital health companies are allegedly violating their own privacy rules and possibly the law. It also demonstrates the failure of the government to ensure critical patient health data is safe and secure.