Bipartisan probe of Telehealth companies that shared private patient data with Facebook, Google

The following is an excerpt from STAT News.

A bipartisan group of senators fiercely criticized several prominent tele-health startups for failing to protect sensitive health information, citing an investigation by STAT and The Markup which found dozens of tele-health companies sharing patient data with Facebook, Google and other major advertising platforms.

“This data is extremely personal, and it can be used to target advertisements for services that may be unnecessary or potentially harmful physically, psychologically, or emotionally,” wrote Sens. Amy Klobuchar (D-Minn.), Susan Collins (R-Maine), Maria Cantwell (D-Wash.) and Cynthia Lummis (R-Wyo.) in letters sent this month to telehealth companies Monument, Workit Health, and Cerebral requesting information on their data sharing policies.

The investigation by STAT and The Markup examined the data-sharing practices of 50 direct-to-consumer telehealth companies, including Workit, Monument, and Cerebral.

Specifically, the investigation examined what data is shared as companies use trackers from big tech companies — including Meta, Google, TikTok, Microsoft, and Twitter — to target advertisements and follow consumer browsing and buying patterns online.

For patients visiting online health care platforms, that data can be deeply personal. On 13 of the 50 websites, STAT and The Markup found at least one tracker from major social media and search engine companies that collected patients’ answers to medical questions.

Trackers on 25 sites informed at least one big tech platform when users added prescription drugs and other items to their cart, or when they checked out with a subscription for a treatment plan.

The letters come just days after the Federal Trade Commission reached a $1.5 million settlement with the telehealth services market GoodRx for sharing users’ health data with Facebook, Google and others for advertising.

And it follows a lawsuit filed Jan. 5 against another telehealth company examined in the STAT and The Markup investigation, Hey Favor, as well as FullStory, Meta, and ByteDance, the company behind TikTok.

Much of the information shared by such trackers is not protected by the Health Insurance Portability and Accountability Act, the decades-old patient privacy law that was crafted long before virtual care was an option.

Still, health privacy experts and former regulators said sharing such sensitive medical information with advertising platforms undercuts patient privacy and trust — and in some cases, could run afoul of fair business laws.