An investigation by The Markup and STAT found 49 out of 50 telehealth websites sharing health data via Big Tech’s tracking tools

Virtual care websites were leaking sensitive medical information they collect to the world’s largest advertising platforms.

URLs users visited:49 sites Personal info (e.g. full name, email, phone):35 sites When user initiated checkout:19 sites User’s answers to questionnaires:13 sites When user added to the cart:11 sites When user created an account:9 sites

On 13 of the 50 websites, we documented at least one tracker—from Meta, Google, TikTok, Bing, Snap, Twitter, LinkedIn, or Pinterest—that collected patients’ answers to medical intake questions.

Health privacy experts and former regulators said sharing such sensitive medical information with the world’s largest advertising platforms threatens patient privacy and trust and could run afoul of unfair business practices laws. They also emphasized that privacy regulations like the Health Insurance Portability and Accountability Act (HIPAA) were not built for telehealth. That leaves “ethical and moral gray areas” that allow for the legal sharing of health-related data

Google:47 sites Facebook:44 sites Bing:27 sites TikTok:23 sites Snapchat:15 sites Pinterest:11 sites Linkedin:9 sites Twitter:7 site

Rather than providing care themselves, telehealth companies often act as middlemen connecting patients to affiliated providers covered by HIPAA. As a result, information collected during a telehealth company’s intake may not be protected by HIPAA, while the same information given to the provider would be.

Together, the companies in this analysis reflect an increasingly competitive—and lucrative—direct-to-consumer health care market. The promise of a streamlined, private prescription process has helped telehealth startups raise billions as they seek to capitalize on a pandemic-driven boom in virtual care.

The industry’s rapid growth has been enhanced by its ability to use data from tools like pixels to target advertisements to increasingly specific patient populations and to put ads in front of users who have visited their site before.

“It’s a pure monetization play,” said Eric Perakslis, chief science and digital officer at the Duke Clinical Research Institute. “And yes, everybody else is doing it, it’s the way the internet works.… But I think that it’s out of step with medical ethics, clearly.”

The increased attention reflects growing fears about how health data may be used once it enters the black boxes of corporate data warehouses—whether it originates from a hospital, a location tracker, or a telehealth website.

“The health data market just continues to kind of spiral out of control, as you’re seeing here,” said Perakslis.

But thanks to their business structures, many of the companies behind telehealth websites appear to be operating on the outskirts of health privacy regulations.

The telehealth companies that responded to our detailed queries said their data-sharing practices adhered to their privacy policies. Those kinds of policies commonly include notice that some—but not all—health data shared with the site is subject to HIPAA. Many companies responded that they were careful to ensure that data shared via third-party tools was not considered protected health information.

But the structure of those companies’ businesses—and the inscrutable language in their privacy policies and terms of use—make it difficult for consumers to know what data would qualify as protected, and when.

Further complicating decisions for patients, at least 12 of the direct-to-consumer companies we examined promise on their websites that they are “HIPAA-compliant.” That could encourage users to think all the data they share is protected and lead them to divulge more, said Hartzog. Yet the regulations apply to the websites’ data use only in limited cases.

Facebook’s transparency tool…did not provide details about the specific data Facebook ingested during those interactions. A TikTok pixel collected some of that same information from RexMD, but TikTok’s report on our “usage data from third-party apps and websites” had just one line: “You have no data in this section.”

On some websites, users’ data was also being collected by “custom events,” meaning that a website owner deliberately created a custom tracking label that could have a phrase such as “checkout” in it but wouldn’t necessarily show up in the tech platforms’ transparency tools.

Without updated laws and regulations, experts said patients are left to the whims of rapidly evolving telehealth companies and tech platforms, who may choose to change their privacy policies or alter their trackers at any time.