Google, Microsoft, Facebook Among Tech Giants Illegally Harvesting Private Health Information

Guest Post by Mike Capuzzo

Google, Microsoft, Facebook, TikTok and the majority of medical and healthcare websites illegally harvest and sell private health information despite a federal crackdown on the practice, according to a new cybersecurity report by Feroot Security.

The report, by Toronto-based cybersecurity firm Feroot Security, analyzed hundreds of healthcare websites and found that more than 86% are collecting private data and transferring it to advertisers, marketers and Big Tech social media companies without user consent and in violation of privacy laws.

As patients or consumers browse their favorite or trusted medical websites or sign in to hospital portals to access their private health records, invisible bits of HTML code — called “tracking pixels” — embedded on the websites harvest private information, such as whether patients have cancer, erectile dysfunction or are behind on their hospital bill.

The information is repackaged and sold for a variety of uses, including to companies that target individual users with internet ads, according to the report.

The risk of having personal data scraped is particularly high on log-in and registration pages where internet users supply troves of information, unaware it is being hijacked and sold. More than 73% of log-in and registration pages have invisible trackers that pirate personal health information, the study found.

Approximately 15% of the tracking pixels analyzed by Feroot record users’ keystrokes, harvesting social security numbers, usernames and passwords, credit card and banking information, and an infinite variety of personal health data, including medical diagnosis and treatment.

The study showed that “Google is the absolute dominant collector” of data. Ninety-two percent of the websites loaded on the Google search engine contained data-harvesting technology across wide sectors of the U.S. economy including healthcare and telehealth, banking and financial services, airlines, e-commerce, and the federal and state governments.

The number two offender was Microsoft, with tracking tools hidden on 50.4% of the websites on its platform, followed by Facebook at 50.2% and TikTok at 7.41% and growing fast.

Google, as the driver of its parent Alphabet, the world’s fourth largest company, is often called “the most powerful company in the world.” It counts on advertising, a lifeblood of the global digital economy, for 80% of its revenue.

Microsoft and Facebook “round up the Top 3” of companies that systematically breach data, the report said.

Representatives of Google, Microsoft, and Facebook denied their companies used tracking pixels to harvest personal data.

Website owners are responsible for controlling data collection, a Google spokesperson said. Google policy prohibits Google Analytics and advertising customers, including for example hospital or telehealth websites, from collecting health data in violation of the U.S. Health Insurance Portability and Accountability Act (HIPAA). It’s up to the websites to determine “whether they are HIPAA-regulated entities and what their obligations are under HIPAA,” Google policy says.

Personal health data collected by a tracker or third party without a user’s consent is a violation of HIPAA, said Feroot CEO Ivan Tsarynny.

Big Tech companies “do have policies that talk about protecting health info,” Tsarynny said. But “the real-world application of these policies is a different story.”

Feroot’s study comes as “concern grows regarding data mining companies using pixels/trackers that load into browsers from websites to collect privacy and sensitive user data,” the report stated.

“Compliance regulators and government authorities are increasingly stepping in with bans, restrictions, and executive orders to curb them.”

Eighteen major hospital systems were sued this year for sharing patients’ sensitive health data with Google, Facebook and other tech giants in violation of privacy laws, according to Becker’s Hospital Review.

They include prominent academic medical centers such as the University of Pittsburgh Medical Center, the University of Chicago Medical Center, the University of Iowa Medical Center, Chicago-based Northwestern Memorial Hospital and the University of California San Francisco Medical Center.

Prompted by growing concerns over data theft and the article, “‘Out of Control’: Dozens of Telehealth Startups Sent Sensitive Health Information to Big Tech Companies,” Feroot launched an investigation “to ascertain the exact magnitude and pervasiveness of social media pixels/trackers collecting and transferring personal, sensitive, and private data using pixels or trackers.”

The security platform Feroot sells to companies “made it possible to get detailed facts regarding active client-side e-skimming,” the company said.

Feroot collected data on pixels/trackers during an eight-week period in January and February.

The company said it examined more than 3,675 organizations with unique websites in seven economic sectors. It studied 108,836 unique web pages, including especially vulnerable login, registration and credit card processing pages, 227 trackers and 7 million data transfers.

Key findings from ‘Beware of Pixels & Trackers’:

  • Pixel trackers are “common and abundant” — an average of 13.16 pixels/trackers were found per website, “with Google, Microsoft, Meta (owner of Facebook), ByteDance (owner of TikTok), and Adobe being some of the most common.”
  • “Mission-critical” webpages, such as log-in or registration pages, increase the risk of exposing private information. An average of 5.96% of websites had pixels/trackers on webpages reading user input forms containing privacy or sensitive data.
  • Pixel trackers transfer data to foreign locations around the globe — “about 5% of the data transferred by pixels/trackers loaded from US-based websites is sent outside the US.”
  • Pixel trackers collect and transfer data without first obtaining the explicit consent of visitors.
  • Pixels and trackers are loading from domains banned by the U.S. government and various U.S. states, and even from some of those same governments, including Russia and China. Data obtained by Russian and Chinese websites poses a surveillance and espionage risk.
  • Meta (owner of Facebook and Instagram) and TikTok, owned by Chinese company ByteDance, were “particularly worrisome” for privacy invasion and surveillance risks. Thirty-four U.S. states, both Republican and Democratic-controlled, have banned the use of TikTok on government devices. Montana in May banned the app on all personal devices.
  • TikTok is often present whether or not the TikTok app is deleted. TikTok pixels/trackers can still “load into webpages handling mission-critical user data and can collect and transfer it.”
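The findings above describe the pattern a site owner can check for on their own pages: off-site pixel, script and iframe loads sitting next to forms that read sensitive input. The audit below is an added example, not code from Feroot or its platform; it parses a constructed patient-portal login page, and the tracker hostnames and sensitive-field list it uses are assumptions for the example.

```python
# Added audit example (not Feroot's tool or code): list third-party
# pixel/script/iframe loads on a page and flag any beside sensitive inputs.
from html.parser import HTMLParser
from urllib.parse import urlparse

SENSITIVE_FIELDS = ("password", "ssn", "card", "diagnosis", "dob")  # assumption
TRACKER_HOSTS = {"pixel.adnet.test", "tag.analytics.test"}  # constructed blocklist


class PixelAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.first_party = urlparse(page_url).hostname
        self.third_party = []       # hostnames of off-site img/script/iframe loads
        self.hidden_pixels = []     # off-site images that are 1x1 or hidden
        self.sensitive_inputs = []  # input names that look sensitive

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src")
        if tag in ("img", "script", "iframe") and src:
            host = urlparse(src).hostname
            if host and host != self.first_party:
                self.third_party.append(host)
                style = (a.get("style") or "").replace(" ", "")
                if tag == "img" and (a.get("width") == "1" or "display:none" in style):
                    self.hidden_pixels.append(host)
        elif tag == "input":
            name = (a.get("name") or "").lower()
            if a.get("type") == "password" or any(f in name for f in SENSITIVE_FIELDS):
                self.sensitive_inputs.append(name)


def audit_page(page_url, html):
    """Return the facts a defender wants from one page's markup."""
    p = PixelAuditor(page_url)
    p.feed(html)
    hosts = set(p.third_party)
    return {
        "third_party_hosts": sorted(hosts),
        "known_trackers": sorted(hosts & TRACKER_HOSTS),
        "hidden_pixels": sorted(set(p.hidden_pixels)),
        "sensitive_inputs": p.sensitive_inputs,
        # The report's red flag: a tracker loaded on a page that reads sensitive input.
        "tracker_on_sensitive_page": bool(p.sensitive_inputs and hosts & TRACKER_HOSTS),
    }


# Constructed sample: a fictional patient-portal login page.
SAMPLE_HTML = """<html><body><script src="https://portal.example-hospital.test/app.js"></script>
<script src="https://tag.analytics.test/events.js"></script>
<img src="https://pixel.adnet.test/tr?ev=PageView" width="1" height="1" style="display: none">
<form><input name="username"><input type="password" name="password"><input name="ssn_last4"></form></body></html>"""
```

Running `audit_page("https://portal.example-hospital.test/login", SAMPLE_HTML)` flags both constructed tracker hosts and the hidden pixel on a page that reads a password and an SSN fragment.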

GoodRx case highlights corporate deceit around data-sharing

While corporations face losing profit and reputation from data breaches or fines for causing them, individuals face a potentially catastrophic loss of privacy when major health websites harvest and sell their information, according to the Federal Trade Commission (FTC).

In February, the FTC fined popular discount drug and telehealth site GoodRx for “failing to report its unauthorized disclosure of consumer health data to Facebook, Google, and other companies.”

The action to “bar GoodRx from sharing consumers’ sensitive health information for advertising” was the FTC’s first enforcement action under its Health Breach Notification Rule.

“Digital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information,” FTC Bureau of Consumer Protection Director Samuel Levine said in a news release after the settlement. “The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.”

The FTC enforcement against GoodRx revealed a particularly egregious, yet not uncommon, example of how corporate health and medical websites betray patient trust and manipulate patient data, the FTC said.

According to the FTC’s complaint, GoodRx violated the law by improperly sharing sensitive personal health information since at least 2017, though it promised otherwise.

The company “deceptively promised its users that it would never share personal health information with advertisers or other third parties,” the FTC charged, and deceptively displayed a seal at the bottom of its telehealth services homepage “falsely suggesting to consumers that it complied with … HIPAA.”

In reality, the FTC complaint said, GoodRx “monetized its users’ personal health information, and used data it shared with Facebook to target GoodRx’s own users with personalized health- and medication-specific advertisements on Facebook and Instagram.”

For example, GoodRx in August 2019 made lists of its users “who had purchased particular medications such as those used to treat heart disease and blood pressure, and uploaded their email addresses, phone numbers, and mobile advertising IDs to Facebook so it could identify their profiles,” according to the complaint.

“GoodRx then used that information to target these users with health-related advertisements.”

People who used GoodRx coupons to purchase, for instance, Viagra would see ads for erectile dysfunction medication on their Facebook or Instagram pages, the FTC says.

“Similarly, people who had used GoodRx’s telehealth services to get treatment for sexually transmitted diseases would get ads for STD testing services.”

GoodRx disclosed to Facebook the medication purchase data it receives from pharmacy benefit managers and also used the data to target ads.

By using Facebook’s ad targeting platform, the FTC said, “GoodRx designed campaigns that targeted customers with ads based on their health information. For example, if a customer had revealed a possible erectile dysfunction issue to GoodRx, they might have seen an ad on Facebook like Exhibit A in the FTC complaint.”

[Image: Exhibit A. Source: Federal Trade Commission complaint]

In February, California-based GoodRx, a $2.1 billion company, paid a $1.5 million civil penalty to the FTC to settle the complaint and denied any wrongdoing.

Howard Danzig, founder and president of Employers Committed to Control Health Insurance Costs, said “fining GoodRx just $1.5 million dollars is not even a slap on the wrist. While many employers are so vigilant about respecting the guidelines of the HIPAA privacy laws, large tech companies basically get a pass.”

“How about major penalties for Facebook, Google and any others who were the beneficiaries of this information?” he wrote on his LinkedIn page with almost 9,000 followers.

“How about determining whether or not there were any criminal violations that should be pursued against the individuals who actually collaborated to do this? How about ‘REPARATIONS’ from the companies involved to the people and customers whose privacy was breached?”

The data breach occurred for “advertising purposes,” he noted. “How far afield can this really be taken and how far afield has it been taken?”

anon a moos
October 21, 2023 11:52 am

NNOOOOOO!!! If gaggle, microcrap and fakebook all say they are definitely not scraping and harvesting data, you just gotta believe them. They’d never lie.

/s <— for the stupids

mark
October 21, 2023 2:16 pm

UP-PLUGGED is a new phone coming out that I just started looking at.
Supposed to take you private and unplugged…thought I would throw this out in case anyone is interested or knows more about it?

https://www.unplugged.com/upsuite/

BL (in reply to mark)
October 21, 2023 6:10 pm

Mark- I don’t trust that as far as I could throw it, what do you think? Good Merikans should be flipping a flip phone that does nothing but phone calls.

mark (in reply to BL)
October 21, 2023 10:15 pm

BL,

Just saw this today…haven’t done a deep dive on it yet…and I have a tech friend of a like mind researching it.

The devil is always in the details.

That is what I am looking for tech knowledge details.

Posted it for opinions far past my limited tech knowledge…but I believe you can be a ‘Good Merikan’ past just having a flip phone.

When I find out MORE I will post it in an appropriate thread.

BL (in reply to mark)
October 22, 2023 4:20 pm

Mark- Yes, look into this and report. I see the smart phone more as a jailer in the open air prison camp. Too many applications coming in the future for control with iPhones and they expect us to pay the freight for this crap. $1000 for a phone and a couple hundred a month to police ourselves up, no thanks.

Abby says I’m over the line saying throw the darn things in the river, she may live to agree with me one day. Depends on your tolerance level for totalitarian BS.

mark (in reply to BL)
October 22, 2023 8:02 pm

BL,
I always chop my own wood on deep dives…but I put this out to a likeminded friend with a much, much sharper technology ax than me who I rely on in this area…he has made his living on it, and I know for a fact there are many here with razor sharp tech axes far sharper than mine, and maybe his, if any of them get interested and want to post their insights.

So time will tell, and it will take others far past my knowledge to analyze and pass judgement on this supposed private ‘UP-PLUGGED’ phone technology.

There may come a time when a river toss or a hammer is what is needed.

But Boomers like us telling those raised with cell phones and all they know (for everything) will land on deaf EMF ears.

However if this is new/REAL and not Memorex (we remember that) it could be a better alternative than giving advice that will never, ever be followed by generations with their phones glued to their faces (and I don’t mean you Abby).

I have no idea if this is what it could be…yet.

BL (in reply to mark)
October 22, 2023 8:08 pm

THX 1138, either free yourself or enjoy the servitude down the road. This is not advice, this is a clear warning. Like, “DON’T GO into the mine field”.

"Illegally Harvesting Private Health Information"?
October 21, 2023 4:00 pm

🤣🤣🤣

People Willingly Paid for…https://www.23andme.com/dna-ancestry/, Etc.

GUARANTEED THAT INFO was used for creating the SPRAYED Bio-Weapon.

AND the KILL/STERILITY Injection.

BL
October 21, 2023 4:36 pm

I don’t have medical information databased within the last 30 years. My motto is, “Goy, treat thyself”.

If I live through an illness….great. If I succumb to an illness and die at this ripe old age….Oh well. It is my right to reject the medi-kill system.

Anthony Aaron
October 21, 2023 5:30 pm

“As patients or consumers browse their favorite or trusted medical websites or sign in to hospital portals to access their private health records, invisible bits of HTML code — called “tracking pixels” — embedded on the websites harvest private information, such as whether patients have cancer, erectile dysfunction or are behind on their hospital bill.”

This sounds like the actual data harvesting is originating with the portals themselves … which are, ostensibly, under HIPAA and fully under the control of the medical entity that runs it — in my understanding that means that these hospitals, clinics, etc., are the ones actually doing the original selling of our private information.

BigMedical/BigHospitals have done so much to lose our faith in their ‘practices’ and in their ethics … this is just one more log on a very large fire.

emmanuelozon
October 22, 2023 8:51 pm

You mean that when you SIGN IN to ANY website, that website could potentially use the information that YOU give them to do nefarious things with the information YOU gave them?

I don’t believe it.