Some protected health information (PHI) is not as secure as expected. Browsing data related to health topics is shared with Facebook for lead generation.
Some protected health information (PHI) is not as secure as expected, a study has revealed. Researchers reviewed the tactics of five digital medicine companies and the behaviour of cross-site tracking software to demonstrate how browsing data related to health topics is shared with Facebook for lead generation and advertising purposes.
‘The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 to protect sensitive protected health information (PHI) from being disclosed without patient consent.’
“We started doing this research because we want to make sure people understand how they are targeted and followed across different digital platforms, including online health services and social media apps like Facebook,” says co-author Andrea Downing, an independent security researcher and co-founder of the Light Collective, a group created to study cybersecurity risks in the realm of patient privacy. “In my opinion, data gathering and predictive algorithms that are used for advertising and other purposes are one of the biggest threats to online patient communities.”
Cybersecurity in Healthcare
To conduct the analysis, the investigators recruited ten patient advocates and asked them to share data on how some of their online activities were being tracked. The investigators focused on patient advocates working in the hereditary cancer community space, particularly moderators of Facebook-based support groups. The participants were asked to download and share their JavaScript Object Notation (JSON) files. These files reveal how data are shared between web servers and web apps. The investigators used these files to determine how information flows from health-related websites and apps to Facebook for the purposes of targeted advertising.

The investigators focused on five clinical services used by the participants. They reviewed the companies’ websites for third-party ad trackers and looked at whether use of these ad trackers complied with the companies’ own privacy policies. They also looked at Facebook’s ad library for each participant to determine whether health data obtained through these companies influenced the types of ads that the participants were seeing.
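The website review described above can be partly automated: a page is fetched and its HTML is scanned for scripts, images and iframes that load from hosts other than the site's own, with known advertising and analytics hosts flagged by name. The following is an added example written for this article, not code from the study or the Light Collective; the tracker host list, the first-party hostname `example-clinic.test` and the sample HTML are all constructed for illustration, and inline Meta Pixel use is recognised by the presence of an `fbq(` call in script text.

```python
"""Audit an HTML page for third-party tracking resources (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed lookup of hosts commonly used by ad/analytics trackers.
# These entries are assumptions for this example, not a list from the study.
KNOWN_TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel script",
    "www.facebook.com": "Meta Pixel image beacon",
    "www.googletagmanager.com": "Google Tag Manager",
    "www.google-analytics.com": "Google Analytics",
}

# Constructed sample page for a hypothetical clinic site (example-clinic.test).
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script>
  !function(f,b,e,v,n,t,s){}(window, document, 'script',
    'https://connect.facebook.net/en_US/fbevents.js');
  fbq('init', '000000000000000');
  fbq('track', 'PageView');
</script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
</head><body>
<img src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1" height="1" width="1"/>
<img src="https://cdn.example-clinic.test/logo.png">
</body></html>
"""


class ResourceCollector(HTMLParser):
    """Collects external resource URLs and the bodies of inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.resources = []        # (tag, src) for script/img/iframe tags with a src
        self.inline_scripts = []   # text of <script> blocks that have no src
        self._inline_buf = None

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "img", "iframe"):
            return
        src = dict(attrs).get("src")
        if src:
            self.resources.append((tag, src))
        elif tag == "script":
            self._inline_buf = []   # start buffering inline script text

    def handle_data(self, data):
        if self._inline_buf is not None:
            self._inline_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline_buf is not None:
            self.inline_scripts.append("".join(self._inline_buf))
            self._inline_buf = None


def is_first_party(host, first_party_host):
    """True for the site's own host and its subdomains (e.g. a CDN subdomain)."""
    return host == first_party_host or host.endswith("." + first_party_host)


def find_third_party_resources(html, first_party_host):
    """Return one finding per resource loaded from a host other than the site's own."""
    parser = ResourceCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for tag, src in parser.resources:
        host = urlsplit(src).hostname   # None for relative URLs such as /static/app.js
        if not host or is_first_party(host, first_party_host):
            continue
        findings.append({"tag": tag, "host": host,
                         "tracker": KNOWN_TRACKER_HOSTS.get(host, "unknown third party")})
    # The pixel loader is often injected by inline JavaScript rather than a src attribute,
    # so the fbq() call is the reliable signal for it.
    for body in parser.inline_scripts:
        if "fbq(" in body:
            findings.append({"tag": "script", "host": "(inline)",
                             "tracker": "Meta Pixel inline fbq() call"})
    return findings


def tracker_names(html, first_party_host):
    """Sorted, de-duplicated tracker labels found on the page."""
    return sorted({f["tracker"] for f in find_third_party_resources(html, first_party_host)})


if __name__ == "__main__":
    for finding in find_third_party_resources(SAMPLE_HTML, "example-clinic.test"):
        print(f"{finding['tag']:<7} {finding['host']:<28} {finding['tracker']}")
```

Run against the sample page, the script reports the Google Tag Manager script, the Meta Pixel image beacon and the inline `fbq()` call, while the logo served from the clinic's own CDN subdomain is ignored as first party. Comparing that list with what the site's privacy policy discloses is the manual step the study describes.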
“We constantly get bombarded by these ads,” Downing says. “Our question is, why they are being served up to us, and what information do these third parties have in order to serve up these ads?”
The five companies included in the analysis provide information or services (including genetic testing) related to inherited cancer risk. The investigators determined that two of the companies targeted ads but were consistent with their own privacy policies. The other three did not comply with their own policies and claims of privacy. “This loss of privacy can cause harm in the wrong hands, from people who want to scam the patient community or target them with misinformation,” Downing says.
This is the first peer-reviewed study from the Light Collective, which was founded in 2019 to study issues around patient privacy and digital media. Earlier this summer, the Light Collective brought their research to the Markup, a nonprofit news organization focused on the intersection of technology and society. The Markup published a related study about how hospitals share sensitive medical information collected on their websites with advertisers.
Eric Perakslis, Executive Director at the Center for Biomedical Informatics at Duke University, was the other co-author of the Patterns paper.