96% of US hospital websites share visitor info with Meta, Google, data brokers

Could have been worse – last time researchers checked it was 98.6%


Hospitals – despite being places where people implicitly expect to have their personal details kept private – frequently use tracking technologies on their websites to share user information with Google, Meta, data brokers, and other third parties, according to research published today.

Academics at the University of Pennsylvania analyzed a nationally representative sample of 100 non-federal acute care hospitals – essentially traditional hospitals with emergency departments – and their findings were that 96 percent of their websites transmitted user data to third parties.

Additionally, not all of these websites even had a privacy policy. And of the 71 percent that did, 56 percent disclosed specific third-party companies that could receive user information.

"It's shocking, and really kind of incomprehensible," said Dr Ari Friedman, an assistant professor of emergency medicine at the University of Pennsylvania, who – along with Matthew McCoy, Angela Wu, Sam Burdyl, Yungjee Kim, Noell Kristen Smith, and Rachel Gonzales – authored the paper.

"People have cared about health privacy for a really, really, really long time," Friedman noted in an interview with The Register. "It's very fundamental to human nature. Even if it's information that you would have shared with people, there's still a loss, just an intrinsic loss, when you don't even have control over who you share that information with."


The researchers' latest work builds on a study they published a year ago of 3,747 US non-federal hospital websites. That found 98.6 percent tracked and transferred visitors' data to large tech and social media companies, advertising firms, and data brokers.

To find the trackers on websites, the team checked out each hospital's homepage on January 26 using webXray, an open source tool that detects third-party HTTP requests and matches them to the organizations receiving the data. They also recorded the number of third-party cookies per page.
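For site owners who want to run the same kind of check on their own pages, here is an added sketch of the approach described above. It is not webXray's code or the researchers' code. The owner map is a small illustrative subset, the `set_cookie` field is a hypothetical record format, and the sample requests are constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Small illustrative owner map (assumption: a real audit needs a far larger,
# maintained domain-to-organization database).
OWNERS = {
    "google-analytics.com": "Alphabet (Google)",
    "googletagmanager.com": "Alphabet (Google)",
    "facebook.net": "Meta",
    "facebook.com": "Meta",
    "hotjar.com": "Hotjar",
}

def site(host):
    """Naive registrable domain (last two labels); use the Public Suffix List in practice."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def audit(page_url, entries):
    """Group third-party requests and the cookies they set by receiving organization."""
    first_party = site(urlsplit(page_url).hostname)
    report = defaultdict(lambda: {"requests": 0, "cookies": 0, "domains": set()})
    for entry in entries:
        domain = site(urlsplit(entry["url"]).hostname)
        if domain == first_party:
            continue  # same site as the page: not a third-party transfer
        row = report[OWNERS.get(domain, "unidentified")]
        row["requests"] += 1
        row["cookies"] += len(entry.get("set_cookie", []))
        row["domains"].add(domain)
    return dict(report)

# Constructed sample: requests recorded while loading one homepage.
SAMPLE_PAGE = "https://www.hospital.example/"
SAMPLE_ENTRIES = [
    {"url": "https://www.hospital.example/css/site.css", "set_cookie": ["session"]},
    {"url": "https://cdn.hospital.example/logo.png", "set_cookie": []},
    {"url": "https://www.googletagmanager.com/gtm.js", "set_cookie": []},
    {"url": "https://www.google-analytics.com/collect", "set_cookie": ["c1"]},
    {"url": "https://connect.facebook.net/en_US/fbevents.js", "set_cookie": []},
    {"url": "https://www.facebook.com/tr", "set_cookie": ["c2"]},
    {"url": "https://t.tracker.example/p.gif", "set_cookie": ["c3", "c4"]},
]

if __name__ == "__main__":
    for owner, row in sorted(audit(SAMPLE_PAGE, SAMPLE_ENTRIES).items()):
        print(owner, row["requests"], row["cookies"], sorted(row["domains"]))
```

Domains missing from the owner map land in the "unidentified" bucket, which is the category to review first when auditing a page.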

Who is viewing your data?

One name in particular stood out, in terms of who was receiving website visitors' information.

"In every study we've done, in any part of the health system, Google, whose parent company is Alphabet, is on nearly every page, including hospitals," Friedman observed.

"From there, it declines," he continued. "Meta was on a little over half of hospital webpages, and the Meta Pixel is notable because it seems to be one of the grabbier entities out there in terms of tracking."

Both Meta and Google's tracking technologies have been the subject of criminal complaints and lawsuits over the years – as have some healthcare companies that shared data with these and other advertisers. 

In addition, between 20 and 30 percent of the hospitals share data with Adobe, Friedman noted. "Everybody knows Adobe for PDFs. My understanding is they also have a tracking division within their ad division."

Others include telecom and digital marketing companies like The Trade Desk and Verizon, plus tech giants Oracle, Microsoft, and Amazon, according to Friedman. There are also analytics firms including Hotjar and data brokers such as Acxiom.

"And two thirds of hospital websites had some kind of data transfer to a third-party domain that we couldn't even identify," he added.

Of the 71 hospital website privacy policies that the team found, 69 addressed the types of user information that were collected. The most common were IP addresses (80 percent), web browser name and version (75 percent), pages visited on the website (73 percent), and the website from which the user arrived (73 percent).

Only 56 percent of these policies identified the third-party companies receiving user information.

While this puts hospital website visitors at risk of having their data collected and shared with others that they may not want, it also poses a risk to the hospitals themselves, the researchers noted.

Hospitals aren't legally required to publish website privacy policies that detail how they collect visitors' data and with whom they share it. But if they do have a privacy policy, they had better make sure their processes on deleting personal information upon request, for example, follow the government policies – or they could face the wrath of regulators like the Federal Trade Commission.

"Websites that collect specific categories of information from certain users may also be subject to other federal and state-specific requirements in terms of data collection and notice," the paper warns.

"While the suit against Mass General Brigham and the Dana Farber Cancer Institute was brought under Massachusetts law, plaintiffs have brought similar class action lawsuits in multiple states."

Mass General Brigham ended up paying an $18.4 million settlement to resolve a class action lawsuit that alleged the institutions shared personally identifiable information about patients to Facebook, Google, and other companies.

A fundamental rethink

Of course, the data privacy threat extends beyond hospital websites, as Friedman is quick to point out.

"Why do hospitals have tracking on their webpages?" he wondered. "It's not that they're taking kickbacks from Google and Acxiom, data brokers and advertisers and social media companies that sell their patients' data in exchange for money.

"They're doing it because this stuff is ubiquitous across the whole web. They're doing it because there's an entire tens of billions of dollars ad economy."

While it presents a major challenge for healthcare providers in general and hospitals specifically, it's also an opportunity.

"Many hospitals are academic hospitals and have computer science departments that they could collaborate with, and design new tools and startups, which is something universities are good at doing," Friedman noted. "Build a new web that doesn't involve as much tracking."

But in the meantime, and in lieu of any federal data privacy law in the US, protecting personal information falls to the individual. And for that, Friedman recommends browser-based tools Ghostery and Privacy Badger, which identify and block transfers to third-party domains.

"It impacts your browsing experience almost none," he explained. "It's free. And you will be shocked at how much tracking is actually happening, and how much data is actually flowing to third parties." ®
