The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 to protect sensitive protected health information (PHI) from being disclosed without patient consent. But a study published August 15 in the journal Patterns shows that some PHI is not as secure as expected. Researchers reviewed the tactics of five digital medicine companies and the actions of cross-site tracking software to demonstrate how browsing data related to health topics is shared with Facebook for lead generation and advertising purposes.
“We started doing this research because we want to make sure people understand how they are targeted and followed across different digital platforms, including online health services and social media apps like Facebook,” says co-author Andrea Downing, an independent security researcher and co-founder of the Light Collective, a group created to study cybersecurity risks in the realm of patient privacy. “In my opinion, data gathering and predictive algorithms that are used for advertising and other purposes are one of the biggest threats to online patient communities.”
To conduct the analysis, the investigators recruited ten patient advocates and asked them to share data on how some of their online activities were being tracked. The investigators focused on patient advocates working in the hereditary cancer community space, particularly moderators of Facebook-based support groups. The participants were asked to download and share their JavaScript Object Notation (JSON) files. These files reveal how data are shared between web servers and web apps. The investigators used these files to determine how information flows from health-related websites and apps to Facebook for the purposes of targeted advertising.
The investigators focused on five clinical services used by the participants. They reviewed the companies’ websites for third-party ad trackers and looked at whether use of these ad trackers complied with the companies’ own privacy policies. They also looked at Facebook’s ad library for each participant to determine whether health data obtained through these companies influenced the types of ads that the participants were seeing.
“We constantly get bombarded by these ads,” Downing says. “Our question is, why they are being served up to us, and what information do these third parties have in order to serve up these ads?”
The five companies included in the analysis provide information or services (including genetic testing) related to inherited cancer risk. The investigators determined that two of the companies targeted ads but were consistent with their own privacy policies. The other three did not comply with their own policies and claims of privacy. “This loss of privacy can cause harm in the wrong hands, from people who want to scam the patient community or target them with misinformation,” Downing says.
This is the first peer-reviewed study from the Light Collective, which was founded in 2019 to study issues around patient privacy and digital media. Earlier this summer, the Light Collective brought their research to the Markup, a nonprofit news organization focused on the intersection of technology and society. The Markup published a related study about how hospitals share sensitive medical information collected on their websites with advertisers.
“We recognize that this is a small sampling that only scratched the surface, and clearly much more research is needed here,” Downing says. “We want to put this study in the hands of data scientists and to partner with researchers who can expand upon it. There is clearly a much-needed dialogue in this country about the state of health privacy and how it affects all patient populations.”
Eric Perakslis, Executive Director at the Center for Biomedical Informatics at Duke University, was the other co-author of the Patterns paper.
###
This research was supported by the Robert Wood Johnson Foundation Pioneering Ideas Program.
Patterns, Downing et al. “Health Advertising on Facebook: Privacy & Policy Considerations” https://www.cell.com/patterns/fulltext/S2666-3899(22)00172-6
Patterns (@Patterns_CP), published by Cell Press, is a data science journal publishing original research focusing on solutions to the cross-disciplinary problems that all researchers face when dealing with data, as well as articles about datasets, software code, algorithms, infrastructures, etc., with permanent links to these research outputs. Visit: https://www.cell.com/patterns. To receive Cell Press media alerts, please contact press@cell.com.