Almost 99 percent of hospital websites give patient data to advertisers

Outside companies have a troubling amount of access to users' medical information, according to new research.
Of over 3,700 hospitals surveyed, almost 99 percent used third-party tracking codes on their websites.

Last summer, The Markup published a study revealing that roughly one-third of the websites of Newsweek’s top 100 hospitals in America utilized the Meta Pixel. Through it, a small bit of code provided the namesake social media giant with patients’ “medical conditions, prescriptions, and doctor’s appointments” for advertising purposes.

The most recent deep dive into third-party data tracking on medical websites, however, shows the practice is even more widespread. According to researchers at the University of Pennsylvania, you would be hard-pressed to find a hospital website that doesn’t include some form of data tracking for its visitors.

As detailed in a new study published in Health Affairs, a survey of 3,747 non-federal, acute care hospitals with emergency departments taken from a 2019 American Hospital Association survey showed that nearly 99 percent used at least one type of website tracking code that offered data to third parties. Around 94 percent of those same facilities included at least one third-party cookie. Outside companies receiving the most data included Google owner Alphabet (98.5 percent), Meta (55.6 percent), and Adobe Systems (31.4 percent). Other third parties regularly included AT&T, Verizon, Amazon, Microsoft, and Oracle.

The Health Insurance Portability and Accountability Act (HIPAA) prohibits data tracking “unless certain conditions are met,” according to The HIPAA Journal. That said, the Journal explains that most third parties receiving the data aren’t HIPAA-regulated, so the transferred data’s uses and disclosures are “largely unregulated.”

“The transferred information could be used for a variety of purposes, such as serving targeted advertisements related to medical conditions, health insurance, or medications,” explains The HIPAA Journal before cautioning, “What actually happens to the transferred data is unclear.”

In an emailed statement provided to PopSci, Marcus Schabacker, President and CEO of the independent healthcare monitoring nonprofit ECRI, says they are “deeply disturbed” by the study’s results. “Besides the severe violation of privacy, ECRI is concerned this data will allow nefarious, bad actors to target vulnerable people living with severe health conditions with advertisements for non-evidence-based snake oil ‘treatments’ that cost money and do nothing—or worse, cause injury or death,” Schabacker adds.

The ECRI urged hospitals to “immediately” stop data tracking by removing third-party code and “along with advertisers, take responsibility or be held liable for any harm that can be traced back to a data sharing arrangement.” Additionally, Schabacker argued that the revelations once again underscored the need to update health tech and information regulations, including HIPAA, which they allege does not address many “questionable practices” that have arisen with near-ubiquitous pixel-tracking strategies.

As The HIPAA Journal also notes, litigation is all but assured. In 2021, three Boston-area hospitals agreed to pay over $18 million to settle allegations they shared users’ data with third parties without patients’ consent, and the Journal notes that “many more lawsuits against healthcare providers are pending.”