Medical companies share patients data with tech companies

A California healthcare company, Kaiser Permanente, recently informed millions of its clients that their personal information had been improperly shared with tech companies.

What Kaiser Permanente reported:

  • The company's websites and apps may have improperly transmitted users' personal information to companies such as Google, Microsoft, and X (formerly Twitter).
  • The company plans to notify 13.4 million current and former patients about the breach over the next month.
  • The incident has been classified as an “unauthorized” data disclosure, including users’ names and search queries.
  • Federal authorities have increased scrutiny of tracking technologies used by healthcare companies, emphasizing the importance of protecting patient data.
  • Kaiser Permanente apologized for the data leak, removed trackers from its websites and apps, and emphasized that financial information and login credentials were not shared with third parties.

An analysis by Bloomberg News revealed that similar online trackers are still present on the websites of leading healthcare companies in the USA, a fact of which millions of their patients are unaware.

According to the study, Facebook (Meta) trackers could have accessed patients' birthdates and phone numbers on the website of the Cigna Group's pharmacy unit. Users registering accounts with the pharmacy unit of UnitedHealth Group Inc. might have unknowingly disclosed their Social Security numbers to the marketing service of Adobe Inc. The websites of CVS Health Corp. units allowed the analytics company Quantum Metric to read Social Security numbers, passwords, and birth dates.

The leak of personal data, such as birth dates, phone numbers, and Social Security numbers, poses a significant threat due to the risk of identity theft, financial fraud, privacy violations, and decreased trust in healthcare institutions. Criminals can use this data for illegal financial transactions and identity theft, leading to serious consequences for the affected individuals.

Data Leakage

"Using trackers like the Facebook tracker on your site raises serious privacy concerns," says Justin Sherman, founder of the consulting firm Global Cyber Strategies.

On nine out of ten of the largest companies' websites dealing with health insurance, hospitals, and laboratories, advertising and analytics trackers were installed on registration or login pages. These trackers can transmit personal data to third-party companies. Bloomberg News verified these sites using a browser tool from the company Feroot Security, which helps companies find and remove web trackers.

Feroot Security is a cybersecurity company providing solutions to protect web applications and user data from threats. They offer tools for monitoring and protecting against client-side attacks such as JavaScript attacks and scripting threats.

Healthcare Companies with the Most Trackers

Number of trackers on login and registration pages. Trackers can transmit personal information to third-party companies.

A representative from Meta emphasized that their system prohibits advertisers from transmitting sensitive personal data through the company’s tools, and that the system is designed to filter it out when detected. CVS Health reported that the company employs controls that limit or encrypt identifiable information before it is shared with third-party vendors.

Meta's advertising platform automatically detects and blocks the use of personal information uploaded by advertisers, such as phone numbers and email addresses.

Representatives from Cigna, UnitedHealth, Adobe, and Quantum Metric did not provide comments or declined to comment.

Data Collection by Advertising Platforms

Privacy experts warn that trackers on medical sites and apps can transmit personal information such as receiving Viagra prescriptions, pregnancy, or mental health treatment to advertisers and data brokers without patients’ consent.

In a broader study conducted by Feroot last year, it was found that 86% of healthcare and telemedicine websites collect data without user consent and transmit it to large tech companies. Another study published in the JAMA journal this year showed that out of 100 hospital sites, 96 transmitted information to third parties, and most did not specify in their privacy policies where the data was directed.

Federal regulators have been trying to stop the collection of personal data on healthcare sites for several years. The US Federal Trade Commission (FTC) fined several companies for sharing user data. The Department of Health and Human Services (HHS) issued guidance indicating that online trackers may violate federal privacy rules.

Teladoc Health Inc.’s unit BetterHelp was barred from transmitting user health data to social networks. This came as part of an FTC investigation, which accused BetterHelp of violating user data privacy and transmitting sensitive data, including responses to mental health surveys, email addresses, and IP addresses, for advertising purposes. The company was required to pay $7.8 million to settle the charges. BetterHelp stated that it did not admit wrongdoing and that it did not transmit names or clinical session data to advertisers.

In response, healthcare companies have turned to the courts, challenging the HHS stance and claiming it exceeded its authority. They also noted that some government websites use similar technology. In June, a Texas judge ruled against the HHS, limiting its authority to fine healthcare companies for using trackers.

Privacy Experts

A $250 Billion Market

Trackers collecting personal data are widespread on the Internet. They are also known as pixels, and for most users, they remain unnoticed. However, tech companies and data brokers use them to gather information about users' online behavior.

Data brokers are companies that collect, analyze, and sell information about people and their behavior. They obtain data from various sources such as websites, social networks, public records, stores, and apps. This data may include purchase information, online activity, demographic data, and more. Data brokers process and analyze this information to create detailed profiles, which they then sell to other companies for marketing, advertising, and other purposes. Examples of such companies: Acxiom, Experian, Equifax, CoreLogic, Dun & Bradstreet. In Russia, the market for such companies is not developed, and such activities are mainly carried out by divisions of companies: DoubleData, Interfax SPARK, MTS Marketer, SberMarketing, MegaFon Target.

Data Brokers

Experts estimate the market volume of this data in the US at approximately $250 billion.

Sometimes the details are indicated in fine print. For example, in the privacy policy of the Aetna unit of CVS, it is stated that the company collects Social Security numbers, internet addresses, demographic data, and other information. Its trackers can record actions such as “page views, mouse movements, scrolling, text input,” and other site browsing data.

According to Sherman and other cybersecurity experts, the use of trackers on healthcare sites, where confidential data is processed, raises serious privacy concerns and may violate federal rules aimed at protecting patient health information.

According to last year's report by Feroot, about 15% of healthcare-related websites could read precise keystrokes on login pages. This means they could collect Social Security numbers, usernames, passwords, email addresses, appointment times, account information, and medical diagnoses.
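As an added example (not code from the article, Bloomberg, or Feroot), the following audit mirrors the two checks described above: which third-party domains a login or registration page loads, and whether any of them are scripts, which run inside the page and can observe typed input, as opposed to image pixels, which only reveal the page URL, referrer, and cookies. The resource list and domain names are constructed; in a browser they would come from document.scripts, document.images, or performance.getEntriesByType('resource').

```javascript
// Crude registrable-domain helper: the last two labels of the hostname.
// Assumption: no public-suffix list, so "co.uk"-style suffixes are not handled.
function registrableDomain(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

// resources: [{ type: 'script' | 'iframe' | 'img' | 'xhr' | ..., url }]
// hasCredentialFields: true when the page contains password or SSN inputs.
function auditLoginPage(pageUrl, resources, hasCredentialFields) {
  const pageDomain = registrableDomain(new URL(pageUrl).hostname);
  const byDomain = new Map(); // domain -> { exec: n, pixels: n, other: n }
  for (const { type, url } of resources) {
    let parsed;
    try { parsed = new URL(url, pageUrl); } catch { continue; }
    if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') continue;
    const domain = registrableDomain(parsed.hostname);
    if (domain === pageDomain) continue; // first-party resources are out of scope here
    const entry = byDomain.get(domain) || { exec: 0, pixels: 0, other: 0 };
    if (type === 'script' || type === 'iframe') entry.exec += 1; // can run code in the page
    else if (type === 'img') entry.pixels += 1;                  // tracking pixel
    else entry.other += 1;                                       // fetch/xhr/beacon etc.
    byDomain.set(domain, entry);
  }
  const scriptDomains = [...byDomain].filter(([, e]) => e.exec > 0).map(([d]) => d).sort();
  const pixelOnlyDomains = [...byDomain].filter(([, e]) => e.exec === 0).map(([d]) => d).sort();
  // Any third-party script on a page with credential fields can read what is typed
  // (the keystroke-reading case above); pixels alone still reveal that the page was visited.
  let risk = 'low';
  if (byDomain.size > 0) risk = 'medium';
  if (hasCredentialFields && scriptDomains.length > 0) risk = 'high';
  return { pageDomain, scriptDomains, pixelOnlyDomains, risk };
}

// Constructed sample: a login page loading one third-party analytics script and one ad pixel.
const SAMPLE_RESOURCES = [
  { type: 'script', url: 'https://portal.example-health.test/static/app.js' },
  { type: 'script', url: 'https://cdn.analytics-vendor.test/replay.js' },
  { type: 'img',    url: 'https://px.ads-vendor.test/pixel.gif?ev=PageView' },
  { type: 'xhr',    url: 'https://api.example-health.test/session' },
];

console.log(auditLoginPage('https://portal.example-health.test/login', SAMPLE_RESOURCES, true));
```

A result of 'high' is the situation the article describes: a script from another domain is present on a page where patients type credentials or identifiers, so removing or blocking that script (for example with a Content-Security-Policy script-src restricted to first-party origins) is the remediation to verify.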

Rise in Lawsuits

The lawsuit against Kaiser Permanente alleges that trackers collected names, internet addresses, and search queries, sending them to Google (Alphabet Inc), the social network X, and the search engine Bing (Microsoft Corp). These trackers were placed on password-protected pages, allowing tech companies to create more targeted ads based on user behavior. The complaint was filed in federal court in the Northern District of California in June 2023.

Roskomnadzor regularly identifies numerous cases of personal data leaks from various Russian companies, including online stores and social networks. These leaks are often associated with the installation of trackers and data collection without proper user notification. Here is one example.

Kaiser stated that the company conducted an internal investigation and removed trackers from its websites and mobile apps. The company sought to have the case dismissed and declined to comment on the lawsuit. Microsoft stated that its policy prohibits the use of medical information for advertising purposes.

Google said that its measurement tools clients, such as Google Analytics, own the collected data, and the company itself does not use it for search engine ad targeting. The company’s policy prohibits clients from using Google Analytics to collect protected health information, and it also prohibits advertising based on health data or other sensitive information, a Google spokesperson said.

Another lawsuit against the Blue Cross Blue Shield Association, filed in November in federal court in Illinois, alleges that a website used for federal employees sent data to TikTok owned by ByteDance Ltd. and other tech companies. This data included users’ search queries on topics such as mental health or pregnancy. The complaint also notes that TikTok itself is banned on federal government phones for national security reasons.

The association sought to have the lawsuit dismissed and declined to comment. A TikTok representative also did not comment on the lawsuit, citing the company’s policy that the pixel should not be placed on sites that may contain personal health information.

According to Ivan Tsarynny, CEO of Feroot, some healthcare companies removed trackers from their sites due to increased pressure. He also noted that he expects more companies to disclose data breaches related to the use of trackers, as Kaiser Permanente did.

It is not always clear where the data collected by trackers goes.

"We don't always know what the goals of such surveillance are," notes Charlotte Tschider, professor of cybersecurity law at Loyola University in Chicago. "It is possible that even the medical organizations themselves do not fully understand their actions."
