Open the website of Workit Health, and the path to treatment starts with a simple intake form: Are you in danger of harming yourself or others? If not, what’s your current opioid and alcohol use? How much methadone do you use?
Within minutes, patients looking for online treatment for opioid use and other addictions can complete the assessment and book a video visit with a provider licensed to prescribe Suboxone and other drugs.
But what patients probably don’t know is that Workit was sending their delicate, even intimate, answers about drug use and self-harm to Facebook.
A joint investigation by STAT and The Markup of 50 direct-to-consumer telehealth companies like Workit found that quick, online access to medications often comes with a hidden cost for patients: Virtual care websites were leaking sensitive medical information they collect to the world’s largest advertising platforms.
On 13 of the 50 websites, STAT and The Markup documented at least one tracker — from Meta, Google, TikTok, Bing, Snap, Twitter, LinkedIn, or Pinterest — that collected patients’ answers to medical intake questions. Trackers on 25 sites, including those run by industry leaders Hims & Hers, Ro, and Thirty Madison, told at least one big tech platform that the user had added an item like a prescription medication to their cart, or checked out with a subscription for a treatment plan.
The trackers that STAT and The Markup were able to detect, and the information those trackers sent, represent a floor, not a ceiling. Companies choose where to install trackers on their websites and how to configure them. Different pages of a company’s website can have different trackers, and this analysis did not test every page on each company’s site.
All but one website examined sent URLs users visited on the site and their IP addresses — akin to a mailing address for a computer, which can be used to link information to a specific patient or household — to at least one tech company. The only telehealth platform that the analysis did not find sharing data with outside tech giants was Amazon Clinic, a platform recently launched by Amazon.
Health privacy experts and former regulators said sharing such sensitive medical information with the world’s largest advertising platforms threatens patient privacy and trust and could run afoul of unfair business practices laws. They also emphasized that privacy regulations like the Health Insurance Portability and Accountability Act (HIPAA) were not built for telehealth. That leaves “ethical and moral gray areas” that allow for the legal sharing of health-related data, said Andrew Mahler, a former investigator at the U.S. Department of Health and Human Services’ Office for Civil Rights.