96% Of Hospitals Share Sensitive Visitor Data With Meta, Google, and Data Brokers

from the greed-has-broken-everything dept

I’ve mentioned more than a few times how the singular hyperventilation about TikTok is kind of a silly distraction from the fact that the United States is too corrupt to pass a modern privacy law, resulting in no limit to the dodgy behavior, abuse, and scandal. We have no real standards thanks to corruption, and most people have no real idea of the scale of the dysfunction.

Case in point: a new study out of the University of Pennsylvania (hat tip to The Register) analyzed a nationally representative sample of 100 U.S. hospitals, and found that 96 percent of them were doling out sensitive visitor data to Google, Meta, and a vast coalition of dodgy data brokers.

Hospitals, it should be clear, aren’t legally required to publish website privacy policies that clearly detail how and with whom they share visitor data. Again, because we’re too corrupt as a country to require and enforce such requirements. The FTC does have some jurisdiction, but it’s too short staffed and under-funded (quite intentionally) to tackle the real scope of U.S. online privacy violations.

So the study found that a chunk of these hospital websites didn’t even have a privacy policy. And of the ones that did, about half the time the over-verbose pile of ambiguous and intentionally confusing legalese didn’t really inform visitors that their data was being transferred to a long list of third parties. Or, for that matter, who those third parties even are:

“…we found that although 96.0% of hospital websites exposed users to third-party tracking, only 71.0% of websites had an available website privacy policy…Only 56.3% of policies (and only 40 hospitals overall) identified specific third-party recipients.”

Data in this instance can involve everything from email and IP addresses to what you clicked on, what you researched, demographic info, and location. This was all a slight improvement from a study they did a year earlier showing that 98 percent of hospital websites shared sensitive data with third parties. The professors clearly knew what to expect, but were still disgusted in comments to The Register:

“It’s shocking, and really kind of incomprehensible,” said Dr Ari Friedman, an assistant professor of emergency medicine at the University of Pennsylvania. “People have cared about health privacy for a really, really, really long time. It’s very fundamental to human nature. Even if it’s information that you would have shared with people, there’s still a loss, just an intrinsic loss, when you don’t even have control over who you share that information with.”

If this data is getting into the hands of dodgy international and unregulated data brokers, there’s no limit to the places it can end up. Brokers collect a huge array of demographic, behavioral, and location data, use it to create detailed profiles of individuals, then sell access in a million different ways to a long line of additional third parties, including the U.S. government and foreign intelligence agencies.

There should be hard requirements about transparent, clear, and concise notifications of exactly what data is being collected and sold and to whom. There should be hard requirements that users have the ability to opt out (or, preferably in the cases of sensitive info, opt in). There should be hard punishment for companies and executives that play fast and loose with consumer data.

And we have none of that because our lawmakers decided, repeatedly, that making money was more important than market health, consumer welfare, and public safety. The result has been a parade of scandals that skirt ever closer to people being killed, at scale.

So again, the kind of people that whine about the singular privacy threat that is TikTok (like say FCC Commissioner Brendan Carr, or Senator Marsha Blackburn) — but have nothing to say about the much broader dysfunction created by rampant corruption — are advertising they either don’t know what they’re talking about, or aren’t addressing the full scope of the problem in good faith.

Companies: google, meta


Comments on “96% Of Hospitals Share Sensitive Visitor Data With Meta, Google, and Data Brokers”

15 Comments
That Anonymous Coward (profile) says:

Re: Re:

What the EFF taught me…

https://www.eff.org/deeplinks/2013/06/why-metadata-matters

They don’t know if you feel a burning sensation down there, but they know you searched for STI testing locations.

They don’t know you have depression, but they know you looked up a therapist and the side effects of common antidepressants.

They don’t know you were sexually assaulted, but they know you looked up where to get plan b.

They don’t know you have a cardiac condition, but hey they know you searched for cardiologists.

Anonymous Coward says:

Re: Re: Re:2

I’m sure Congress will get right on that. /s

Actually, if Congress has an unusually high rate of sexually transmitted infections, the thought of that data being leaked might be exactly what finally causes them to act. See the history of the Video Privacy Protection Act, in which they freaked out when they thought their video-rental histories might get out (we can only speculate why).

Anonymous Coward says:

Re: Re:

Because the information isn’t medical. It’s website visit info.

This is quite a misleading post title, then, because it says nothing about web sites. It makes it seem like it’s about hospital visitors—particularly given the word “sensitive”.

Also, it’s 96% of U.S. hospitals (assuming the tested sample is representative). There are hospitals in other countries, some of which have strong privacy laws. And it probably would be interesting to compare their sites against the American ones.

Anonymous Coward says:

Re:

Why do you think it isn’t? Until now people weren’t paying attention.

Many of them probably will hide behind exceptions for data analysis and utilization and consent from a TOS that 71% have that don’t really apply, but serve as a fig leaf. If anyone even tries to hold them to account, which they won’t, because laws don’t exist to protect you. They exist to protect the hospitals.

Anonymous Coward says:

Anyone “shocked” by this has not been paying attention to anything for a long time. Our healthcare system, like everything else in this Casino Nation of ours, is designed to funnel money to the wealthy.

It costs money to develop a privacy policy and keep it updated. That’s just another piece of perpetual overhead, that does nothing to pad the pockets of the owners.

Likewise, paying someone to engineer a website from scratch costs more than having them pull a bunch of off-the-shelf libraries from shady third parties.

They don’t have money to take care of patients. Increasingly, they don’t have money to keep their doors open. Every dollar spent on patient privacy is a dollar that private equity can’t squeeze from the medical system.

None of this is surprising. This is literally what our economic model incentivizes.

Anonymous Coward says:

Re:

“They don’t have money to take care of patients. Increasingly, they don’t have money to keep their doors open.”

The (red) state laws are responsible for medical staff leaving the (red) state and, for some, the profession. People are being turned away from the ER because the state laws say medical procedures that may be needed are illegal and said medical staff could be prosecuted and incarcerated … for saving lives.

It is not about money, it is total politics and disgusting.
