Online privacy violations do real harm to patients

Ari Friedman

Ari Friedman (Photo courtesy of Hoag Levins)

A new study shows third-party tracking occurs on nearly all hospital websites, buttressing recent news coverage about consumers’ loss of privacy when they browse for health information online.

In fact, nearly all U.S. hospital websites have been sharing potentially sensitive medical information about their visitors with tech companies, data brokers and advertising firms, according to a University of Pennsylvania analysis published in Health Affairs.

(You can read interviews with journalists covering those privacy breaches here and here.)

The paper says data transfers are likely to make vulnerable patients targets of health scams.

Although no one has documented specific instances, it’s clear that machine learning can identify web users who are more likely to click on deceptive ads, said lead study author Ari Friedman, M.D., Ph.D. Friedman is an assistant professor of emergency medicine, medical ethics and health policy at the University of Pennsylvania and is a co-founder of the Penn-CMU Digital Health Privacy Initiative.

For instance, Friedman said, “older adults with cognitive impairment and multiple chronic health conditions may both have more demand for health products and less ability to differentiate between legitimate pharmaceutical advertising and sham health cures.”

Respect as a quality concern

His team also highlighted a less tangible type of harm: the violation of a person’s privacy, or “dignitary harm.” Medical literature defines this as harm stemming from disrespectful, humiliating or dismissive behavior on the part of a health care system or provider.

Dignitary harm has been gaining the attention of patient safety researchers, who debate whether and how to include it in monitoring and quality improvement, similar to medical errors.

Other examples cited in literature are failures to communicate important health information, humiliating someone because of their weight, lack of care coordination, allowing a patient to be exposed unnecessarily, not using a person’s preferred name or gender, or losing someone’s valuables.

While nothing new, disrespectful behavior is increasingly scrutinized as a factor in patient safety “because it creates conditions in which medical errors are more likely to occur,” according to a recent paper by ethics researchers in the United Kingdom.

For example, researchers wrote, serious or repeated affronts may inhibit patients from having “full and frank” discussions with their doctors or cause them to disengage from health care altogether.

Other experts argue that given health care’s profound role in people’s lives, disrespectful acts can cause emotional harm that should be taken into account even when it doesn’t lead to physical injury.

With online data, Friedman said, “It’s easy to get lost in the more pragmatic explanations for why privacy is important — that it allows advertisers to track you and potentially sell you low-value or snake oil products, for instance — and lose track of the deeper and more intrinsic desire to have some control over what things we share with others.”

Legal backlash

Aside from the patient safety discourse, legal and policy circles have recognized damage from third-party tracking.

Just over a year ago, Mass General Brigham in Boston agreed to an $18.4 million class-action settlement for using tracking tools without prior consent of website visitors. The health system did not admit wrongdoing.

In December 2022, the U.S. Department of Health and Human Services Office for Civil Rights cautioned that some tracking violates HIPAA privacy protections, stating that disclosure of personal health information “may result in a wide range of harms such as identity theft, financial loss, discrimination, stigma, mental anguish, or other serious negative consequences.”

Some are pushing for more safeguards around personal health data.

Vox covered how last year’s overturning of Roe v. Wade heightened interest in privacy protections over concern that technology such as period-tracking apps could be used to target women who seek abortions. The American Data Privacy and Protection Act, which would have allowed consumers to opt out of tracking, passed a House committee in 2022 but failed to make it into law.

Marcus Schabacker, M.D., Ph.D., president and CEO of ECRI, a nonprofit patient safety consulting organization, said in a statement that pervasive hospital website tracking “underscores the need to update health technology and information regulations” including HIPAA, which fail to address the “many questionable practices that have developed.”

What the study found

  • Among 3,747 non-federal acute-care hospitals with accessible websites, 98.6% of homepages had at least one data transfer and 94.3% had at least one third-party cookie.
  • Google’s parent company Alphabet took data from 98.5% of homepages, followed by Meta (55.6%), Adobe Systems (31.4%) and AT&T (24.6%).
  • Tracking was just as brisk on hospital web pages pertaining to six sensitive health conditions: breast cancer, Alzheimer’s disease, Crohn’s disease, congestive heart failure, depression and HIV.
  • Hospital staff “might not fully appreciate the privacy implications” of installing free tracking tools, which give them insights into how their sites are used.
  • Hospitals should regularly audit their websites, disclose third-party tracking, and allow patients to easily and permanently opt out of tracking.

Further reading