Online trackers are prevalent on the websites of the largest healthcare companies in the U.S., often without the awareness of the patients they serve, Bloomberg reported July 11.
A Bloomberg analysis found that trackers from Meta Platforms' Facebook were able to access sensitive information such as dates of birth and phone numbers on Cigna Group's pharmacy unit website. Additionally, partial Social Security numbers entered on UnitedHealth Group's pharmacy benefit division website could be sent to Adobe's marketing service. Websites affiliated with CVS Health allowed Social Security numbers, passwords and dates of birth to be read by analytics company Quantum Metric.
A Meta representative told the news outlet that advertisers are not supposed to transmit sensitive personal information via the company's tools, and that Meta's system is engineered to filter out such data when it is detected. CVS Health told Bloomberg that they have measures in place to restrict or encrypt identifiable information before sharing it with third-party vendors. Representatives from Cigna, UnitedHealth, Adobe and Quantum Metric declined to comment or did not respond to Bloomberg's requests for a statement.
Additionally, the investigation revealed that websites run by nine of the 10 largest publicly traded health insurance, hospital and lab companies had advertising and analytics trackers installed on user registration or login pages, where personal information could be accessed by third-party companies. This data was gathered using a browser tool from Toronto-based Feroot Security, which specializes in identifying and removing web trackers.
According to the report, privacy advocates have warned that trackers on health websites and apps might expose intimate details of patients' lives, such as prescriptions, pregnancy status and mental health treatment, to advertisers and data brokers without consent. A Feroot study from 2023 found that 86% of healthcare and telehealth websites collected data without users' consent, sending it to big tech companies. Another analysis published in JAMA in 2024 found that 96% of 100 hospital websites transmitted information to third-party companies, often without disclosing this in their privacy policies.
Federal regulators have long sought to curb the collection of personal data on health websites. The Federal Trade Commission has fined telehealth companies for sharing user data, and HHS issued guidance that online trackers could violate federal health privacy rules. However, a recent court ruling in Texas limited HHS' ability to penalize healthcare companies for using trackers, complicating enforcement efforts.
Trackers, also known as pixel trackers, collect personal data by recording user behavior on websites. This data fuels a $250 billion market for personal information sold to advertisers, according to the report. For example, Bloomberg found that CVS's Aetna unit's privacy policy indicates that it collects a wide range of personal data, including Social Security numbers and browsing behavior, which could be used by trackers to gather sensitive information.
Legal actions are on the rise. A lawsuit against Oakland, Calif.-based Kaiser Permanente alleges that trackers collected and transmitted patients' names, internet addresses and search terms to tech companies such as Google, X (formerly Twitter) and Microsoft's Bing. Kaiser Permanente has removed the trackers and is seeking to dismiss the case. Another lawsuit against the Blue Cross Blue Shield Association claims that a website for the federal employees’ health plan sent data to TikTok and other tech companies.
In response to growing pressure, some healthcare companies have started removing trackers from their websites. However, the full extent of the data collected and its eventual use remains unclear, according to Bloomberg.