Understanding Why Data Breaches Continue to Plague Digital Health

Lawsuits, congressional attention, and recent reports are all focused on the same unifying topic.

This probably comes as no surprise to read, but during the last couple of years, digital health has been “in.” The COVID-19 pandemic initiated an explosion in the use of technology in the healthcare industry, particularly in the use of the Internet. 

But as the saying goes, every rose has its thorn. And recently, when it comes to digital health, the thorn seems to be data security breaches. Both top telehealth companies and several healthcare systems have been hit with claims that they are sharing and/or selling patient data to advertisers or other third parties without consumers’ permission, or even knowledge.

The various consequences are likely to influence how Congress, the healthcare industry, and the public envision the role of digital health in the future.

In early February, the Federal Trade Commission (FTC) hit popular digital health platform GoodRx with a $1.5 million civil penalty for sharing user health data with third parties for advertising purposes. The FTC stated that GoodRX shared information such as users’ prescription medications and health conditions with companies like Facebook and Google, which in turn used that information to advertise related businesses, services, and products on the users’ accounts. The FTC called on a never-before-used rule called the Health Breach Notification Rule that was expanded in 2021 to address the unauthorized sharing of data; digital health apps are included in its purview. 

Similarly, a bipartisan group of senators sent inquiries this month to three telehealth companies after a recent report indicated that those companies were tracking and sharing private patient data. The lawmakers were extremely concerned following the report, which was released by The Markup and STAT. The report showed how often telehealth companies were engaging in these practices. 

Of the 50 companies looked at, 35 sent personal information with third-party advertisers, 13 shared users’ questionnaire answers, and 11 shared what items users had put into their digital shopping carts. The letters from the senators requested more information on the companies’ data-sharing practices, including a complete list of questions users are asked on the platform, all recipients of tracked user information for the last three years, and information on how the companies plan to protect user data in the future. 

Not even hospitals are immune from scrutiny, as just this month, two large hospital networks and Cedars-Sinai Medical Center in Los Angeles were hit with lawsuits over their data collection and sharing practices. Cedars-Sinai is being sued by a patient, and his lawsuit alleges that he was targeted with extremely specific advertisements and marketing schemes about his chronic illness following treatment at the hospital. 

Cedars-Sinai allegedly uses a website code that led to the hospital’s website gathering, analyzing, and sharing medical data. Two Louisiana health systems have just been hit with similar accusations, with class-action lawsuits being filed following patients seeing similar incidents. 

These are only the latest among several more lawsuits around the country, with another Markup/STAT study finding that dozens of the nation’s top hospitals used similar code on their websites.

When asked about the GoodRx settlement, a director at the FTC was quoted as saying the agency was “serving notice” that it will “protect American consumers’ sensitive data from misuse and illegal exploitation.”

With the senators’ inquiry into telehealth and similar congressional inquiries into Meta’s user data protection, it’s clear that shielding Americans’ private health data is a priority, both legally and legislatively, moving further into the 2023 session.