A New Lawsuit Is a Reminder: Hospitals Are Selling Your Medical Data
Cedars-Sinai Medical Center, the 886-bed hospital where I was born in Los Angeles, has a privacy problem. If you head to the Cedars website today you’ll be greeted by six ad trackers and 17 third-party cookies—according to the Markup’s Backlight tool—and, apparently, that’s an improvement. A class action lawsuit filed in California accuses the mega-hospital of sharing patient data with Google, Microsoft, and Meta, owner of Facebook. It’s a reminder that yes, your medical data is for sale.
According to the lawsuit, spotted by the Register, Cedars shared a wide variety of data with Meta, including the types of medical treatment patients were looking for, details about the doctors they looked up, and even the fact that a patient was making an appointment.
“By way of illustration, if a patient made an appointment with a doctor for treatment of cancer, the tracking code Cedars-Sinai put on its Website conveyed that information to Meta, which in turn allowed Meta to include that patient in marketing target groups that it offered to its other advertising clients who wanted to market to cancer patients,” the complaint reads.
Cedars changed this practice in 2022, but the damage is done, according to plaintiff John Doe (who is suing anonymously, because, you know, privacy). Cedars-Sinai did not immediately respond to a request for comment.
This isn’t the first time the law has gotten involved either. Meta is also being sued for being on the receiving end of the hospital data feeding frenzy.
Does a hospital selling your medical data surprise you? Sadly, it shouldn’t.
As you cruise around the web, you’re constantly being monitored and tracked for targeted ads. Most companies don’t have their own ad targeting operation, so they partner with third-party vendors, like Meta, Google, and countless others, and stick their ad tracking tools into the code of their websites.
In other words, that means that your data is being shared with countless companies you may have never even heard of on a constant basis. The vast majority of apps and websites do this. Many people assume there’s a special exception for medical data. Not exactly.
When I talk to people about this kind of thing at parties (I’m a lot of fun), they’ll say something about HIPAA and wave their hands in the air. Wave your hands all you want, HIPAA isn’t protecting you, even when it should.
Last year, the Markup looked at the top 100 hospitals and found 33 of their websites told Meta every time you tried to book an appointment. After the investigation, the US Department of Health and Human Services chimed in to remind everyone that HIPAA-covered entities are definitely not supposed to share personally identifiable information with outside companies without consent. It seems that hospitals are doing it anyway, and on a massive scale.
So what does HIPAA cover?
The words “HIPAA covered entities” are doing a lot of work here. Let’s be clear: HIPAA is not a law about medical data. It’s a law about doctors, insurance companies, and their business associates. HIPAA’s privacy protections only apply to personally identifiable medical data when it’s in the hands of a health care provider, hospital, insurance company, or another business that is working directly on their behalf. If you’re using an app or a website like GoodRx or WebMD, for example, they aren’t covered by HIPAA in most cases.
That’s left a gaping hole in medical privacy that basically every health tech company has been waltzing through since the dawn of the internet. In the year of our lord 2023, regulators have only just gotten started on dealing with this problem.
At the beginning of February, the Federal Trade Commission got involved and said that it’s illegal to share people’s health data without consent, even if you’re a company that isn’t covered by HIPAA. Based on this reporter’s investigations, the FTC fined GoodRx, a prescription coupon service, $1.5 million for doing just that, and made the company promise to never use medical data for ads again.
It’s not even clear whether the FTC has the authority to regulate here. According to Clinton Mikel, former chairman of an American Bar Association group on e-health and privacy, the FTC would have lost the case if it had to fight it through in court, and settling with GoodRx for a relatively tiny fine was an effort to establish precedent in a “power grab” for more control over medical privacy.
The FTC, unsurprisingly, denied that this was their strategy, and said it’s officially the new cop on the health privacy beat. It remains to be seen whether the FTC’s legal justification for regulating medical data will hold up in court.
Whether or not the FTC is successful, you can assume that for the time being your health information is up for grabs. It will be a long time until it’s clear exactly what the law does and doesn’t allow, and even longer before companies fix their apps and websites to solve these problems—if they ever bother to fix them in the first place.
Why would a hospital share my data with Google and Facebook?
You might be wondering what hospitals like Cedars and companies are doing with this treasure trove of medical records. Well, it’s simple… sort of. A hospital wants to target ads at people who visit its website. It shares data with advertising companies to keep track of website visitors and record what they do. Later, that hospital can go back to its advertising partners, pick out people from those data sets, and send them pretty little ads all over the web.
By law, this counts as selling your data. At least, that’s what the California Consumer Privacy Act (CCPA) says, and Cedars is in California, after all. The data business would much prefer us to use the word “share.” It sounds nicer, right? It’s like preschool, but instead of toddlers, it’s multi-billion dollar corporations. And instead of toys, it’s data about your most personal secrets.
If you want to get literal about it, “sharing” is accurate. Ad trackers typically aren’t paying for the kind of data Cedars blasts into the advertising ecosystem. Instead, Cedars “shares” it with them. In exchange for advertising services, companies like Meta or Google get to turn around and use that data for other fun stuff. Meta would probably take a larger cut of the profits from these tools if it didn’t get to make some extra cash on the side.
It’s great (maybe)! Everybody is sharing, and everybody is making money. Except you. You still have to pay your medical bills.