A New Lawsuit Is a Reminder: Hospitals Are Selling Your Medical Data

Cedars-Sinai Medical Center, the 886-bed hospital where I was born in Los Angeles, has a privacy problem. If you head to the Cedars website today you’ll be greeted by six ad trackers and 17 third-party cookies—according to the Markup’s Backlight tool—and, apparently, that’s an improvement. A class action lawsuit filed in California accuses the mega-hospital of sharing patient data with Google, Microsoft, and Meta, owner of Facebook. It’s a reminder that yes, your medical data is for sale.

According to the lawsuit, spotted by the Register, Cedars shared a wide variety of data with Meta, including the types of medical treatment patients were looking for, details about the doctors they looked up, and even the fact that a patient was making an appointment.

“By way of illustration, if a patient made an appointment with a doctor for treatment of cancer, the tracking code Cedars-Sinai put on its Website conveyed that information to Meta, which in turn allowed Meta to include that patient in marketing target groups that it offered to its other advertising clients who wanted to market to cancer patients,” the complaint reads.

Cedars changed this practice in 2022, but the damage is done, according to plaintiff John Doe (who is suing anonymously, because, you know, privacy). Cedars-Sinai did not immediately respond to a request for comment.

This isn’t the first time the law has gotten involved either. Meta is also being sued for being on the receiving end of the hospital data feeding frenzy.

Does a hospital selling your medical data surprise you? Sadly, it shouldn’t.

As you cruise around the web, you’re constantly being monitored and tracked for targeted ads. Most companies don’t have their own ad targeting operation, so they partner with third-party vendors, like Meta, Google, and countless others, and stick their ad tracking tools into the code of their websites.

In other words, that means that your data is being shared with countless companies you may have never even heard of on a constant basis. The vast majority of apps and websites do this. Many people assume there’s a special exception for medical data. Not exactly.

When I talk to people about this kind of thing at parties (I’m a lot of fun), they’ll say something about HIPAA and wave their hands in the air. Wave your hands all you want, HIPAA isn’t protecting you, even when it should.

Last year, the Markup looked at the top 100 hospitals and found 33 of their websites told Meta every time you tried to book an appointment. After the investigation, the US Department of Health and Human Services chimed in to remind everyone that HIPAA-covered entities are definitely not supposed to share personally identifiable information with outside companies without consent. It seems that hospitals are doing it anyway, and on a massive scale.

So what does HIPAA cover?

The words “HIPAA covered entities” are doing a lot of work here. Let’s be clear: HIPAA is not a law about medical data. It’s a law about doctors, insurance companies, and their business associates. HIPAA’s privacy protections only apply to personally identifiable medical data when it’s in the hands of a health care provider, hospital, insurance company, or another business that is working directly on their behalf. If you’re using an app or a website like GoodRx or WebMD, for example, they aren’t covered by HIPAA in most cases.

That’s left a gaping hole in medical privacy that basically every health tech company has been waltzing through since the dawn of the internet. In the year of our lord 2023, regulators have only just gotten started on dealing with this problem.

At the beginning of February, the Federal Trade Commission got involved and said that it’s illegal to share peoples health data without consent, even if you’re a company that isn’t covered by HIPAA. Based on this reporter’s investigations, the FTC fined GoodRx, a prescription coupon service, $1.5 million for doing just that, and made the company promise to never use medical data for ads again.

It’s not even clear whether the FTC has the authority to regulate here. According to Clinton Mikel, former chairman of an American Bar Association group on e-health and privacy, the FTC would have lost the case if it had to fight it through in court, and settling with GoodRx for a relatively tiny fine was an effort to establish precedent in a “power grab” for more control over medical privacy.

The FTC, unsurprisingly, denied that this was their strategy, and said it’s officially the new cop on the health privacy beat. It remains to be seen whether the FTC’s legal justification for regulating medical data will hold up in court.

Whether or not the FTC is successful, you can assume that for the time being your health information is up for grabs. It will be a long time until it’s clear exactly what the law does and doesn’t allow, and even longer before companies fix their apps and websites to solve these problems—if they ever bother to fix them in the first place.

Why would a hospital share my data with Google and Facebook?

You might be wondering what hospitals like Cedars and companies are doing with this treasure trove of medical records. Well it’s simple… sort of. A hospital wants to target ads at people who visit its website. It shares data with advertising companies to keep track of website visitors and record what they do. Later, that hospital can go back to its advertising partners, pick out people from those data sets, and send them pretty little ads all over the web.

By law, this counts as selling your data. At least, that’s what the California Consumer Privacy Act (CCPA) says, and Cedars is in California, after all. The data business would much prefer us to use the word “share.” It sounds nicer, right? It’s like preschool, but instead of toddlers, it’s multi-billion dollar corporations. And instead of toys, it’s data about your most personal secrets.

If you want to get literal about it, “sharing” is accurate. Ad trackers typically aren’t paying for the kind of data Cedars blasts into the advertising ecosystem. Instead, Cedar’s “shares” it with them. In exchange for advertising services, companies like Meta or Google get to turn around and use that data for other fun stuff. Meta would probably take a larger cut of the profits from these tools if it didn’t get to make some extra cash on the side.

It’s great (maybe)! Everybody is sharing, and everybody is making money. Except you. You still have to pay your medical bills.