>A joint investigation by STAT and The Markup of 50 direct-to-consumer telehealth companies like WorkIt found that quick, online access to medications often comes with a hidden cost for patients: Virtual care websites were leaking sensitive medical information they collect to the world’s largest advertising platforms. > >On 13 of the 50 websites, we documented at least one tracker—from Meta, Google, TikTok, Bing, Snap, Twitter, LinkedIn, or Pinterest—that collected patients’ answers to medical intake questions. Trackers on 25 sites, including those run by industry leaders Hims & Hers, Ro, and Thirty Madison, told at least one big tech platform that the user had added an item like a prescription medication to their cart, or checked out with a subscription for a treatment plan.  > >The trackers that STAT and The Markup were able to detect, and what information they sent, is a floor, not a ceiling. Companies choose where to install trackers on their websites and how to configure them. Different pages of a company’s website can have different trackers, and we did not test every page on each company’s site. > >All but one website examined sent URLs users visited on the site and their IP addresses—akin to a mailing address for a computer, which can be used to link information to a specific patient or household—to at least one tech company. The only telehealth platform that we didn’t observe sharing data with outside tech giants was Amazon Clinic, a platform recently launched by Amazon. > >Health privacy experts and former regulators said sharing such sensitive medical information with the world’s largest advertising platforms threatens patient privacy and trust and could run afoul of unfair business practices laws. They also emphasized that privacy regulations like the Health Insurance Portability and Accountability Act (HIPAA) were not built for telehealth. That leaves “ethical and moral gray areas” that allow for the legal sharing of health-related data, said Andrew Mahler, a former investigator at the U.S. Department of Health and Human Services’ Office for Civil Rights. > >“I thought I was at this point hard to shock,” said Ari Friedman, an emergency medicine physician at the University of Pennsylvania who researches digital health privacy. “And I find this particularly shocking.”

This is, to put it mildly, not good. There need to be clear standards and requirements for any organization, public or private, to safekeep health data and metadata. Meaningful sanctions need to also be in place for those who violate these standards. Given the current situation, it would not be surprising if insurance companies and the like are buying all the data they can to help build out profiles on the people they insure to determine coverage and premiums.