Federal agencies say the technology could disclose patient data. Some breaches have been tied to the technology, and the FTC has begun issuing fines.
Health systems, and companies in many industries, use online tools to learn more about their customers, but those technologies carry security risks, federal officials say.
The Federal Trade Commission and the Department of Health and Human Services have issued a warning about the risk of data breaches tied to online tracking tools.
The agencies sent a joint letter last week to 130 health systems and telehealth providers to advise them about the privacy risks of tracking tools, including those used by Meta, the parent of Facebook, and Google Analytics. Federal officials said the tools could disclose personal health data to other parties, including health conditions, medications, and where patients are going for treatment.
The letter alluded to the FTC’s recent penalties for the disclosure of health data, which include fines exceeding $1 million.
“As recent FTC enforcement actions demonstrate, it is essential to monitor data flows of health information to third parties via technologies you have integrated into your website or app,” the letter states.
The letter said such breaches could lead to identity theft and distress for patients.
“When consumers visit a hospital’s website or seek telehealth services, they should not have to worry that their most private and sensitive health information may be disclosed to advertisers and other unnamed, hidden third parties,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement.
Melanie Fontes Rainer, director of the HHS Office of Civil Rights, said the agency is concerned about the disclosures of private health data.
“Although online tracking technologies can be used for beneficial purposes, patients and others should not have to sacrifice the privacy of their health information when using a hospital’s website,” she said in a statement.
Cybersecurity experts say health systems and hospitals have experienced more data breaches in recent months. There’s been an uptick in breaches tied to cyberattacks, including ransomware attacks.
However, some breaches have been tied to the disclosure of patient data through tracking tools, and some of those incidents have affected millions of patients.
Advocate Aurora Health suffered a breach that the organization said was tied to tracking tools from Facebook and Google. The breach affected as many as 3 million patients and occurred before Advocate Aurora completed its merger with Atrium Health.
Community Health Network said last November that it suffered a similar breach. Community said in a statement it worked with service providers to use web-based tracking technologies provided by Google and Facebook. That breach affected 1.5 million patients.
Federal regulators also point out that they have issued penalties for disclosures of patient information.
The FTC took action against GoodRx Holdings Inc., which provides discounted drugs and telehealth services, directing the company to stop sharing health data with other parties for advertising purposes. GoodRx agreed to pay a $1.5 million penalty in what the FTC said was the first enforcement action of its kind.
In March, the FTC ordered Better Health to pay a $7.8 million fine for failing to protect private health data. Regulators said the company disclosed health information to Facebook and Snapchat for advertising.
“The FTC is again serving notice that companies need to exercise extreme caution when using online tracking technologies and that we will continue doing everything in our powers to protect consumers’ health information from potential misuse and exploitation,” Levine said in a statement last week.
In this video interview from December 2022, Lee Kim, senior principal for cybersecurity and privacy for HIMSS, discusses ways hospitals can protect their systems.