Nearly All Hospital Websites Send Tracking Data to Third Parties

— Most common recipients of data were Alphabet, Meta, Adobe, and AT&T

MedpageToday

Third-party tracking is used on almost all U.S. hospital websites, endangering patient privacy, a cross-sectional observational study found.

Of 3,747 hospitals included in the 2019 American Hospital Association (AHA) annual survey, 98.6% of their website home pages had at least one third-party data transfer, and 94.3% had at least one third-party cookie.

"In the U.S., third-party tracking is ubiquitous and extensive," researchers led by Ari B. Friedman, MD, PhD of the University of Pennsylvania in Philadelphia, wrote in Health Affairs. "The high number of entities engaged in tracking on hospital websites heightens potential privacy risks to patients."

The tracking data most commonly went to Google's parent company Alphabet (98.5% of homepages), followed by Meta (formerly Facebook), which was used in 55.6% of hospital homepages. Adobe Systems and AT&T collected data from 31.4% and 24.6% of hospital pages, respectively.

"What we found is that it's virtually impossible to look at any hospital website in the country without exposing yourself to some tracking," study coauthor Matthew McCoy, PhD, of the University of Pennsylvania, told MedPage Today. "That's really significant, because even if you were a patient with privacy concerns and you wanted to avoid this kind of thing, what that means is you really don't have an option to do that."

Hospital website home pages had a median of 16 third-party transfers, with more third-party transfers from medium-sized hospitals as opposed to small and large ones (24, 17, and 13 transfers, respectively). Of hospital characteristic factors, membership in a health system, having a primarily urban patient population, and having a medical school affiliation were all significantly associated with a greater number of third-party transfers on hospital website home pages.

On 100 randomly sampled hospital websites, searches for six "potentially sensitive" conditions turned up 30 patient-facing pages for those conditions -- and all had at least one third-party data transfer.

McCoy said the number of companies tracking data on any given website was alarming. "Imagine you were browsing a hospital website for something related to your health, and you had one person looking over your shoulder and gleaning information about your health from a browsing session -- that would probably make you pretty uncomfortable," he said. "Multiply that by 16, by 20, and you've got that many more people looking over your shoulder."

According to the study, "Many of the third parties to which data are transferred have business models built on identifying and tracking people for the purposes of targeting online advertisements." Some tracking companies, like Acxiom, sell the data to other companies; others, like Adobe and Oracle, allow health-related profiling.

Because of this tracking, patients might see more targeted advertising for drugs, supplements, or insurance based on their personal medical conditions. Health-related information, the authors wrote, could even be used in risk scores that affect credit or insurance eligibility.

Investigative reports by media outlets and lawsuits involving big tech companies and hospitals have thrown this patient privacy problem into high relief, prompting the Department of Health and Human Services to clarify in 2022 that HIPAA protections apply to some data transfers.

Friedman's group suggested policymakers prioritize privacy legislation that prohibits the practice of third-party tracking on hospital websites. Hospitals, they wrote, should audit websites to eliminate tracking, and should also give patients an option to opt out of tracking completely. Not doing so could make hospitals vulnerable to lawsuits over privacy violations.

"Setting aside those kinds of questions about legal liability..., I think most healthcare providers would recognize themselves as having a responsibility to protect the interests of their patients, and that means also protecting their patients' interest in privacy," McCoy said.

Friedman, McCoy, and colleagues used the 2019 AHA annual survey to identify nonfederal, non-acute hospitals and assessed third-party tracking in August 2021. Both the AHA and the Census Bureau's American Community Survey were used to gather the characteristics of these hospitals. If part of a larger health system, some hospitals shared a website.

Researchers used a tool called webXray to record third-party tracking from hospital home pages, count the data transfers that occurred when a page loaded, and link individual tracking domains to their parent companies.
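For hospitals auditing their own pages, the same kind of measurement can be run over a browser HAR capture of a page load. The Python below is an added example, not webXray's code or the study's: it counts third-party transfers and third-party Set-Cookie headers and attributes each third-party domain to a parent company. The HAR excerpt, the hospital.example site, and the short owner map are constructed for illustration, and the two-label domain rule is a simplifying assumption.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Small illustrative owner map (assumption); a real audit needs a maintained list.
OWNERS = {"google-analytics.com": "Alphabet", "doubleclick.net": "Alphabet",
          "facebook.net": "Meta", "demdex.net": "Adobe"}

def har_entry(url, *set_cookie):
    """Build one HAR entry (request URL plus response Set-Cookie headers)."""
    headers = [{"name": "Set-Cookie", "value": c} for c in set_cookie]
    return {"request": {"url": url}, "response": {"headers": headers}}

# Constructed HAR excerpt for one load of a hypothetical hospital home page.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    har_entry("https://www.hospital.example/", "session=abc; Secure"),
    har_entry("https://cdn.hospital.example/app.js"),
    har_entry("https://www.google-analytics.com/collect?v=1"),
    har_entry("https://stats.g.doubleclick.net/r/collect", "IDE=x; SameSite=None"),
    har_entry("https://connect.facebook.net/en_US/fbevents.js"),
    har_entry("https://dpm.demdex.net/id", "demdex=y; SameSite=None"),
    har_entry("https://tags.tracker.test/p.gif"),
]}})

def site(host):
    """Naive registrable domain: last two labels (assumption).
    Use the Public Suffix List in practice (e.g. for *.co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def audit(har_text, page_url):
    """Count third-party transfers and cookies, grouped by parent company."""
    first_party = site(urlsplit(page_url).hostname)
    transfers, cookies, owners = 0, 0, Counter()
    for entry in json.loads(har_text)["log"]["entries"]:
        domain = site(urlsplit(entry["request"]["url"]).hostname)
        if domain == first_party:
            continue  # same site as the page: not a third-party transfer
        transfers += 1
        owners[OWNERS.get(domain, "unknown: " + domain)] += 1
        # Set-Cookie on a third-party response is used here as the cookie signal.
        cookies += sum(1 for h in entry["response"]["headers"]
                       if h["name"].lower() == "set-cookie")
    return {"transfers": transfers, "cookies": cookies, "owners": dict(owners)}

if __name__ == "__main__":
    print(audit(SAMPLE_HAR, "https://www.hospital.example/"))
```

Domains reported as "unknown" are the ones an auditor has to attribute by hand before deciding whether the tag stays on the page.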

Limitations of the study included evaluation of only data transfers to third parties and third-party cookies, but not other forms of tracking. Researchers didn't assess tracking on password-protected patient portals and also could not differentiate between uses of data once transferred. They also did not evaluate the contents of the data transfers, only their volume.

Sophie Putka is an enterprise and investigative writer for MedPage Today. Her work has appeared in the Wall Street Journal, Discover, Business Insider, Inverse, Cannabis Wire, and more. She joined MedPage Today in August of 2021.

Disclosures

Friedman and co-authors received funding from the Public Interest Technology University Network Challenge Fund, along with support from the Penn Medical Communications Research Institute. McCoy reported receiving grants from the Greenwall Foundation. Coauthors reported support from the National Heart, Lung, and Blood Institute; grants from the National Science Foundation outside this work; and gifts from Google, Facebook, and Carnegie Mellon CyLab.

Primary Source

Health Affairs

Source Reference: Friedman AB, et al "Widespread third-party tracking on hospital websites poses privacy risks for patients and legal liability for hospitals" Health Affairs 2023; DOI: 10.1377/hlthaff.2022.01205.