The Opioid Policy Institute (OPI) and Legal Action Center (LAC) today released the findings from a 16-month analysis of a dozen major substance-use-focused mHealth websites, revealing details of how much data is shared with third parties.

While the sharing of any kind of patient information is often strictly regulated or outright forbidden, it’s even more verboten in addiction treatment, as patients’ medical history can be inherently criminal and stigmatized. Generally, patients seeking treatment for substance use disorders, or SUDs, are protected not only by the Health Insurance Portability and Accountability Act (HIPAA) but by a law called 42 CFR Part 2 (commonly known as “Part 2”), which guarantees the confidentiality of treatment records and protects individuals from having their treatment history used against them. Browsing histories, however, exist in a gray area, and though they are not exactly medical information, experts find these sites’ monitoring of them concerning.

The OPI and LAC analysis used Blacklight, a privacy tool created by the news nonprofit The Markup, to analyze the websites of Bicycle Health, Boulder Care, Bright Heart Health, Confidant Health, DynamiCare Health, Kaden, Loosid, Ophelia, PursueCare, reSET-O, SoberGrid, and WorkItHealth at four timepoints from March 2021 to July 2022.

All 12 websites included technologies that collect, identify, and share information about users with third parties, and all had ad trackers that are used for advertising purposes. The average number of these trackers “generally” increased over the 16 months, researchers found. Furthermore, 11 of the sites used third-party session cookies that identify visitors and track them across other websites to serve ads, and four of the 12 used session recording, which monitors the behavior of visitors to the sites, from their mouse movements and clicks to their scrolling and typing, even if the text input is never submitted.
Half of the websites used Meta Pixel to send user data to Facebook, 10 used Google Analytics (which can track user metrics), and all 12 sent some data to ad tech companies that buy and sell user data for advertising.

Many of the providers highlight their commitment to “privacy” on their websites. However, as Regina LaBelle, director of the Addiction and Public Policy Initiative at Georgetown Law’s O’Neill Institute, explains, “In the addiction policy field, when we define our position about privacy, I think it is much more comprehensive than what is laid out in some of the companies’ definitions of privacy.”

Pointing to the recent case of a Nebraska teen who was charged for self-administering a miscarriage after police reviewed her Facebook messages, Dr. Westley Clark, who formerly led health IT initiatives at the Substance Abuse and Mental Health Services Administration, drew a parallel: “It won’t take long for the narcotics section of criminal justice to realize that the abortion section of criminal justice has tools that they can also use,” Clark says. “With these technologies, all I have to do is get an administrative subpoena … if I suspect you of being an addict. I can go to Facebook. I can go to Google.” He also expresses concern that for the right price, entities holding such data wouldn’t even require a warrant to hand it over.

Clark cautions that he isn’t aware of law enforcement looking at data from addiction-focused mHealth sites but believes it could happen in the post-Roe world. He, like other experts contacted for this story, is a strong proponent of telehealth as a tool to tackle the ever-expanding overdose crisis and wants to see telemedicine companies do a better job of protecting patient privacy.
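A way to check a site for the kinds of third-party sharing the report describes (tracker scripts such as Meta Pixel and Google Analytics, and cookies scoped to another company’s domain). This is an added example, not code from the OPI/LAC report or from Blacklight; the tracker host list, the crude domain matching, and the sample page and cookies are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Well-known script hosts for the two trackers the report names (illustrative, not exhaustive).
KNOWN_TRACKERS = {"connect.facebook.net": "Meta Pixel",
                  "www.google-analytics.com": "Google Analytics",
                  "www.googletagmanager.com": "Google Analytics / Tag Manager"}

class SrcCollector(HTMLParser):
    """Collect src attributes of <script> and <img> tags (tracking pixels load as images)."""
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "img"):
            self.srcs += [v for k, v in attrs if k == "src" and v]

def registrable(host):
    """Crude eTLD+1 (last two labels); assumption: adequate for .com/.net/.org hosts."""
    return ".".join(host.lower().split(".")[-2:])

def audit(site_url, html, set_cookie_headers):
    """Return third-party script hosts, recognised trackers and third-party cookie names."""
    site = registrable(urlparse(site_url).hostname)
    collector = SrcCollector()
    collector.feed(html)
    hosts, trackers = set(), {}
    for src in collector.srcs:
        host = urlparse(src).hostname
        if host and registrable(host) != site:  # skip first-party resources
            hosts.add(host)
            if host in KNOWN_TRACKERS:
                trackers[host] = KNOWN_TRACKERS[host]
    tp_cookies = []  # a cookie is third-party when its effective Domain is not the site's own
    for header in set_cookie_headers:
        m = re.search(r";\s*domain=([^;]+)", header, re.IGNORECASE)
        domain = m.group(1).strip().lstrip(".") if m else site
        if registrable(domain) != site:
            tp_cookies.append(header.split("=", 1)[0])
    return {"third_party_hosts": sorted(hosts), "trackers": trackers, "third_party_cookies": tp_cookies}

# Constructed sample page and cookies; not taken from any real provider's site.
SAMPLE_HTML = """<html><head>
<script src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="/static/app.js"></script></head>
<body><img src="https://www.facebook.com/tr?id=0&ev=PageView" height="1"/></body></html>"""
SAMPLE_COOKIES = ["session=abc; Path=/; HttpOnly", "_fbp=fb.1.x; Domain=.example-clinic.org; Path=/", "IDE=xyz; Domain=.doubleclick.net; Path=/"]

def audit_sample():
    return audit("https://example-clinic.org/", SAMPLE_HTML, SAMPLE_COOKIES)
```

Run on a real response, the output is a starting point for the kind of inventory a provider could use to justify or remove each third-party host before it ever sees a visitor.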
LaBelle says she thinks these mHealth companies are helmed by “well-meaning people who want to do good but may not understand the totality of the issues that are involved in getting people the services they need, and how critically important a broad definition of privacy is to protect these people.” The Legal Action Center’s Dr. Jackie Seitz, one of the authors of the research, says she also appreciates the value of these online services and questions whether providers themselves realize “all the different, leaky ways that the information they’re collecting about patients is sort of floating out.”

One person who does know about those leaky ways is Sean O’Brien, a lecturer on cybersecurity at Yale Law School who founded the Privacy Lab at Yale’s Information Society Project. He worked with the OPI and LAC on previous research that focused on mobile apps in the addiction telehealth space and lamented that it’s “shocking” to see mHealth providers still using so many third-party trackers despite the fact that they’ve been “under the microscope” for some time now. “They’re just sharing it with everybody they can,” he says, adding that what he finds particularly problematic is the caching of the data on servers, where someone could “scoop up” the information.

Boulder Care CEO Stephanie Strong says her company is subject to HIPAA and Part 2 and “takes patient privacy extremely seriously.” She adds that her company uses digital advertising and web measurement tools “sparingly” (indeed, Boulder Care used fewer of the tools than others in the report) and limits the use of ad tracking software to website visitors and inquiries only, without reporting back to Google or Meta on any actions that could be “indicative of actual treatment.” Patient care is delivered by Boulder’s app, which does not use any tracking software.
Lisa McLaughlin, who was co-CEO of WorkIt Health at the time she provided comment but has since departed the business, says the company “is committed to creating a safe place for our members to receive discreet and accessible virtual care.” A representative for Confidant Health echoes that the company recognizes the importance of privacy in SUD care and will “continue to adhere to HIPAA and similar legislation as well as upholding our own internal protocols which we developed to protect our members.”

Representatives from other companies included in the study did not deny the use of the third parties that researchers identified, but they maintained that this poses no threat to patient privacy and is in keeping with standards across the internet and in the medical space. Nick Mercadante, founder and CEO of PursueCare, says his company does not collect, store, or forward protected health information from visiting users, and that patients don’t receive their care directly on the PursueCare site. He also said PursueCare does not share protected health information (PHI) with third parties, though it does “utilize Facebook Pixel and Google Analytics for internal reporting purposes.” “It is a reality that users of most websites on the internet today are subject to collection of user data,” Mercadante says. “Health-care-related websites, including those of health systems, hospitals, inpatient care facilities, and other brick-and-mortar care facilities, are no different.”

Pear Therapeutics, responsible for reSET-O, notes it doesn’t share PHI without patient consent, does not use any digital footprints to identify user identities, and reports data “on an aggregated and de-identified basis.” Experts remain concerned by the collection of the data in the first place, de-identified or not, but acknowledge that what’s happening here isn’t illegal and is likely to continue for that reason.
Danielle Tarino, who formerly led the health IT team at SAMHSA and now works in cybersecurity, has spent a considerable chunk of her career investigating the privacy implications of mHealth, especially for people with substance use disorders. She believes the best shot at protecting privacy will come from the creation and implementation of additional tools. “This is how small tech businesses work, and absent anyone telling you that you’re not allowed to do that, you’re allowed to do that,” she says, questioning whether the sites’ use of ad trackers and outside software boils down to finances.

Clark, too, expresses concerns that the use of data collection is financially motivated and, for the right price, could be sold or leased to law enforcement or other parties. “When there’s monetary incentives, people make the changes. When there are no monetary incentives, they don’t,” he says. In short, data privacy experts don’t anticipate that mHealth companies will stop collecting data unless forced.

Another patient who uses one of the companies analyzed by the OPI and LAC was alarmed by the findings. “They should [be required to] have a service that prevents them from being able to track anything like that,” he says. “How much is my information worth?” he asks, questioning whether data from his and other patients’ website use was more valuable than the few hundred dollars they generate each month as patients. “It’s so scary. This is the first time in my life I’m not on probation in 10 years. Now, I’m not. Thinking that someone could really just look at that … Who knows what’s going to happen?”

Update 10:15 am EST, 11-18-22: WorkIt Health says that Lisa McLaughlin left the company between the time she provided comment and publication. We’ve updated the piece to reflect that she is no longer WorkIt Health’s co-CEO.