FTC, HHS warn health providers not to use tracking tech in websites, apps
The Federal Trade Commission (FTC) and Department of Health and Human Services (HHS) sent a joint letter to about 130 hospital systems and telehealth providers Thursday, warning of security risks posed by tracking technologies such as the Meta/Facebook Pixel and Google Analytics.
The agencies cautioned that such technologies, typically embedded in websites and mobile apps, collect users’ identifiable information in ways that are hard for consumers to avoid. The agencies also said users are often unaware that their health data is disclosed to third parties as a result of the tracking.
“When consumers visit a hospital’s website or seek telehealth services, they should not have to worry that their most private and sensitive health information may be disclosed to advertisers and other unnamed, hidden third parties,” Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, said in a prepared statement. “The FTC is again serving notice that companies need to exercise extreme caution when using online tracking technologies.”
HHS previously warned about these risks, issuing a bulletin late last year that cautioned health systems and telehealth providers not to use such tracking technologies because they could likely lead to Health Insurance Portability and Accountability Act (HIPAA) violations.
Even companies not governed by HIPAA are responsible for protecting against the unauthorized disclosure of personal health information, the agencies warned. That responsibility applies even when a third party develops their website or mobile app.
The letter highlighted recent FTC enforcement actions against BetterHelp, GoodRx and Premom. It also included a warning from the FTC’s Office of Technology, which cautioned that companies “must monitor the flow of health information to third parties,” saying the unauthorized disclosure of the information could violate the FTC Act and the FTC’s Health Breach Notification Rule.
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.