This article was originally published by The Defender — Children’s Health Defense’s News & Views Website.
Google, Microsoft, Facebook, TikTok and the majority of medical and healthcare websites illegally harvest and sell private health information despite a federal crackdown on the practice, according to a new cybersecurity report.
The report, by Toronto-based cybersecurity firm Feroot Security, analyzed hundreds of healthcare websites and found that more than 86% are collecting private data and transferring it to advertisers, marketers and Big Tech social media companies without user consent and in violation of privacy laws.
As patients or consumers browse their favorite or trusted medical websites or sign in to hospital portals to access their private health records, invisible bits of HTML code — called “tracking pixels” — embedded on the websites harvest private information, such as whether patients have cancer, erectile dysfunction or are behind on their hospital bill.
The information is repackaged and sold for a variety of uses, including to companies that target individual users with internet ads, according to the report.
The risk of having personal data scraped is particularly high on log-in and registration pages where internet users supply troves of information, unaware it is being hijacked and sold. More than 73% of log-in and registration pages have invisible trackers that pirate personal health information, the study found.
Approximately 15% of the tracking pixels analyzed by Feroot record users’ keystrokes, harvesting social security numbers, usernames and passwords, credit card and banking information, and an infinite variety of personal health data, including medical diagnosis and treatment.
The study showed that “Google is the absolute dominant collector” of data. Ninety-two percent of the websites loaded on the Google search engine contained data-harvesting technology across wide sectors of the U.S. economy including healthcare and telehealth, banking and financial services, airlines, e-commerce, and the federal and state governments.
The number two offender was Microsoft with 50.4% of websites on its platform hiding tracking tools, with Facebook next at 50.2% and TikTok at 7.41% and growing fast.
Google, as the driver of its parent Alphabet, the world’s fourth largest company, is often called “the most powerful company in the world.” It counts on advertising, a lifeblood of the global digital economy, for 80% of its revenue.
Microsoft and Facebook “round up the Top 3” of companies that systematically breach data, the report said. Representatives of Google, Microsoft, and Facebook denied their companies used tracking pixels to harvest personal data.
Website owners are responsible for controlling data collection, a Google spokesperson said. Google policy prohibits Google Analytics and advertising customers, including for example hospital or telehealth websites, from collecting health data in violation of the U.S. Health Insurance Portability and Accountability Act (HIPAA). It’s up to the websites to determine “whether they are HIPAA-regulated entities and what their obligations are under HIPAA,” Google policy says.
Personal health data collected by a tracker or third party without a user’s consent is a violation of HIPAA, said Feroot CEO Ivan Tsarynny.
Big Tech companies “do have policies that talk about protecting health info,” Tsarynny said. But “the real-world application of these policies is a different story.”
Feroot’s study comes as “concern grows regarding data mining companies using pixels/trackers that load into browsers from websites to collect privacy and sensitive user data,” the report stated.
“Compliance regulators and government authorities are increasingly stepping in with bans, restrictions, and executive orders to curb them.”
Eighteen major hospital systems were sued this year for sharing patients’ sensitive health data with Google, Facebook and other tech giants in violation of privacy laws, according to Becker’s Hospital Review.
They include prominent academic medical centers such as the University of Pittsburgh Medical Center, the University of Chicago Medical Center, the University of Iowa Medical Center, Chicago-based Northwestern Memorial Hospital and the University of California San Francisco Medical Center.
Prompted by growing concerns over data theft and the article, “‘Out of Control’: Dozens of Telehealth Startups Sent Sensitive Health Information to Big Tech Companies,” Feroot launched an investigation “to ascertain the exact magnitude and pervasiveness of social media pixels/trackers collecting and transferring personal, sensitive, and private data using pixels or trackers.”
The security platform Feroot sells to companies “made it possible to get detailed facts regarding active client-side e-skimming,” the company said.
Feroot collected data on pixels/trackers during an eight-week period in January and February.
The company said it examined more than 3,675 organizations with unique websites in seven economic sectors. It studied 108,836 unique web pages, including especially vulnerable login, registration and credit card processing pages, 227 trackers and 7 million data transfers.
Key findings from ‘Beware of Pixels & Trackers’:
- Pixel trackers are “common and abundant” — an average of 13.16 pixels/trackers were found per website, “with Google, Microsoft, Meta (owner of Facebook), ByteDance (owner of TikTok), and Adobe being some of the most common.”
- “Mission-critical” webpages, such as log-in or registration pages, increase the risk of exposing private information. An average of 5.96% of websites had pixels/trackers on webpages reading user input forms containing privacy or sensitive data.
- Pixel trackers transfer data to foreign locations around the globe — “about 5% of the data transferred by pixels/trackers loaded from US-based websites is sent outside the US.”
- Pixel trackers collect and transfer data without first obtaining the explicit consent of visitors.
- Pixels and trackers are loading from domains banned by the U.S. government and various U.S. states and even from some of those same governments, including Russia and China. Data obtained by Russian and Chinese websites is a security risk from surveillance and spying.
- Meta (owner of Facebook and Instagram) and TikTok, owned by Chinese company ByteDance, were “particularly worrisome” for privacy invasion and surveillance risks. Thirty-four U.S. states, both Republican and Democratic-controlled, have banned the use of TikTok on government devices. Montana in May banned the app on all personal devices.
- TikTok is often present whether or not the TikTok app is deleted. TikTok pixels/trackers can still “load into webpages handling mission-critical user data and can collect and transfer it.”
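The findings about trackers on log-in and registration pages can be checked on a site you operate. The following added example (not from the Feroot report or the original article) parses a page's HTML, lists the third-party hosts it loads scripts, images or iframes from, and flags pages where a third-party script sits beside sensitive form fields. The host names, the field-name hints and the two-label site comparison are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

SENSITIVE_TYPES = {"password", "email", "tel"}
# Assumed name fragments that mark a field as sensitive; tune per site.
SENSITIVE_HINTS = ("user", "pass", "ssn", "card", "cvv", "dob", "diagnosis")

def site_of(host):
    # Simplification: last two DNS labels. Use a public-suffix list in practice.
    return ".".join(host.lower().split(".")[-2:])

class PageAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.site = site_of(urlparse(page_url).hostname)
        self.third_party = {}       # host -> set of tag names that load from it
        self.sensitive_fields = []  # names of inputs that carry sensitive data

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            host = urlparse(urljoin(self.page_url, a["src"])).hostname
            if host and site_of(host) != self.site:
                self.third_party.setdefault(host, set()).add(tag)
        elif tag in ("input", "textarea", "select"):
            name = (a.get("name") or a.get("id") or "").lower()
            ftype = (a.get("type") or "").lower()
            if ftype in SENSITIVE_TYPES or any(h in name for h in SENSITIVE_HINTS):
                self.sensitive_fields.append(name or ftype)

def audit(page_url, html):
    p = PageAudit(page_url)
    p.feed(html)
    p.close()
    script_hosts = sorted(h for h, t in p.third_party.items() if "script" in t)
    return {
        "third_party_hosts": sorted(p.third_party),
        "script_hosts": script_hosts,
        "sensitive_fields": p.sensitive_fields,
        # A third-party script runs inside the page and can read form input,
        # so its presence next to sensitive fields is the case to review first.
        "high_risk": bool(script_hosts and p.sensitive_fields),
    }

# Constructed sample page (hypothetical hosts, not taken from the report).
LOGIN_URL = "https://portal.example-hospital.test/login"
LOGIN_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-hospital.test/ui.js"></script>
<script async src="https://tags.tracker-a.example/pixel.js"></script>
</head><body>
<form action="/session" method="post">
  <input type="hidden" name="csrf_token" value="x">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
<img src="https://px.tracker-b.example/t.gif?ev=PageView" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    print(audit(LOGIN_URL, LOGIN_HTML))
```

A static pass like this only sees tags present in the served HTML; trackers injected at runtime by a tag manager need a browser-based capture of network requests.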
GoodRx case highlights corporate deceit around data-sharing
While corporations face losing profit and reputation from data breaches or fines for causing them, individuals face a potentially catastrophic loss of privacy when major health websites harvest and sell their information, according to the Federal Trade Commission (FTC).
In February, the FTC fined popular discount drug and telehealth site GoodRx for “failing to report its unauthorized disclosure of consumer health data to Facebook, Google, and other companies.”
The action to “bar GoodRx from sharing consumers’ sensitive health information for advertising” was the FTC’s first enforcement action under its Health Breach Notification Rule.
“Digital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information,” FTC Bureau of Consumer Protection Director Samuel Levine said in a news release after the settlement. “The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.”
The FTC enforcement against GoodRx revealed a particularly egregious, yet not uncommon, example of how corporate health and medical websites betray patient trust and manipulate patient data, the FTC said.
According to the FTC’s complaint, GoodRx violated the law by improperly sharing sensitive personal health information since at least 2017, though it promised otherwise.
The company “deceptively promised its users that it would never share personal health information with advertisers or other third parties,” the FTC charged, and deceptively displayed a seal at the bottom of its telehealth services homepage “falsely suggesting to consumers that it complied with … HIPAA.”
In reality, the FTC complaint said, GoodRx “monetized its users’ personal health information, and used data it shared with Facebook to target GoodRx’s own users with personalized health- and medication-specific advertisements on Facebook and Instagram.”
For example, GoodRx in August 2019 made lists of its users “who had purchased particular medications such as those used to treat heart disease and blood pressure, and uploaded their email addresses, phone numbers, and mobile advertising IDs to Facebook so it could identify their profiles,” according to the complaint.
“GoodRx then used that information to target these users with health-related advertisements.”
People who accessed GoodRx coupons to purchase, for instance, Viagra would see ads for erectile dysfunction medication on their Facebook or Instagram pages, the FTC says.
“Similarly, people who had used GoodRx’s telehealth services to get treatment for sexually transmitted diseases would get ads for STD testing services.”
GoodRx disclosed to Facebook the medication purchase data it receives from pharmacy benefit managers and also used the data to target ads.
By using Facebook’s ad targeting platform, the FTC said, “GoodRx designed campaigns that targeted customers with ads based on their health information. For example, if a customer had revealed a possible erectile dysfunction issue to GoodRx, they might have seen an ad on Facebook like Exhibit A in the FTC complaint.”
In February, California-based GoodRx, a $2.1 billion company, paid a $1.5 million civil penalty to the FTC to settle the complaint and denied any wrongdoing.
Howard Danzig, founder and president of Employers Committed to Control Health Insurance Costs, said “fining GoodRx just $1.5 million dollars is not even a slap on the wrist. While many employers are so vigilant about respecting the guidelines of the HIPAA privacy laws, large tech companies basically get a pass.”
“How about major penalties for Facebook, Google and any others who were the beneficiaries of this information?” he wrote on his LinkedIn page with almost 9,000 followers.
“How about determining whether or not there were any criminal violations that should be pursued against the individuals who actually collaborated to do this? How about ‘REPARATIONS’ from the companies involved to the people and customers whose privacy was breached?”
The data breach occurred for “advertising purposes,” he noted. “How far afield can this really be taken and how far afield has it been taken?”
This article was originally published by The Defender — Children’s Health Defense’s News & Views Website under Creative Commons license CC BY-NC-ND 4.0.