Cedars-Sinai, Cerebral, telehealth companies among latest accused of data sharing with Meta

Senators are demanding more transparency from hospital systems and telehealth vendors over their data sharing practices with Meta, building on a number of civil lawsuits from patients and other stakeholders seeking to force hospitals to halt intrusive data collection practices.

Two recent actions add to the deluge of allegations against Meta, Google, and other private companies around their overly aggressive data sharing practices.

Senators sent inquiries to Cerebral and two other telehealth vendors after reports found their health apps were sharing data with Google and Facebook. Meanwhile, a lawsuit filed against Cedars-Sinai accuses the Los Angeles health system of sharing its data with Facebook, Meta, Google, Microsoft Bing, and other marketing and social media platforms or businesses.

Letters sent by Sens. Maria Cantwell, D-Wash., Amy Klobuchar, D-Minn., Susan Collins, R-Maine, and Cynthia Lummis, R-Wyo., to Cerebral, Monument, and Workit Health accuse the telehealth providers of tracking and sharing patient data.

Cerebral is a mental health subscription that provides therapy and other remote services, Monument is an online alcohol counseling and treatment provider, and Workit is a telemedicine provider of opioid and alcohol treatment. Data shows that the platforms treated a combined 250,000 patients in 2021.

The websites of all three companies assert that all entered data is 100% confidential, secure, and compliant with the Health Insurance Portability and Accountability Act.

The news follows an inquiry into Meta launched by Sens. Mark Warner, D-Va., and Marco Rubio, R-Fla., after reports found that “significant amounts of sensitive user data” were accessible to “hundreds of thousands of developers” in what are classified as “high-risk jurisdictions,” like China and Russia.

Combined with over a dozen lawsuits filed against Facebook and health companies over alleged hospital data scraping via Pixel, there’s been a notable uptick in efforts to better shield consumer data from the questionable privacy practices of telehealth providers.

Telehealth vendors accused of tracking, sharing patient data

The senators say their inquiries stem from a December Stat report that showed leading telehealth companies routinely engage in third-party data sharing for advertising purposes, without patient consent and despite promises to patients that their data will remain confidential.

The letters are identical in their allegations and requests for information, centered on the “tracking and sharing [of] sensitive and personally-identifiable health data with third-party social media and online search platforms such as Google and Facebook that monetize this data to target advertisements.”

These health platforms gather “extremely personal” data that can be used to target these individuals with advertisements that are “unnecessary or potentially harmful physically, psychologically, or emotionally,” the legislators wrote.

The drastic expansion of telehealth in the last few years has supported care access in underserved and rural communities, but “access should not come at the cost of exposing personal and identifiable information to the world’s largest advertising ecosystems.”

The letter asks the companies to provide answers on the complete list of questions users are asked on their platforms, a list of the third parties that are sent user data, the types of information shared, and whether the apps have sent data that could be used to identify an individual.

In the wake of the Roe v. Wade upheaval, Congress has ramped up efforts to ensure tech companies are no longer collecting or storing location information, as well as other health identifiers that could lead to harmful outcomes for women.

The senators are seeking commitments to provide more transparent confidentiality notices to patients, as well as the companies' plans to protect patients from being identified using the data shared with third parties.

Lawsuit claims Cedars-Sinai shared patient data without consent

The missives from lawmakers underscore how the issue is increasingly drawing congressional focus, and they follow a raft of legal challenges from patients and other stakeholders that seek to halt the intrusive data collection practices of hospitals and healthcare vendors. A lawsuit filed late last week in the Superior Court of California and Los Angeles County against Cedars-Sinai mirrors previous legal actions filed in the wake of 2022 reports that showed Pixel implementations scraped patient data from hospital websites.

However, unlike the lawsuits filed against Advocate Aurora and other health systems, the case levied against Cedars-Sinai is not based on a breach notice. There’s no posting on the health system’s website, nor on the Department of Health and Human Services breach reporting tool.

Instead, the allegations are being brought by a patient known only as “John Doe,” based on claims that “Cedars-Sinai chose to include the Pixel on its website.” The language used in the lawsuit bears similarities to the 2022 reports.

“When a patient entered the following information, the information would simultaneously be shared with Meta: The types of medical treatment the patient sought; The name, gender, language, and specialty of the physician(s) that the patient specified when seeking treatment,” and other highly sensitive information tied to hospital visits, according to court documents.

“The Pixel code enables Meta not only to help Cedars-Sinai with advertising to its own patients outside the Cedars-Sinai website, but also to include individual patients among groups targeted by other advertisers relating to the conditions about which patients communicated on the Cedars-Sinai’s Website,” the lawsuit continues.

The lawsuit further claims that due to the use of Pixel and Facebook’s embedded code, “secret instructions” are sent back to a user’s browser without notifying the patient, which “causes the browser to secretly duplicate the communication with Cedars-Sinai” before it’s transmitted back to Facebook’s servers with other highly sensitive information about the user.

This information is allegedly collected by Meta and processed with its core and “lookalike” audiences. The medical information pulled together with the user’s profile can be “easily linked to the individual.”

The patient behind the lawsuit claims he was targeted with highly specific ads as a result of these practices, including marketing schemes about his chronic illness.

Cedars-Sinai is accused of violating a host of state laws, including the California Invasion of Privacy Act, the privacy rights protected by California’s Constitution, California’s Confidentiality of Medical Information Act, and California’s Unfair Competition Law, as well as breaches of implied contract and other tortious acts.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.