96% of US hospital websites share visitor info with Meta, Google, data brokers (theregister.com)
223 points by LinuxBender 9 months ago | 62 comments



I have a regular prescription I have gotten refilled at Kaiser Permanente for years. I use their online site and get my meds mailed to me.

It may have been 2 years ago or so, but the process stopped working and wouldn't accept my confirmation after giving my credit card info. I've got a handful of privacy tools on my browser. I finally gave in and temporarily whitelisted the pharmacy and still cleared out any trackers. Sent the web admin a basic, "WTF, folks?" and got a BS non-answer.

Fast forward to maybe November or December last year. Refill time, and the trackers were even worse. I kind of need my meds though. So I created a new account on my computer, and ordered my meds.

Then I filed a complaint of a possible HIPAA violation, starting at https://www.hhs.gov/hipaa/filing-a-complaint/index.html and was polite, factual, and provided some non-hysterical examples of how a prescription could indicate a specific health issue with resulting advertising or PII release to parties not needing it.

I received an email at the end of February. I was probably not the only person that sent a complaint, but the end result is that KP is being investigated.

Yay.


I went through a similar gauntlet with Kaiser as well.

This was years ago, but I complained that Kaiser had trackers throughout its website for doubleclick and googletagmanager. (Nowadays they don't use those domains and go directly to google.com, I assume because people don't block that.)

I complained.

To be clear, the tracking links traverse the entire website - communication with your doctor, test results, prescriptions, even the complaint form I filled out.

I got the same sort of non-answers. I pushed and pushed and finally, I did get an answer - "the website is a convenience".

I blocked the trackers, and pretty soon to continue to use the website, I had to agree to the privacy policy.

I didn't agree. I stopped using the website.

But they wouldn't let me delete my account. (I think California law allows you to ask.) I called multiple times. I still have an account and get emails from them.


Thanks for holding them accountable. This stuff is such a needless barrier to care for so many people.


Good, thank you for fighting the good fight.

I do wonder whether it's possible to inject harmless stubs for these trackers so you don't have to deal with the bureaucracy of filing a complaint though. Then again, stubbing helps a few techy people, filing a formal complaint helps everyone.


Could you document your steps with more details so other people can reproduce and file complaints as well?


Didn't expect something relevant to what I do to show up on HN. This has been a hot button issue for the last two years ever since the Markup did a report on hospitals sharing data with Facebook[0]. Since then the government has explicitly called this out as a problem[1] and a number of hospitals and related companies are dealing with fines and lawsuits[2][3][4]

Given the government is actually enforcing the law for once, this is one of the few times I've seen people take regulation like this seriously.

[0] https://themarkup.org/pixel-hunt/2022/06/16/facebook-is-rece...

[1] https://www.hhs.gov/hipaa/for-professionals/privacy/guidance...

[2] https://www.ftc.gov/news-events/news/press-releases/2023/07/...

[3] https://www.ftc.gov/news-events/news/press-releases/2023/02/...

[4] https://finance.yahoo.com/news/costco-sued-accused-sharing-c...


The title of the original article is a little misleading. It's _website_ visitor tracking and it looks like it's really just advertising analytics... That's maybe bad but it's also the same as like... 98% of all other websites.


That's really pretty much everything, google knows you may think you have breast cancer -- email, gender, age, visit pages, etc. Certain sites and information classes/types are not just like the rest of 98%.


The title is totally misleading. It very much implies that hospitals are giving data about visitors to the hospital, which would be incredibly egregious.

Tracking website visitors is bad, but is something I 100% expect. If others aren't expecting this, that's a serious problem. People should absolutely be warned when it happens (or, better, laws should exist to prevent it from happening).

But web visitor tracking is not nearly as sensitive as tracking visitors to the hospitals (or any other health care provider premises) themselves.

I avoid the data leakage for sensitive things like health care by never using websites related to those things. I know that people often forget this, but at least in the US, using a website to interact with health care providers is not actually mandatory.


> I avoid the data leakage for sensitive things like health care by never using websites related to those things. I know that people often forget this, but at least in the US, using a website to interact with health care providers is not actually mandatory.

It is not mandatory but is made extremely onerous. I can get on the web site, authenticate while tracked, enter my request, or I can call an automated maze, get repeatedly dropped, talk to a ChatGPT knock-off, get dropped again, and maybe I get a human to answer my request. Then, I get an email asking if I am satisfied with the service.


Interesting. I have to admit, I've never had a problem talking to doctor's offices or the hospitals in my area by phone. No onerous phone trees (just a simple initial menu), no voice robots, and usually only a short wait to talk to a human.

I need to stop complaining about my hospital. Apparently, this is one area where they're above the grade. But even if my phone experience was like yours, I'd still use the phone instead of the web site due to privacy concerns.

In the end, as with all privacy/security issues, there's an inherent tradeoff between convenience and security. Everyone has a different place on that spectrum where they're most comfortable. But at least we can choose how much of a tradeoff we're willing to engage in.


Website visitor information is still really sensitive. If you book an HIV test online, you probably don't want Google and Facebook to know that.


[flagged]


Imagine you stated online that you don't like the fact that your Uber ride data is being sold to Facebook. Then imagine someone said, "If you don't like the Zuck or Googs knowing your whereabouts and who you are visiting, just walk when you need to go somewhere." Hopefully you'll realize why you are being down-voted.


Just because you think it is okay to continue to feed the beast is not my issue. I can spare the -4 points to engage the discussion.

I also don't use Uber because I don't support their history even if they might no longer behave that way now. You don't have to walk just because you don't use Uber. There are other ways to get around. The fact that you feel this way just means to me that you've drunk too much of the Kool-aid.

Society has become lazy/complacent with the status quo, and does not want to put forth the effort to fight for the rights that they so freely complain about on web forums. Yes, things can be more convenient if you are willing to accept the true costs. Things can be more difficult when you choose to not accept the true costs. Just because they are more difficult does not mean it is impossible.


Your reply is not only a non sequitur, the claims you make about me are factually wrong. I have never had a facebook account, nor instagram, nor twitter, and I've never taken an uber. But you claim I've overdosed on the kool-aid.

My point was you are very cavalier about how easy it is for people to avoid what is structurally difficult to avoid. For instance, rather than going to the website to look up information, one should go to the hospital and ask someone in person.

You should also have some empathy for people who have no idea that a hospital might sell their information.


About 98% of hospitals have committed some form of medical malpractice. The major problem is when people start accepting this as acceptable behavior. There are multiple places where sharing information with advertisers should be greatly restricted, including hospitals, lawyers, priests and so on. Government institutions like police emergency information centers should also avoid sharing data with advertisers, especially if that information gets transported over the border.

Yes, people make bad decisions all the time. Hospitals are not perfect and mistakes happen. They should however not continue making mistakes that harm patients.


Most hospital or medical websites do require some sort of authentication to access PHI.

The tracking is continued post authentication, making the identity to PHI significantly stronger.


Don’t people go to a website to find their specific doctor, department, or treatment options?


How many of these websites remember to completely disable analytics on the sensitive logged-in portions of the site? Completely disable doesn’t mean “an intern once logged in to the analytics provider’s config page and asked them to, pretty please, not log certain pages, and no one ever re-checks that config.” The analytics script should straight-up not be present on the sensitive URLs.

(Frankly, the script should not be present at all on the sensitive origin. Ever heard of fetch or service workers or any other same-origin mechanism of collecting data?)
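One way to check the point made in the comment above, as an added example that is not part of the thread: a static audit that lists the third-party hosts loaded by pages under a sensitive path. The `hospital.example` pages, the `/portal/` prefix and `pixel.tracker.example` are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose attribute makes the browser issue a request when the page loads.
FETCHING = {"script": "src", "img": "src", "iframe": "src", "link": "href"}
LINK_RELS = {"stylesheet", "preload", "modulepreload", "prefetch", "preconnect", "icon"}


class _Collector(HTMLParser):
    """Collect absolute URLs of resources a page loads automatically."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = FETCHING.get(tag)
        values = dict(attrs)
        if attr is None or not values.get(attr):
            return
        rels = set((values.get("rel") or "").lower().split())
        if tag == "link" and not LINK_RELS & rels:
            return  # e.g. rel="canonical" is metadata, not a fetch
        # urljoin resolves relative and protocol-relative ("//host/x") references.
        self.urls.append(urljoin(self.page_url, values[attr]))


def third_party_hosts(page_url, html):
    """Return the sorted hosts, other than the page's own, that the HTML loads from."""
    own = urlsplit(page_url).hostname
    parser = _Collector(page_url)
    parser.feed(html)
    hosts = {urlsplit(u).hostname for u in parser.urls}
    return sorted(h for h in hosts if h and h != own)


def audit(pages, sensitive_prefixes):
    """Map each page under a sensitive path prefix to the third-party hosts on it."""
    findings = {}
    for url, html in pages.items():
        if urlsplit(url).path.startswith(tuple(sensitive_prefixes)):
            hosts = third_party_hosts(url, html)
            if hosts:
                findings[url] = hosts
    return findings


# Constructed sample pages (not taken from any real site).
PAGES = {
    "https://hospital.example/visiting-hours":
        '<script src="https://www.googletagmanager.com/gtm.js"></script>',
    "https://hospital.example/portal/results":
        '<script src="/static/app.js"></script><img src="//pixel.tracker.example/p.gif">',
    "https://hospital.example/portal/messages":
        '<script src="/static/app.js"></script><link rel="stylesheet" href="/static/site.css">',
}
SENSITIVE = ["/portal/"]

if __name__ == "__main__":
    for url, hosts in audit(PAGES, SENSITIVE).items():
        print(url, "->", ", ".join(hosts))
```

A static check like this only sees tags present in the served HTML; scripts injected at runtime by a tag manager need a browser-based crawl or a restrictive Content-Security-Policy on the sensitive paths to catch.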


I’ve worked with the marketing folks for a large hospital and it is my strong belief that they haven’t considered the implications of sharing this data.

Legislation is in order to define what analytics companies cannot do with data from healthcare sites.

I’m not sure if there are other categories which ought to be protected, but healthcare is certainly one.


A hospital shouldn’t have to do marketing. They should focus on providing health care.


Even in a fully public, NHS-like system, they do. Come to X hospital, no need to go to [big city] for your [surgery] when you can have it here - well, if they don't do this, people will go to the [big city], and if it goes on long enough, the NHS-like system will cut their funding and possibly reassign surgical specialists away due to lack of activity. That leaves the smaller city with less access to healthcare, even if it's free to the user at the point of service.

[EDIT: my karma is now 667. Would someone please remove their upvote just for a bit? A screenshot of "devilbunny (666)" from HN would be a great little digital memento.]


The only marketing a hospital should do is by publishing quality metrics and cost. That’s all patients need to know.


While outcomes will be better, each interaction will be more painful. Taking your parent to an appointment need not take a full day, but if it is two hours’ travel each way….


Here's a downvote :)


Thanks, but two other people found something else I wrote worthy in the meantime. Urgh. I mean, I could lose points easily, the hard part is only losing one or two, not forty. Um, emacs and vi are both pretty useful editors and there's really no big difference when you get used to one of them? I mostly like pico for editing?

[karma whirring up and down could power a small city]


Just use the browser dev tools to change it to whatever you want. And then take the screenshot.


Cheating. And I'm actually not a developer, so I had to look up how to open dev tools.


I believe that this comment is unintentionally the reason healthcare is broken in America.

America is capitalist and federalist. That means either hospitals are for profit entities, non-profit entities or government owned entities.

Ducks quack, for profit entities attempt to grow profits, non-profit entities attempt to grow donors and government entities attempt to keep things the way they were yesterday.

As a society, we can pick which models we allow and in which allocation, but we can't ask a duck to be a swan - each option has positives and negatives.

When we ask for the positives without the negatives, then complain when the inevitable negatives come, is the fault with the model or with our expectations?

The better way is to iterate and grapple with the rewards in the system and where transparency should be forced or legislated. Change the incentives and you'll change the behavior. Unfortunately, you will also encounter new and unexpected negative effects...see: ducks quack.


Privatizing and moving to for-profit hospitals has been a boon for PE. All this attention on patient outcomes is just slowing down the inevitable transition. /s


Legislation is in order to define what analytics companies cannot do with data from ANY site.

While the TFA might be about hospitals specifically, your suggestion that we need regulation should not be focused on just healthcare/HIPAA type situations. These data hoarders need to be reined in if not just eliminated.


I'd rather see any kind of data legislation be an allowlist, not a denylist.


Link to the actual study cited in the article -

https://jamanetwork.com/journals/jamanetworkopen/fullarticle...

And at a quick glance it looks like it is mostly related to website information, not PHI or PII.


> is mostly related to website information, not PHI or PII

If you are looking for an oncologist or abortions or whatever else, that's PHI. We know well that the industry has profiles on Americans and probably can identify you.


Exactly! If hospital systems are selling this, who is buying it? Health insurance companies. Then they can judge if they should still cover you or raise your rates.


Yes, and many other organizations also want this information. Your detailed profile is valuable, and my impression is that health info is particularly valuable.


Note that website information can still be PHI.

From[0]:

> if an individual were looking at a hospital’s webpage listing its oncology services to seek a second opinion on treatment options for their brain tumor, the collection and transmission of the individual’s IP address, geographic location, or other identifying information showing their visit to that webpage is a disclosure of PHI to the extent that the information is both identifiable and related to the individual’s health or future health care

[0] https://www.hhs.gov/hipaa/for-professionals/privacy/guidance...


So either I'm closer to paranoid delusional or you're closer to being naive if you don't think that the people receiving this information cannot infer this data from your browsing session.


Are they sharing search terms, type of doctors selected, symptom checking info which is common on these websites? Especially if all data can be used to uniquely identify, this is pretty problematic.


If you've used Google Analytics, you know that a lot of this would be implicitly shared. Like the top comment, I think hospitals just aren't thinking about how disastrous this is.


Facebook widgets definitely attempt to track this sort of information. Anything that goes in the URL bar is trivial to grab, but pretty much anything typed on a page is also snaggable.


Once your data is inside the hospital it can still be widely shared, though subject to regulation. I was part of two research efforts called SHARPS and THaW that studied trust, privacy, and security in medical systems:

https://sharps.org/ https://thaw.org/

One research group analyzed how patient data is shared inside medical systems and found that in some cases as many as 300 different entities had access to your data. The billing companies, consultants, out of network clinicians, staff, testing companies, supply companies, IT management companies, outside expert consultations, insurance companies, medical device companies, data analysis companies, and many more. In some cases it was unclear if the data was further shared with subcontractors and other third parties.


Clearly the HN crowd believes this is a much bigger problem than 99% of the population. I just don’t see it being fixed anytime soon. Depressing.


It’s interesting how, most if not all, hospitals have switched to use Mychart https://www.mychart.org!


The sad part is that even if none of these hospitals used such widgets, Chrome or Edge are sharing most of the same information with Google and Microsoft anyway.


I think the term "data broker" is getting slightly abused. Using Google Analytics or a Facebook pixel is almost mandatory for understanding how your site is used. Especially if you don't have a super sophisticated marketing team who can be more bespoke about it. They also mention tools like Hotjar which is usually used for those little popup surveys. Companies that share data with brokers usually do it via backend processes that would not be visible from a network inspector.


Hotjar’s flagship functionality is heat maps and session recordings — which show aggregate and individual mouse movements, respectively.


Are they sharing health data?


Well, you generally browse the pages that are relevant to your health concerns, so it's indirect health data.

It's how building a profile works. No one tells Google or Facebook "Zack likes Ferrari", but Zack's browsing of Ferrari articles tells that about him.


Knowing you visited a hospital at a certain time and date would be health data, right? Are they just sharing like, email addresses in a big list, or are they giving metadata about when people show up?


It depends, basically. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance...

> Regulated entities may also have unauthenticated webpages, which are webpages that do not require users to log in before they are able to access the webpage, such as a webpage with general information about the regulated entity like their location, visiting hours, employment opportunities, or their policies and procedures. Tracking technologies on many unauthenticated webpages do not have access to individuals’ PHI; in this case, a regulated entity’s use of such tracking technologies is not regulated by the HIPAA Rules. However, in some cases, tracking technologies on unauthenticated webpages may have access to PHI, in which case the HIPAA Rules apply to the regulated entities’ use of tracking technologies and disclosures to the tracking technology vendors. Regulated entities are required to “[e]nsure the confidentiality, integrity, and availability of all electronic PHI the [regulated entity] creates, receives, maintains, or transmits.” Thus, regulated entities that are considering the use of online tracking technologies should consider whether any PHI will be transmitted to a tracking technology vendor, and take appropriate steps consistent with the HIPAA Rules.


Which doctors you go to and what types of specialities you search for can tell a lot about a person. Oh, did they search for mental health clinics? Or dialysis treatment? Or abortion providers? Or gender reassignment surgery? Or vasectomy providers? Depending on where the widgets are placed, they might could tell when your appointments are or what messages you send to your doctor through their clinic's website.


Of course not - only visited pages, time spent on them, stuff like that.


Like when you visit “cancer patient support resources” and read for a while…


That greatly depends on implementation. I’ve been implementing Google Ads, Analytics, and Tag Manager for a medical practice recently. Google’s official stance is that PHI is categorically prohibited to send to Ads/Analytics services, but it’s very easy for a marketing firm to unwittingly do.

Thankfully I’m working with a conscientious marketing firm and our client is diligent and well meaning, so it’s easy to avoid the pitfalls, but naively following many integration walkthroughs could have you sending entire form content to Google (or others). I’m sure that’s one of the reasons Google explicitly says “don’t put us on your EMR pages” (paraphrased).


I didn't imply ads at all - Google Analytics has quite extensive info about the patient, the 'user', as is. The visited sites/subsections and stuff would be quite revealing.

Just using the same massive aggregator as your metrics provider is where it gets wrong.


That’s true! Our client is a small practice in pediatrics so we don’t face the same challenges as say, the Mayo Clinic would, in trying to avoid profiling based on indirect information.

Most people aren’t going to be browsing the Betty Ford clinic for fun. They’re looking for something specific. That’s juicy for analytics. I’m glad I don’t have to deal with that challenge.

(Conversion matching quality isn’t a fun challenge either. We’ve landed at “the practice will have to do that themselves to avoid the privacy obstacles”.)


96% of… all websites.


Don't you think hospitals should be held to a higher standard than the analytics gathered when you visit, say, dominoes.com?


Not really. I think all of them should be held to high enough standards that this isn't an issue with any of them.


Writing this as a citizen of the country, what the fuck is wrong with the United States? Why is the continued debasement of its citizens something that they put up with?


If you’re in tech, you can first look to your industry coworkers clearing $500k tc at the companies building and maintaining these products.

Not too far from being a cigarette salesman at Philip Morris in 1980 these days, just like when the data was coming out on how toxic the product was, PM was hiring scientists to put out competing public studies and threatening funding of university research that countered them (Meta is doing this currently…), on and on.

Keep working there and ignore the growing research and civil impact like this article? Or..



