96% of US hospital websites share visitor info with Meta, Google, data brokers
New research by academics at the University of Pennsylvania has shed light on a concerning trend: hospitals are engaging in widespread data-sharing practices with tech giants like Google and Meta, as well as other third-party entities.
The study scrutinized 100 non-federal acute care hospitals and found a staggering 96% were transmitting user data to external parties via their websites.
"It's shocking, and really kind of incomprehensible," said Dr Ari Friedman, an assistant professor of emergency medicine at the University of Pennsylvania, who – along with Matthew McCoy, Angela Wu, Sam Burdyl, Yungjee Kim, Noell Kristen Smith, and Rachel Gonzales – authored the paper.
"People have cared about health privacy for a really, really, really long time. It's very fundamental to human nature. Even if it's information that you would have shared with people, there's still a loss, just an intrinsic loss, when you don't even have control over who you share that information with."
The researchers note that not all the hospital websites had a privacy policy, and of the 71 that did, only 56 disclosed specific third-party companies that could receive user information.
Also, only 69 stated the data they collected, which includes IP addresses, web browser name and version, pages visited on the website, and the website from which the user arrived.
Google and Meta were the most featured recipients of this data.
"In every study we've done, in any part of the health system, Google, whose parent company is Alphabet, is on nearly every page, including hospitals," Friedman observed. "Meta was on a little over half of hospital webpages, and the Meta Pixel is notable because it seems to be one of the grabbier entities out there in terms of tracking."
Other prominent entities identified as recipients of the data include Adobe, Oracle, Microsoft, The Trade Desk, Verizon, analytics firms such as Hotjar, and data brokers like Acxiom.
"Two-thirds of hospital websites had some kind of data transfer to a third-party domain that we couldn't even identify," Friedman added, underscoring the expansive network of data exchange.
While hospital websites are not legally obligated to publish comprehensive privacy policies, those that do must ensure compliance with governmental regulations, such as laying out their processes for deleting personal information upon request.
Failure to uphold privacy standards could invite regulatory scrutiny and potential legal repercussions from bodies such as the Federal Trade Commission.
On whether the hospitals are doing this for financial gain, Friedman noted that most likely the hospitals don't get any form of compensation from the third parties. He suggested that the reason for this rampant data collection is that we exist in a time when user data is invaluable for the ad market and all current systems are set up to facilitate data harvesting.
Friedman then urged the hospitals to make use of the IT resources around them to create better systems.
"Many hospitals are academic hospitals and have computer science departments that they could collaborate with, and design new tools and startups, which is something universities are good at doing. Build a new web that doesn't involve as much tracking," he said.
The new report from the University of Pennsylvania builds on a study the researchers published a year ago of 3,747 US non-federal hospital websites. That study found that 98.6 percent tracked and transferred visitors' data to large tech and social media companies, advertising firms, and data brokers.