A new study shows how websites and apps gather people’s sensitive health-related information, sometimes without consent, and channel it to the social media giant to generate business.


Digital health companies are funneling sensitive data that patients have shared with them to Facebook to help target advertisements, according to a new study from research group the Light Collective. In some cases this sharing is running afoul of the companies’ own privacy policies and raising concerns about HIPAA violations.

The peer-reviewed study, published Monday in Patterns, a data science journal, examines the way data from individuals’ health-related activity online is tracked across websites or platforms and then used for advertising purposes on Facebook. The researchers studied the online activities of 10 participants active in the online cancer community who had used digital health tools from five different companies: Color Genomics, Myriad Genetics, Invitae, Health Union and Ciitizen. They found that third-party ad trackers used by those companies followed the patients online and marketed to them based on those activities. Three of the companies went against their own privacy policies in the process.

The authors said that after disclosing their findings to the five companies, only Ciitizen and Invitae responded, saying they were investigating the privacy issues with the tracking tools. None of the five companies had responded to requests for comment from Forbes at the time of publication.

Dale Hogan, a spokesperson for Facebook’s parent, Meta, said that these companies should not be sharing personal health information with the social media platform in the first place because that violates Meta’s rules. “Advertisers should not send sensitive information about people through our Business Tools as doing so is against our policies,” he wrote in an emailed statement. “We educate advertisers on properly setting up Business tools to prevent this from occurring. Our system is designed to filter out potentially sensitive data it is able to detect.”

Andrea Downing, cofounder of the Light Collective, which is focused on privacy issues in the online world, said “data gathering and predictive algorithms that are used for advertising and other purposes are one of the biggest threats to online patient communities.” It puts them at greater risk of discrimination and online scams, the authors wrote, adding that tracking software can make cancer-patient populations in particular more vulnerable to medical misinformation and privacy breaches.

Despite the small scale of the study, it is indicative of larger data-sharing trends across digital health and social media. An investigation published earlier this summer by The Markup, for example, revealed how hospital websites use trackers to gather and share sensitive patient information with Facebook for marketing, in possible violation of the Health Insurance Portability and Accountability Act, or HIPAA.

Lengthy, ambiguous privacy policies for these apps often leave users unclear on how their data will be collected, shared and used. Some platforms also engage in risky data practices without individuals’ consent. The new research, co-authored by Eric Perakslis, chief science and digital officer at the Duke Clinical Research Institute, is intended to raise awareness around both.

“Health privacy is a basic requirement in digital medicine for reducing the abuse of power and supporting patient autonomy,” the authors write.

“While the digital medicine ecosystem relies on social media to recruit and build their businesses” through ads and marketing, they add, “these practices sometimes contradict their own stated privacy policies and promises to users.”