This article was originally published by The Defender — Children’s Health Defense’s News & Views Website.
Google, Microsoft, Facebook, TikTok and the majority of medical and healthcare websites illegally harvest and sell private health information despite a federal crackdown on the practice, according to a new cybersecurity report.
The report, by Toronto-based cybersecurity firm Feroot Security, analyzed hundreds of healthcare websites and found that more than 86% are collecting private data and transferring it to advertisers, marketers and Big Tech social media companies without user consent and in violation of privacy laws.
As patients or consumers browse their favorite or trusted medical websites or sign in to hospital portals to access their private health records, invisible bits of HTML code — called “tracking pixels” — embedded on the websites harvest private information, such as whether patients have cancer, erectile dysfunction or are behind on their hospital bill.
The information is repackaged and sold for a variety of uses, including to companies that target individual users with internet ads, according to the report.
The risk of having personal data scraped is particularly high on log-in and registration pages where internet users supply troves of information, unaware it is being hijacked and sold. More than 73% of log-in and registration pages have invisible trackers that pirate personal health information, the study found.
Approximately 15% of the tracking pixels analyzed by Feroot record users’ keystrokes, harvesting social security numbers, usernames and passwords, credit card and banking information, and an infinite variety of personal health data, including medical diagnosis and treatment.
The study showed that “Google is the absolute dominant collector” of data. Ninety-two percent of the websites loaded on the Google search engine contained data-harvesting technology across wide sectors of the U.S. economy including healthcare and telehealth, banking and financial services, airlines, e-commerce, and the federal and state governments.
The number two offender was Microsoft with 50.4% of websites on its platform hiding tracking tools, with Facebook next at 50.2% percent and TikTok at 7.41% percent and growing fast.
Google, as the driver of its parent Alphabet, the world’s fourth largest company, is often called “the most powerful company in the world.” It counts on advertising, a lifeblood of the global digital economy, for 80% of its revenue.
Microsoft and Facebook “round up the Top 3” of companies that systematically breach data, the report said. Representatives of Google, Microsoft, and Facebook denied their companies used tracking pixels to harvest personal data.
Website owners are responsible for controlling data collection, a Google spokesperson said. Google policy prohibits Google Analytics and advertising customers, including for example hospital or telehealth websites, from collecting health data in violation of the U.S. Health Insurance Portability and Accountability Act (HIPAA). It’s up to the websites to determine “whether they are HIPAA-regulated entities and what their obligations are under HIPAA,” Google policy says.
Personal health data collected by a tracker or third party without a user’s consent is a violation of HIPAA, said Feroot CEO Ivan Tsarynny.
Big Tech companies “do have policies that talk about protecting health info,” Tsarynny said. But “the real-world application of these policies is a different story.”
Feroot’s study comes as “concern grows regarding data mining companies using pixels/trackers that load into browsers from websites to collect privacy and sensitive user data,” the report stated.
“Compliance regulators and government authorities are increasingly stepping in with bans, restrictions, and executive orders to curb them.”
Eighteen major hospital systems were sued this year for sharing patients’ sensitive health data with Google, Facebook and other tech giants in violation of privacy laws, according to Becker’s Hospital Review.
They include prominent academic medical centers such as the University of Pittsburgh Medical Center, the University of Chicago Medical Center, the University of Iowa Medical Center, Chicago-based Northwestern Memorial Hospital and the University of California San Francisco Medical Center.
Prompted by growing concerns over data theft and the article, “‘Out of Control’: Dozens of Telehealth Startups Sent Sensitive Health Information to Big Tech Companies,” Feroot launched an investigation “to ascertain the exact magnitude and pervasiveness of social media pixels/trackers collecting and transferring personal, sensitive, and private data using pixels or trackers.”
The security platform Feroot sells to companies “made it possible to get detailed facts regarding active client-side e-skimming,” the company said.
Feroot collected data on pixels/trackers during an eight-week period in January and February.
The company said it examined more than 3,675 organizations with unique websites in seven economic sectors. It studied 108,836 unique web pages, including especially vulnerable login, registration and credit card processing pages, 227 trackers and 7 million data transfers.
Key findings from ‘Beware of Pixels & Trackers’:
- Pixel trackers are “common and abundant” — an average of 13.16 pixels/trackers were found per website, “with Google, Microsoft, Meta (owner of Facebook), ByteDance (owner of TikTok), and Adobe being some of the most common.”
- “Mission-critical” webpages, such as log-in or registration pages, increase the risk of exposing private information. An average of 5.96% of websites had pixels/trackers on webpages reading user input forms containing privacy or sensitive data.
- Pixel trackers transfer data to foreign locations around the globe — “about 5% of the data transferred by pixels/trackers loaded from US-based websites is sent outside the US.”
- Pixel trackers collect and transfer data without first obtaining the explicit consent of visitors.
- Pixels and trackers are loading from domains banned by the U.S. government and various U.S. states and even from some of those same governments, including Russia and China. Data obtained by Russian and Chinese websites is a security risk from surveillance and spying.
- Meta (owner of Facebook and Instagram) and TikTok, owned by Chinese company ByteDance, were “particularly worrisome” for privacy invasion and surveillance risks. Thirty-four U.S. states, both Republican and Democratic-controlled, have banned the use of TikTok on government devices. Montana in May banned the app on all personal devices.
- TikTok is often present whether or not the TikTok app is deleted. TikTok pixels/trackers can still “load into webpages handling mission-critical user data and can collect and transfer it.”
GoodRX case highlights corporate deceit around data-sharing
While corporations face losing profit and reputation from data breaches or fines for causing them, individuals face a potentially catastrophic loss of privacy when major health websites harvest and sell their information, according to the Federal Trade Commission (FTC).
In February, the FTC fined popular discount drug and telehealth site GoodRx for “failing to report its unauthorized disclosure of consumer health data to Facebook, Google, and other companies.”
The action to “bar GoodRx from sharing consumers’ sensitive health information for advertising” was the FTC’s first enforcement action under its Health Breach Notification Rule.
“Digital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information,” FTC Bureau of Consumer Protection Director Samuel Levine said in a news release after the settlement. “The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.”
The FTC enforcement against GoodRx revealed a particularly egregious, yet not uncommon, example of how corporate health and medical websites betray patient trust and manipulate patient data, the FTC said.
According to the FTC’s complaint, GoodRx violated the law by improperly sharing sensitive personal health information since at least 2017, though it promised otherwise.
The company “deceptively promised its users that it would never share personal health information with advertisers or other third parties,” the FTC charged, and deceptively displayed a seal at the bottom of its telehealth services homepage “falsely suggesting to consumers that it complied with … HIPAA.”
In reality, the FTC complaint said, GoodRx “monetized its users’ personal health information, and used data it shared with Facebook to target GoodRx’s own users with personalized health- and medication-specific advertisements on Facebook and Instagram.”
For example, GoodRx in August 2019 made lists of its users “who had purchased particular medications such as those used to treat heart disease and blood pressure, and uploaded their email addresses, phone numbers, and mobile advertising IDs to Facebook so it could identify their profiles,” according to the complaint.
“GoodRx then used that information to target these users with health-related advertisements.”
People who accessed GoodRx coupons to purchase, for instance, Viagra would see ads for erectile dysfunction medication on their Facebook or Instagram page ads, the FTC says.
“Similarly, people who had used GoodRx’s telehealth services to get treatment for sexually transmitted diseases would get ads for STD testing services.”
GoodRx disclosed to Facebook the medication purchase data it receives from pharmacy benefit managers and also used the data to target ads.
By using Facebook’s ad targeting platform, the FTC said, “GoodRx designed campaigns that targeted customers with ads based on their health information. For example, if a customer had revealed a possible erectile dysfunction issue to GoodRx, they might have seen an ad on Facebook like Exhibit A in the FTC complaint.”
In February, California-based GoodRx, a $2.1 billion company, paid a $1.5 million civil penalty to the FTC to settle the complaint and denied any wrongdoing.
Howard Danzig, founder and president of Employers Committed to Control Health Insurance Costs, said “fining GoodRx just $1.5 million dollars is not even a slap on the wrist. While many employers are so vigilant about respecting the guidelines of the HIPAA privacy laws, large tech companies basically get a pass.”
“How about major penalties for Facebook, Google and any others who were the beneficiaries of this information?” he wrote on his LinkedIn page with almost 9,000 followers.
“How about determining whether or not there were any criminal violations that should be pursued against the individuals who actually collaborated to do this? How about ‘REPARATIONS’ from the companies involved to the people and customers whose privacy was breached?”
The data breach occurred for “advertising purposes,” he noted. “How far afield can this really be taken and how far afield has it been taken?”
This article was originally published by The Defender — Children’s Health Defense’s News & Views Website under Creative Commons license CC BY-NC-ND 4.0. Please consider subscribing to The Defender or donating to Children’s Health Defense.
How to Prepare for Food Emergencies if You Don’t Have a Homestead or Bunker
In an unpredictable world, where supply chain disruptions, natural disasters, or economic instability can strike without warning, having a reliable food supply is more than just smart—it’s essential for survival. Whether you’re a “prepper” or not, we all know the golden rule: self-sufficiency is key. But what if you’re living in an apartment, working long hours, or simply don’t have the land to turn into a thriving homestead? Don’t worry; there’s a practical, effective way to build your food security without needing acres of soil or a fortified bunker.
The Ideal Prep: Building Your Own Food Empire
The ultimate dream for any serious prepper is controlling your own food production. Imagine waking up to a sprawling garden bursting with fresh vegetables, fruits, and herbs—tomatoes ripening on the vine, potatoes ready to harvest, and greens that provide nutrition year-round. Add in livestock like chickens for eggs and meat, and you’ve got a self-sustaining system that keeps your family fed no matter what chaos unfolds outside.
This approach isn’t just about calories; it’s about resilience. A well-maintained garden can yield hundreds of pounds of produce annually, while a small flock of chickens might produce dozens of eggs weekly. It’s empowering, cost-effective in the long run, and teaches invaluable skills like crop rotation, animal husbandry, and preservation techniques. If you have the space, time, and resources, starting small and scaling up is the best path to true independence.
The Reality Check: Not Everyone Can Homestead
But let’s face it—not all of us are in a position to go full homesteader. Urban dwellers might be limited to a balcony or community plot that’s far from sufficient for long-term needs. Busy professionals juggling jobs, families, and daily life often lack the hours required for daily tending. And for those in apartments, condos, or regions with harsh climates, raising livestock or maintaining a large garden simply isn’t feasible. Factors like zoning laws, soil quality, water access, or even physical limitations can make this ideal out of reach.
That’s where the frustration sets in. You want to be prepared, but without a homestead or bunker, how do you ensure your pantry doesn’t run dry during a prolonged crisis? The good news is, you don’t have to sacrifice your preparedness goals. There’s a smart, accessible alternative that bridges the gap: investing in high-quality, long-term storage food.
The Smart Alternative: Long-Term Storage Food from Heaven’s Harvest
Long-term storage food is designed for exactly these scenarios—providing nutrient-dense, shelf-stable meals that last for decades without refrigeration or special conditions. It’s the perfect solution for preppers who can’t rely on fresh production but still demand reliability and variety in their emergency stockpile.
At Heaven’s Harvest, they specialize in premium survival food kits that make preparedness effortless. Their products are crafted with the prepper mindset in mind: non-GMO, made in the USA, and packed with real ingredients that taste like home-cooked meals, not bland rations. Whether you’re stocking up for a short-term blackout or a long-haul SHTF event, our kits offer:
- Extended Shelf Life: Up to 25 years of storage, so you can buy once and forget about rotation worries.
- Nutritional Balance: High-protein entrees, fruits, vegetables, and dairy alternatives to keep your energy up and health intact.
- Ease of Preparation: Just add water, and you’ve got hearty meals like beef stroganoff, chili mac, or cheesy lasagna ready in minutes—no garden weeding required.
- Customizable Options: From individual buckets to family-sized kits, scale your supply to fit your needs and budget.
- Peace of Mind: Sealed in durable, waterproof containers that protect against pests, moisture, and light.
Unlike generic store-bought cans that spoil quickly or lack variety, Heaven’s Harvest focuses on quality and sustainability. Our food is freeze-dried or dehydrated to lock in flavor and nutrients, ensuring you’re not just surviving but thriving. And for those concerned about allergens or dietary preferences, we offer gluten-free and vegetarian options to keep everyone covered.
Why Wait? Secure Your Food Supply Today
Preparing for food emergencies doesn’t require a homestead or bunker—it requires action. By choosing long-term storage food from Heaven’s Harvest, you’re taking control in a way that fits your lifestyle. Start small with a 72-hour kit to test the waters, or go all-in with a year’s supply for ultimate security.
Visit Heaven’s Harvest today and use code “PATRIOT” for an exclusive discount on your order. Don’t let limitations hold you back; build your resilient future, one meal at a time. Your family will thank you when it matters most.