
Breach of Data Or Breach of Trust? Hospitals Need to Be More Careful With Patient Data

Ariel Sasson


People are supposed to trust that hospitals and medical professionals – those tasked with promoting their health and wellbeing – are looking out for their best interest. But that trust becomes difficult to maintain when studies reveal that a staggering 33% of top American hospitals and telehealth organizations have shared their patients’ personal medical information with third parties like Meta and Google. 

By now, most of us understand the dangers and harms caused by a data breach: identity theft, financial fraud, invasive targeting, manipulative advertising, relentless spamming, and exploitation of personal details for profit. But the stakes are even higher when it comes to medical data breaches – information about a person’s health conditions, diagnoses, medications, treatments, frequency of visits to healthcare professionals, where an individual seeks medical treatment, and more.

The impermissible disclosure of medical records and other types of health information can expose a person to an even wider range of harms, including stigma, mental anguish, and other serious negative consequences to their reputation, health, and physical safety. The fallout from a medical data breach extends far beyond the digital realm, impacting an individual’s fundamental sense of security, autonomy, and well-being. 

33% of top US hospitals share medical data with Facebook

In June 2022, The Markup published the results of an investigation, which found 33% of the top 100 hospitals in America are sending their patient data to Facebook. 

According to the investigation, the hospitals were using third-party tracking tools such as Google Analytics, Meta Pixel and others to track the activity of visitors to their sites. The tracking tools were then using that visitor-activity information for profit, including serving targeted ads. While many of these organizations may have robust compliance processes in place, having a process is not the same as being compliant. Such policies certainly help organizations stay in line with the law, but they do not guarantee it. Organizations must go above and beyond “tick box” processes to ensure their patients’ data is kept safe and that they are operating in a legal and ethical manner.
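The trackers named in the investigation are loaded by ordinary script, image or iframe tags, so a hospital's own security team can audit a page for them before a regulator does. The following is an added example (not code from the original article or from Darrow) that parses a page's HTML and flags Meta Pixel and Google tags by their well-known hosts and inline initialisation calls; the sample page is constructed for illustration, and the tracker-host list is an assumption that would need extending to cover every vendor a site might embed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Well-known hosts for the trackers named in the investigation (assumed list).
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel (image beacon)",
    "www.google-analytics.com": "Google Analytics",
    "www.googletagmanager.com": "Google Tag Manager",
}
# Inline JavaScript calls that initialise these trackers.
INLINE_MARKERS = {"fbq(": "Meta Pixel", "gtag(": "Google Analytics"}


class TrackerScanner(HTMLParser):
    """Collects (tag, tracker name, evidence) tuples while parsing HTML."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"
        src = dict(attrs).get("src")
        if tag in ("script", "img", "iframe") and src:
            host = urlparse(src).hostname or ""
            for tracker_host, name in TRACKER_HOSTS.items():
                if host == tracker_host or host.endswith("." + tracker_host):
                    self.findings.append((tag, name, src))

    def handle_data(self, data):
        # Script bodies are delivered here; look for the tracker bootstrap calls.
        if self._in_script:
            for marker, name in INLINE_MARKERS.items():
                if marker in data:
                    self.findings.append(("script", name, marker))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def scan_page(html):
    """Return every tracker loaded by one page's HTML, in document order."""
    scanner = TrackerScanner()
    scanner.feed(html)
    return scanner.findings


# Constructed sample: an appointment page that embeds the Meta Pixel (fake id).
SAMPLE_PAGE = """<html><head>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script>fbq('init', '000000000'); fbq('track', 'PageView');</script>
</head><body><form action="/appointments">Schedule an appointment</form>
<noscript><img src="https://www.facebook.com/tr?id=000000000&ev=PageView"/>
</noscript></body></html>"""

if __name__ == "__main__":
    for tag, name, evidence in scan_page(SAMPLE_PAGE):
        print(f"{tag:<7}{name:<28}{evidence}")
```

Running the scanner over the constructed page reports the external pixel script, the inline `fbq(` bootstrap and the `<noscript>` image beacon, which is the pattern a patient-facing form should never carry.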

Around a year after the investigation was published, 130 hospitals and telehealth providers across the US received a cautionary letter from the FTC and the US Department of Health and Human Services Office for Civil Rights. The letter alerted recipients that they may be in violation of the Health Insurance Portability and Accountability Act (HIPAA) – that their use of online tracking technologies may impermissibly disclose patients’ sensitive private health information to third parties. Penalties here can range from $137 per violation to $68,928, depending on the level of culpability.

In a statement, Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, said the following: “companies need to exercise extreme caution when using online tracking technologies and we will continue doing everything in our powers to protect consumers’ health information from potential misuse and exploitation. When consumers visit a hospital’s website or seek telehealth services, they should not have to worry that their most private and sensitive health information may be disclosed to advertisers and other unnamed, hidden third parties.”

With this letter, regulators are sending a clear message to the medical community that violations of this sort are rampant and are going to be a major focus for them. It serves as a warning that they will be doubling down on hospitals and telehealth providers that are in violation of laws related to online tracking.

Detecting HIPAA Violations At-Scale

HIPAA violations span a wide range, including the mishandling of medical records; using unencrypted technology to share protected health information (PHI); failing to safeguard devices that may be stolen; and failing to obtain proper authorization before sharing records.

There have been several recent notable HIPAA violations, including a $7.8 million settlement against BetterHealth; a $1.5 million settlement against GoodRx; a $1.3 million settlement against LA Care Health Plan; and a $1.25 million settlement against Banner Health. In addition, a class-action lawsuit has been filed against 23andMe as a result of a hacker gaining access to 6.9 million users’ genetic information. According to the HIPAA Journal’s Healthcare Data Breach Report (May 2023), more than 19 million individuals have had their health information exposed or impermissibly disclosed.

And these are just the violations people know about – those which are detected by a victim, a lawyer, or the FTC and are then successfully brought through the justice system. Too often, however, these violations remain undetected. Patients do not know their private information has been exposed, and the hospitals are unaware their negligent and noncompliant practices have led to a breach.

The FTC and plaintiff-side law firms are left to take on the role of investigator, spending countless hours and resources monitoring the field to detect a potential violation or exposure. That is not a very effective way to enforce compliance, especially because detecting a digital violation requires deep technical expertise, something that lawyers do not necessarily have.

Fighting for justice with artificial intelligence (AI)

One of the biggest issues with these violations is that while millions of Americans’ medical data is being shared, most people are unaware. And because the public does not even know this is happening, they can’t do much about it.

Attorneys face a daunting challenge when trying to identify these violations. The complexity of healthcare data and the sheer volume of patient records can make it incredibly time-consuming and challenging to sift through the information. Without the right tools and resources, it can be an arduous task for plaintiff’s attorneys to build a strong case and protect the rights of their clients.

With AI tools like Darrow, detecting these types of violations can finally be done at the scale required to ensure wide-scale enforcement. While every major corporation has a designated counsel actively looking out for its best interest at all times, the average person does not have a legal team in their corner.

Darrow envisions a world where people can trust that every legal violation is swiftly discovered, precisely valued, and efficiently resolved. We’re helping to level the playing field – not just for plaintiff-side firms in terms of the data available to them, but for victims themselves. Darrow proactively searches for violations, monitoring global events and acting in the public’s best interest so attorneys can stop spending their time looking for cases and spend more time fighting for their clients.

Ariel Sasson is an Attorney and a Legal Data Team Lead at Darrow, responsible for gathering and interpreting complex factual data for legal investigations.