Hello, Health Tech readers. It’s Tuesday.

1 big thing: STAT probe uncovers health data sharing concerns

Dozens of telehealth companies shared sensitive medical data with social media companies, including Meta, Google and TikTok, a joint investigation by science and health website STAT and The Markup has found.

Driving the news: The analysis, published today, looked at 50 direct-to-consumer virtual care companies and found that their websites shared health information collected through intake and ordering forms with Big Tech companies, Erin writes.

  • Those companies include weight management startup Calibrate, addiction treatment business Workit, hybrid care company Thirty Madison and many others.

Yes, but: Although the investigation has worrying implications for nearly anyone who has visited or considered using a virtual care company for treatment, STAT and The Markup also said they “could not independently confirm how or whether Meta and the other tech companies used the data they collected.”

Details: Pieces of code called pixels were used to send sensitive responses about behavior, including self-harm and drug and alcohol use, as well as personal information (including first name, email address, and phone number) to Big Tech companies, per the investigation.

How it works: The Meta Pixel sends data to Facebook by way of scripts running in a user’s browser, according to a previous investigation by The Markup about Facebook receiving sensitive medical information from hospital websites.

  • “Each data packet comes labeled with an IP address that can be used in combination with other data to identify an individual or household,” that story reads.

Meanwhile, trackers from Google and Microsoft (which runs Bing) on other telehealth sites notified those companies that users’ email addresses were entered on “enrollment confirmation” URLs, per the latest investigation.

What they’re saying: Academics and former regulators told STAT and The Markup that the data sharing “threatens patient privacy and trust and could run afoul of unfair business practices laws.”

  • “I thought I was at this point hard to shock,” said Ari Friedman, a University of Pennsylvania emergency medicine physician who studies digital health privacy. “And I find this particularly shocking.”
  • “The very reason why people pursue some of these services online is that they’re seeking privacy,” said David Grande, another UPenn digital health privacy researcher.

The bottom line: Though Workit promised privacy via “HIPAA-compliant software,” many apps and solutions that track potentially sensitive health data aren’t subject to HIPAA regulation.

Source: https://news.google.com/__i/rss/rd/articles/CBMiZWh0dHBzOi8vd3d3LmF4aW9zLmNvbS9wcm8vaGVhbHRoLXRlY2gtZGVhbHMvbmV3c2xldHRlcnMvMjAyMi8xMi8xMy9oZWFsdGgtdGVjaC12aXJ0dWFsLXJlYWxpdHktbWVyZ2Vy0gEA?oc=5