The Federal Trade Commission (FTC) and the Department of Health and Human Services (HHS) have revealed the names of 130 hospitals and telehealth companies that were issued warnings regarding potential violations of federal data privacy and security regulations.
The warnings stem from the recipients' use of online tracking tools, such as the Meta/Facebook pixel and Google Analytics, which were found to pose risks to patient privacy by potentially disclosing sensitive health information to third parties.
Among the recipients of the warning letters are prominent healthcare organizations like Johns Hopkins Hospital and New York-Presbyterian Hospital, as well as telehealth providers including Apostrophe and Hone Health.
This disclosure represents a significant step in addressing the ongoing tension between patient privacy concerns and commercial interests linked to individually identifiable health data. Regulatory attorney Paul Hales underscored the rapid expansion of this issue, highlighting the absence of a clear resolution.
The warning letters issued by the agencies emphasize the potential impermissible disclosure of consumers’ sensitive health information, encompassing details such as health conditions, diagnoses, medications, treatments, and more.
Notably, some healthcare systems, such as New York-Presbyterian and Advocate Aurora, have previously reported substantial health data breaches associated with their use of web trackers. Advocate Aurora recently reached a preliminary settlement of $12.25 million related to its web tracker breach.
The public disclosure of the recipients’ names and copies of the warning letters represents an unusual move by the FTC and HHS, serving as a stern message to organizations that they must closely monitor and prevent the unauthorized sharing of health information with third parties through tracking technologies.
Regulatory attorney Rachel Rose sees this development as an opportunity for entities to rectify their practices, as both agencies aim to facilitate compliance. Given the content of the letters, agency website publications, and previous guidance, it is anticipated that HHS OCR will soon take enforcement actions related to web tracker violations.
The FTC has already taken enforcement actions against telehealth providers, underscoring the urgency of addressing online tracking issues within the healthcare sector.