Health care privacy and more (Privacy News, June 21)

Recent privacy news from around the web …

You agreed to what? Doctor check-in software harvests your health data.

Geoffrey A. Fowler on the Washington Post (washingtonpost.com)

Software that thousands of clinics and hospitals across the United States use to check people into appointments harvests the information people provide and uses it to target ads. How can they do that? Phreesia, the software company, includes a paragraph authorizing this in the consent form people sign when they’re checking in – and most people don’t bother to read it, and so consent to sharing. It’s a classic example of the way a “notice and consent” approach allows companies to exploit us as long as we don’t say no.

THE DEVIL IS IN THE DETAILS: ADPPA Section 204 (A) (page 33) requires “affirmative express consent” to transfer sensitive data. Does Phreesia’s consent form language meet the requirements for “affirmative express consent” in Section 2 (1) (page 2)?

“I hereby authorize my health care provider to release to Phreesia’s check-in system my health information entered during the automated check-in process … to help determine the health-related materials I will receive as part of my use of Phreesia. The health-related materials may include information and advertisements related to treatments and therapies specific to my health status.”

Facebook Is Receiving Sensitive Medical Information from Hospital Websites

Todd Feathers, Simon Fondrie-Teitler, Angie Waller, and Surya Mattu on The Markup

Thursday, The Markup’s investigation revealed that 33 of the top 100 hospitals in the US have a “Meta Pixel” on their websites which sends information about people’s medical conditions, prescriptions, and doctor’s appointments to Facebook (aka Meta). Friday, Bloomberg’s Evan Peng reported that a class-action suit in California seeks compensatory and punitive damages for “breach of contract, violation of the federal Electronic Communications Privacy Act and a constitutional claim for invasion of privacy, among other allegations.” The hospitals involved may have violated HIPAA. Nadia Bey’s “What is Meta Pixel, the code detected on health system websites in NC and beyond?”, in the Charlotte Observer, has some local perspectives – and sets it in the context of The Markup’s reporting back in April that information from people who applied for federal student aid had also been sent to Facebook.

GET INVOLVED: The Markup’s reporting is part of the Facebook Pixel Hunt, a collaboration between Markup journalists and Mozilla researchers. If you run Firefox, here’s how you can help!

Updates:

U.S. lawmakers urge Google to fix abortion searches that steer women to ‘fake clinics’

Diane Bartz on Reuters

Last week, the Center for Countering Digital Hate released a study finding that many Google search results for abortion clinics instead returned links to so-called “pregnancy crisis centers” – fake abortion clinics that instead attempt to convince people not to get abortions. Now, 20 Democratic members of Congress have sent a letter to Google telling them to ensure that searches return accurate information.

If you’re wondering why this is a privacy story, check out Grace Oldham and Dhruv Mehrotra’s “Facebook and Anti-Abortion Clinics Are Collecting Highly Sensitive Info on Would-Be Patients” on Reveal, a joint investigation with The Markup. The fake pregnancy crisis centers Google sends people to are using Meta Pixel to get data about whether a person was considering abortion or looking to get a pregnancy test or emergency contraceptives.

See also: Lawmakers urge Google to fix abortion searches suggesting ‘fake clinics’, Kim Bellware, Washington Post, with more details and a list of the legislators.

TAKE ACTION: Tell Google to stop profiting from anti-abortion disinformation using Center for Countering Digital Hate’s form.

And …

This new Windows 11 privacy feature shows when apps access your microphone, camera or location, Liam Tung, zdnet.com

Privacy Law in South Korea Whiteboard, a one-page summary of South Korea’s Privacy Law, the Personal Information Protection Act, by Prof. Daniel Solove on teachprivacy.com

S.T.O.P. x RadTech: Reproductive Freedom Under Surveillance, Wednesday at 3:00 pm Pacific (6:00 Eastern), featuring Hayley Tsukayama of Electronic Frontier Foundation, focusing on state legislation, and Prof. Jolynn Dellinger of Duke Law’s Kenan Institute for Ethics, moderated by S.T.O.P.’s Alfred Fox-Cahn.


Image credit: Daquella manera on Flickr via Wikipedia Commons, licensed under the Creative Commons Attribution 2.0 license.