12 Online Drugstores Caught Sharing Personal Health Data with Facebook

Via The Defender

An investigation by The Markup and KFF Health News found trackers collecting browsing- and purchase-related data on websites of 12 of the U.S.’ biggest drugstores and sharing the sensitive information with companies like Meta (formerly Facebook), Google and Microsoft.

Looking for an at-home HIV test on CVS’ website is not as private an experience as one might think. An investigation by The Markup and KFF Health News found trackers on CVS.com telling some of the biggest social media and advertising platforms the products customers viewed.

And CVS is not the only pharmacy sharing this kind of sensitive data.

We found trackers collecting browsing- and purchase-related data on websites of 12 of the U.S.’ biggest drugstores, including grocery store chains with pharmacies, and sharing the sensitive information with companies like Meta (formerly Facebook); Google, through its advertising and analytics products; and Microsoft, through its search engine, Bing.

The tracking tools, popularly called “pixels,” collect information while a website runs. That information is often sent to social media firms and used to target ads, either to you personally or to groups of people that resemble you in demographics or habits.

In previous investigations, The Markup found pixels transmitting information from the U.S. Department of Education, prominent hospitals, telehealth startups, and major tax preparation companies.

Pharmacy retailer websites’ pixels send a shopper’s IP address — a sort of mailing address for a person’s computer or household internet — to social media giants and other firms.

They also send cookies, a way of storing information in a user’s browser that in this case helps track a user from page to page as the user browses a retailer’s site. Cookies can sometimes also associate individuals on a site with their account on a social media platform.

In addition to the IP address and cookies, the pixels often send information about what you’ve clicked or bought, including sensitive items, such as HIV tests.

“HIV testing is the gateway to HIV prevention and treatment services,” said Oni Blackstock, the founder of Health Justice and a former assistant commissioner for the New York City Bureau of HIV/AIDS Prevention and Control, in an interview.

“People living with HIV should have control over whether someone knows their status,” she said.

Many retailers shared other detailed interaction data with advertising platforms as well. Ten of the retailers we examined alerted at least one tech platform when shoppers clicked “add to cart” as they shopped for retail goods, a capacious category that included sensitive products like prenatal vitamins, pregnancy tests and Plan B emergency contraception.

Supermarket giant Kroger, for instance, informed Meta, Bing, Twitter, Snapchat and Pinterest when a shopper added Plan B to the cart, and informed Google and Nextdoor, a social media platform on which people from the same neighborhood gather in forums, that a shopper had visited the page for the item.

Walmart informed Google’s advertising service when a shopper browsed the page of an HIV test, and Pinterest when that shopper added it to the cart.

12 drugstore websites had trackers

A previous investigation from The Markup found that Kroger used loyalty cards to track, analyze and sell an array of data about customers to advertisers.

Using Chrome DevTools, a tool built into Google’s Chrome browser, The Markup and KFF Health News visited the websites of 12 of the U.S.’ biggest drugstores and examined their network traffic. This monitoring tool allowed us to see what information about shopping habits and, in some cases, prescriptions, were sent to third parties.

Over the course of the investigation, retailers frequently changed their trackers — sometimes activating them, sometimes removing them. Some retailers appeared to be taking steps to limit the tracking of sensitive items.

For example, Walgreens’ website prevented some trackers from activating on the pages of some products, which included Plan B and HIV tests. This code didn’t prevent all tracking, though: Walgreens’ site continued sending Pinterest information about those sensitive items a user added to the cart.

Walgreens shared a new policy after learning of The Markup and KFF Health News’ findings.

Spokesperson Fraser Engerman said that while the chain already had a “robust privacy program,” it would no longer share browsing data related to reproductive health and HIV testing.

Engerman also told us that “Pinterest confirmed that the data will be deleted and that it has not been used for advertising purposes.”

Crystal Espinosa, a spokesperson for Pinterest, said the company “can confirm that we will be deleting the data Walgreens requested.”

The pharmacy vs. the pharmacy aisle

In the U.S., drugstores and grocery stores with associated pharmacies are only partially covered by the Health Insurance Portability and Accountability Act, or HIPAA. The prescriptions picked up from the pharmacy counter do have this protection.

But in a separate section, sometimes confusingly called the pharmacy aisle, stores also often sell over-the-counter medications, tests and other health-related products.

Consumers might think such purchases have similar protections to their prescriptions, but HIPAA only covers the pharmacy counter’s clinical operations, such as dispensing prescriptions and answering patients’ questions about medication.

This distinction can be confusing enough inside the brick-and-mortar location of a retailer. But the line can become even harder to make out on a website, which lacks the clarifying delineations of physical space.

What’s more, descriptions of what will happen with retail data are generally in retailers’ privacy policies, which can usually be found in a link at the bottom of their web pages.

The Markup and KFF Health News found them murky at best, and none of them were specific about the parts of the site that were covered by HIPAA and the parts that weren’t.

READ MORE HERE