By Darius Tahir and Simon Fondrie-Teitler, The Markup
Looking for an at-home HIV test on CVS’ website is not as private an experience as one might think. An investigation by The Markup and KFF Health News found trackers on CVS.com telling some of the biggest social media and advertising platforms the products customers viewed.
And CVS is not the only pharmacy sharing this kind of sensitive data.
We found trackers collecting browsing- and purchase-related data on websites of 12 of the U.S.’ biggest drugstores, including grocery store chains with pharmacies, and sharing the sensitive information with companies like Meta (formerly Facebook); Google, through its advertising and analytics products; and Microsoft, through its search engine, Bing.
The tracking tools, popularly called “pixels,” collect information while a website runs. That information is often sent to social media firms and used to target ads, either to you personally or to groups of people that resemble you in demographics or habits. In previous investigations, The Markup found pixels transmitting information from the Department of Education, prominent hospitals, telehealth startups, and major tax preparation companies.
Pharmacy retailer websites’ pixels send a shopper’s IP address — a sort of mailing address for a person’s computer or household internet — to social media giants and other firms. They also send cookies, a way of storing information in a user’s browser that in this case helps track a user from page to page as the user browses a retailer’s site. Cookies can sometimes also associate individuals on a site with their account on a social media platform. In addition to the IP address and cookies, the pixels often send information about what you’ve clicked or bought, including sensitive items, such as HIV tests.
“HIV testing is the gateway to HIV prevention and treatment services,” said Oni Blackstock, the founder of Health Justice and a former assistant commissioner for the New York City Bureau of HIV/AIDS Prevention and Control, in an interview.
“People living with HIV should have control over whether someone knows their status,” she said.
Many retailers shared other detailed interaction data with advertising platforms as well. Ten of the retailers we examined alerted at least one tech platform when shoppers clicked “add to cart” as they shopped for retail goods, a capacious category that included sensitive products like prenatal vitamins, pregnancy tests, and Plan B emergency contraception.
Supermarket giant Kroger, for instance, informed Meta, Bing, Twitter, Snapchat, and Pinterest when a shopper added Plan B to the cart, and informed Google and Nextdoor, a social media platform on which people from the same neighborhood gather in forums, that a shopper had visited the page for the item. Walmart informed Google’s advertising service when a shopper browsed the page of an HIV test, and Pinterest when that shopper added it to the cart.
A previous investigation from The Markup found that Kroger used loyalty cards to track, analyze, and sell an array of data about customers to advertisers.
Using Chrome DevTools, a tool built into Google’s Chrome browser, The Markup and KFF Health News visited the websites of 12 of the U.S.’ biggest drugstores and examined their network traffic. This monitoring tool allowed us to see what information about shopping habits and, in some cases, prescriptions, were sent to third parties.
Over the course of the investigation, retailers frequently changed their trackers — sometimes activating them, sometimes removing them. Some retailers appeared to be taking steps to limit tracking on sensitive items.
For example, Walgreens’ website prevented some trackers from activating on the pages of some products, which included Plan B and HIV tests. This code didn’t prevent all tracking, though: Walgreens’ site continued sending Pinterest information about those sensitive items a user added to the cart.
Walgreens shared a new policy after learning of The Markup and KFF Health News’ findings. Spokesperson Fraser Engerman said that while the chain already had a “robust privacy program,” it would no longer share browsing data related to reproductive health and HIV testing. Engerman also told us that “Pinterest confirmed that the data will be deleted and that it has not been used for advertising purposes.” Crystal Espinosa, a spokesperson for Pinterest, said the company “can confirm that we will be deleting the data Walgreens requested.”
The Pharmacy vs. the Pharmacy Aisle
In the U.S., drugstores and grocery stores with associated pharmacies are only partially covered by the Health Insurance Portability and Accountability Act, or HIPAA. The prescriptions picked up from the pharmacy counter do have this protection.
But in a separate section, sometimes confusingly called the pharmacy aisle, stores also often sell over-the-counter medications, tests, and other health-related products. Consumers might think such purchases have similar protections to their prescriptions, but HIPAA only covers the pharmacy counter’s clinical operations, such as dispensing prescriptions and answering patients’ questions about medication.
This distinction can be confusing enough inside the brick-and-mortar location of a retailer. But the line can become even harder to make out on a website, which lacks the clarifying delineations of physical space.
What’s more, descriptions about what will happen with retail data are generally in retailers' privacy policies, which can usually be found in a link at the bottom of their webpages. The Markup and KFF Health News found them murky at best, and none of them were specific about the parts of the site that were covered by HIPAA and the parts that weren’t.
In the “Privacy Notice for California Residents” part of its privacy policy, Kroger says it processes “personal information collected and analyzed concerning a consumer’s health.” But, the policy continues, the company does not “sell or share” that information. Other information is sold: According to the policy, in the last 12 months, the company sold or shared “protected classification characteristics” to outside entities like data brokers.
Kroger spokesperson Erin Rolfes said the company strives to be transparent and that, “in many cases, we have provided more information to our customers in our privacy notices than our peers.”
Brokering of general retail data is widespread. Our investigation found, though, that some websites shared sensitive clinical data with third parties even when that information would be protected at a HIPAA-covered pharmacy counter. Users attempting to schedule a vaccine appointment at Rite Aid, for example, must answer a survey first to gauge eligibility.
This investigation found that Rite Aid has sent Facebook responses to questions such as:
Do you have a neurological disorder such as seizures or other disorders that affect the brain or have had a disorder that resulted from a vaccine?
Do you have cancer, leukemia, AIDS, or any other immune system problem?
Are you pregnant or could you become pregnant in the next three months?
The Markup and KFF Health News documented Rite Aid sharing this data with Facebook in December 2022. In February of this year, a proposed class-action lawsuit based on similar findings was filed against the drugstore chain in California, alleging code on Rite Aid’s website sent Facebook the time of an appointment and an identifier for the appointment location, demographic information, and answers to questions about vaccination history and health conditions. Rite Aid has moved to dismiss the suit.
After the lawsuit was filed, The Markup and KFF Health News tested Rite Aid’s website again, and it was no longer sending answers to vaccination questions to Facebook.
Rite Aid isn’t the only company that sent answers to eligibility questionnaires to social media firms. Supermarkets Albertsons, Acme, and Safeway, which are owned by the same parent company, also sent answers to questions in their vaccination intake form — albeit in a format that requires cross-referencing the questionnaire’s source code to reveal the meaning of the data.
Using the Firefox web browser’s Network Monitor tool, and with the help of a patient with an active prescription at Rite Aid, KFF Health News and The Markup also found Rite Aid sending the names of patients’ specific prescriptions to Facebook. Rite Aid kept sharing prescription names even after the company stopped sharing answers to vaccination questions in response to the proposed class action (which did not mention the sharing of prescription information). Rite Aid did not respond to requests for comment, and as of June 23, the pixel was still present and sending the names of prescriptions to Facebook.
Other companies shared data about medications from other parts of their sites. Customers of Sam’s Club and Costco, for example, can search names of prescriptions on each retailer’s website to find the local pharmacy with the cheapest prices. But the two websites also sent the name of the medication the user searched for, along with the user’s IP address, to social media companies.
Many of the retailers The Markup and KFF Health News looked at did not respond to questions or declined to comment, including Costco and Sam’s Club. Albertsons said the company “continually” evaluates its privacy practices. CVS said it was compliant with “applicable laws.”
Kroger’s Rolfes wrote that the company’s “trackers disclose product information, which is not sensitive health information unless one or more inferences are made. Kroger does not make any inferences linking the product information collected or disclosed by trackers to an individual’s health condition.”
A Huge Regulatory Challenge
Pharmacies are just one facet of a huge health care sector. But the industry as a whole has been roiled by disclosures of tracking pixels picking up sensitive clinical data.
After an investigation by The Markup in June 2022 found widespread use of trackers on hospital websites, regulatory and legal attention has homed in on the practice.
In December, the Department of Health and Human Services’ Office for Civil Rights published guidance advising health providers and insurers how pixel trackers’ use can be consistent with HIPAA. “Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures” of protected health information to tracking technology or other third-party vendors, according to the official bulletin. If implemented, the guidance would provide a path for the agency to regulate hospitals and other providers and fine those who don’t follow it. In an interview with an industry publication in late April, the director of the Office for Civil Rights said it would be bringing its first enforcement action for pixel use “hopefully soon.”
Lobbying groups are seeking to confine any regulatory fallout: The American Hospital Association, for example, sent a letter on May 22 to the Office for Civil Rights asking that the agency “suspend or amend” its guidance. The office, it claimed, was seeking to protect too much data.
This year the Federal Trade Commission has pursued action against companies like GoodRx, which offers prescription price comparisons, and BetterHelp, which offers online therapy, for alleged misuse of data from questionnaires and searches. The companies settled with the agency.
Health care providers have disclosed to the federal government the potential leakage of nearly 10 million patients’ data to various advertising partners, according to a review by The Markup and KFF Health News of breach notification letters and the Office for Civil Rights’ online database of breaches. That figure could be a low estimate: A new study in the journal Health Affairs found that, as of 2021, almost 99 percent of hospital websites contained tracking technologies.
One prominent law firm, BakerHostetler, is defending hospitals in 26 legal actions related to the use of tracking technologies, lawyer Paul Karlsgodt, a partner at the firm, said during a webinar this year. “We’ve seen an absolute eruption of cases,” he said.
Abortion- and pregnancy-related data is particularly sensitive and driving regulatory scrutiny. In the same webinar, Lynn Sessions, also with BakerHostetler, said the California attorney general’s office had made specific investigative requests to one of the firm’s clients about whether the client was sharing reproductive health data.
It’s unclear whether big tech companies have much interest in helping secure health data. Sessions said BakerHostetler had been trying to get Google and Meta to sign so-called business associate agreements. These agreements would bring the companies under the HIPAA regulatory umbrella, at least when handling data on behalf of hospital clients. “Both of them, at least at this juncture, have not been accommodating in doing that,” Sessions said. Google Analytics’ help page for HIPAA instructs customers to “refrain from using Google Analytics in any way that may create obligations under HIPAA for Google.”
Meta says it has tools that attempt to prevent the transfer of sensitive information like health data. In a November 2022 letter to Sen. Mark Warner (D-Va.) obtained by KFF Health News and The Markup, Meta wrote that “the filtering mechanism is designed to prevent that data from being ingested into our ads.” What’s more, the letter noted, the social media giant reaches out to companies transferring potentially sensitive data and asks them to “evaluate their implementation.”
“I remain concerned the company is too passive in allowing individual developers to determine what is considered sensitive health data that should remain private,” Warner told The Markup and KFF Health News.
Meta’s claims in its letter to Warner have been repeatedly questioned. In 2020, the company itself acknowledged to New York state regulators that the filtering system was “not yet operating with complete accuracy.”
To test the filtering system, Sven Carlsson and Sascha Granberg, reporters for SR Ekot in Sweden, set up a dummy pharmacy website in Swedish, which sent fake, but plausible, health data to Facebook to see whether the company’s filtering systems worked as stated. “We weren’t warned” by Facebook, Carlsson said in an interview with KFF Health News and The Markup.
Carlsson and Granberg’s work also found European pharmacies engaged in activities similar to what The Markup and KFF Health News have found. The reporters caught a Swedish state-owned pharmacy sending data to Facebook. And a recent investigation with The Guardian found the U.K.-based pharmacy chain LloydsPharmacy was sending sensitive data — including information about symptoms — to TikTok and Facebook.
In response to questions from KFF Health News and The Markup, Meta spokesperson Emil Vazquez said, “Advertisers should not send sensitive information about people through our Business Tools. Doing so is against our policies and we educate advertisers on properly setting up Business Tools to prevent this from occurring. Our system is designed to filter out potentially sensitive data it is able to detect.”
Meta did not respond to questions about whether it considered any of the information KFF Health News and The Markup found retailers sending to be “sensitive information,” whether any was actually filtered by the system, or whether Meta could provide metrics demonstrating the current accuracy of the system.
In response to our inquiries, Twitter sent a poop emoji, while TikTok and Pinterest said they had policies instructing advertisers not to pass on sensitive information. LinkedIn and Nextdoor did not respond.
Google spokesperson Jackie Berté said the company’s policies “prohibit businesses from using sensitive health information to target and serve ads” and that it worked to prevent such information from being used in advertising, using a “combination of algorithmic and human review” to remedy violations of its policy.
KFF Health News and The Markup presented Google with screenshots of its pixel sending the search company our browsing information when we landed on the retailers’ pages where we could purchase an HIV test and prenatal vitamins, and data showing when we added an HIV test to the cart. In response, Berté said the company had “not uncovered any evidence that the businesses in the screenshots are violating our policies.”
(PB/KFF)