Telehealth Sites Put Addiction Patient Data at Risk

Leaders at some of the analyzed companies were quick to respond and share their thoughts on privacy, noting they always aim to improve the services offered to such a vulnerable population.

Boulder Care CEO Stephanie Strong says her company is subject to HIPAA and Part Two and “takes patient privacy extremely seriously.” She adds that her company uses digital advertising and web measurement tools “sparingly” (indeed, Boulder Care used fewer of the tools than others in the report) and limits the use of ad tracking software to website visitors and inquiries only, without reporting back to Google or Meta on any actions that could be “indicative of actual treatment.” Patient care is delivered by Boulder’s app, which does not use any tracking software.

Lisa McLaughlin, who was co-CEO of WorkIt Health at the time she provided comment but has since departed the business, says the company “is committed to creating a safe place for our members to receive discreet and accessible virtual care.” A representative for Confidant Health echoes that the company recognizes the importance of privacy in SUD care and will “continue to adhere to HIPAA and similar legislation as well as upholding our own internal protocols which we developed to protect our members.”

Representatives from other companies included in the study did not deny the use of the third parties that researchers identified, but they maintained that this poses no threat to patient privacy and is in keeping with standards across the internet and in the medical space.

Nick Mercadante, founder and CEO of PursueCare, says his company does not collect, store, or forward protected health information from visiting users, and that patients don’t receive their care directly on the PursueCare site. He also said PursueCare does not share protected health information (PHI) with third parties, though it does “utilize Facebook Pixel and Google Analytics for internal reporting purposes.”

“It is a reality that users of most websites on the internet today are subject to collection of user data,” Mercadante says. “Health-care-related websites, including those of health systems, hospitals, inpatient care facilities, and other brick-and-mortar care facilities, are no different.”

Pear Therapeutics, responsible for reSET-O, notes it doesn’t share PHI without patient consent, does not use any digital footprints to identify user identities, and reports data “on an aggregated and de-identified basis.” Experts remain concerned by the collection of the data in the first place, de-identified or not, but acknowledge that what’s happening here isn’t illegal and is likely to continue for that reason. Danielle Tarino, who formerly led the health IT team at SAMHSA and now works in cybersecurity, has spent a considerable chunk of her career investigating the privacy implications of mHealth, especially for people with substance use disorders. She believes the best shot at protecting privacy will come from the creation and implementation of additional tools.

“This is how small tech businesses work, and absent anyone telling you that you’re not allowed to do that, you’re allowed to do that,” she says, questioning whether the sites’ use of ad trackers and outside software boils down to finances. Clark, too, expresses concerns that the use of data collection is financially motivated and, for the right price, could be sold or leased to law enforcement or other parties. “When there’s monetary incentives, people make the changes. When there are no monetary incentives, they don’t,” he says. In short, data privacy experts don’t anticipate that mHealth companies will stop collecting data unless forced.