Since the Covid-19 Pandemic, there has been an explosion in telehealth startups founded in Silicon Valley that are reaching multi-billion-dollar valuations based on their ability (and potential) to reach and provide medical treatment services virtually.
While these companies have provided millions of Americans with almost instantaneous access to medical treatment services, many of them also secretly record the sensitive personal information their users provide and sell this data to third parties for use in targeted advertisements.
On December 13, 2022, a joint investigation by STAT News and The Markup found that out of 50 telehealth startups they investigated, 13 had at least one tracker that collected users’ answers to medical intake questions and shared them with either Meta, Google, TikTok, Bing, Snap, Twitter, LinkedIn, or Pinterest. “Out of Control”: Dozens of Telehealth Startups Sent Sensitive Health Information to Big Tech Companies.
All but one website examined sent URLs users visited on the site and their IP addresses—akin to a mailing address for a computer, which can be used to link information to a specific patient or household—to at least one tech company.
Getting Rich Selling Patient Data
Hims & Hers, one of the largest players in the space, is now a publicly traded company valued at more than $1 billion; competitor Ro has raised $1 billion since its founding in 2017, with investors valuing the company at $7 billion. Thirty Madison, which operates several telehealth companies focused on different medical needs, is valued at more than $1 billion.
These companies are now valued at billions of dollars after mining the personal health information of millions of Americans via invasive medical intake questionnaires and passing those answers on to global advertising platforms which use them to sell targeted ads right back at those users.
If you have used a telehealth startup in the past year and believe your personal health information may have been leaked to third-party advertisers, explore our open cases to see if you are entitled to compensation.
Thirty Madison's With Cove Website
This website offers migraine medications. It prompts visitors to share details about their migraines, past diagnoses, and family history—and during STAT News’ testing sent the answers to Facebook and Google. If a user added a medication to the cart, detailed information about the purchase, including the drug’s name, dose, and price, were also sent to Facebook, along with the user’s hashed full name, email, and phone number.
While hashing obscures those details into a string of letters and numbers, it does not prevent tech platforms from linking them to a specific person’s profile, which Facebook explicitly says it does before discarding the hashed data.
Cerebral
When users visit Cerebral, a mental health company whose prescribing and business practices came under federal investigation this year, they are required to answer a series of “clinically tested questions” that can cover a wide range of conditions, including depression, anxiety, bipolar disorder, and insomnia.
During STAT News’ testing, with every response — such as clicking a button to indicate feeling depressed “more than half the days” over the last two weeks — a pixel sent Facebook the text of the answer button, the specific URL the user was visiting when clicking the button, and the user’s hashed name, email address, phone number.
RexMD
A Meta Tracking Pixel on RexMD, which prescribes erectile dysfunction drugs, collected the name of the medication in our cart, our email, gender, and date of birth.