Facebook could be tracking your online Plan B or HIV test purchases

This story was co-reported via Markup Markup as well as KFF Health News.

Finding an at-home HIV test via the CVS site isn’t as private a process as you believe. A study of The Markup and KFF Health News discovered trackers on CVS.com telling some of the most extensive online advertising and social networks what products consumers viewed.

And CVS isn’t the only pharmacy that shares these kinds of sensitive information.

We have found trackers capturing the data of purchases and browsing on the websites from 12 of the U.S.’ biggest drugstores, including grocery chain stores and pharmacies. They also share sensitive data with companies such as Meta (formerly Facebook), Google through its products for advertising and analytics, and Microsoft via its search engine Bing.

The tracking devices, or “pixels,” collect information when a website runs. The information collected is usually transferred to social media companies and is used to tailor advertisements, either directly to you or to groups of people that are similar to your characteristics or demographics. In earlier investigations, The Markup found pixels transmitting data from the Department of Education, prominent hospitals, telehealth startups, and significant tax preparation firms.

The pixels on the websites of pharmacies send the shopper’s IP address — a type of postal address for the computer of a household or internet — to social media giants as well as other companies. Cookies are also sent that are used to store data in a user’s browser that assists in tracking a user’s progress through the pages as the customer browses on a retailer’s site. Cookies are sometimes used to link users on a website with their social media site. Along with the cookies and IP address pixels, they often transmit details about what you’ve done or purchased, such as sensitive things like HIV tests.

“HIV testing is the gateway to HIV prevention and treatment services,” said Oni Blackstock, the co-founder of Health Justice and a former assistant commissioner of the New York City Bureau of HIV/AIDS Prevention and Control, in an interview.

“People living with HIV should have control over whether someone knows their status,” she stated.

Many retailers shared other specific interactions with advertising platforms too. Ten of the stores we looked at alerted at least one technology platform when customers hit “add to cart” as they browsed for goods at retail, including sensitive products, such as pregnancy tests, prenatal vitamins, and Plan B contraceptives for emergencies.

Supermarket giant Kroger For instance, Kroger Supermarket was notified by Meta, Bing, Twitter, Snapchat, and Pinterest when a customer put Plan B in the cart. It also informed Google and Nextdoor, a social media platform where neighbors from the same area meet on forums, that a user was on the site to purchase the item. Walmart also informed Google’s advertising services when a customer visited the site for the HIV test, and also on Pinterest when a shopper added the item to their cart.

A previous investigation by The Markup found that Kroger utilized loyalty programs to analyze, track and market various information about customers to advertisers.

Using Chrome DevTools, a program integrated into the Google Chrome browser, The Markup, and KFF Health News, went to the websites of 12 of the U.S. largest drugstores and then analyzed their traffic on their networks. This tool for monitoring allowed us to determine the extent to which information regarding shoppers’ habits and, in some instances, prescriptions were passed to third-party websites.

In this investigation, retailers often changed their trackers, sometimes activating them and sometimes taking them off the trackers. Some retailers are trying to limit the tracking of sensitive items.

For instance, Walgreens’ website prevented specific trackers from displaying on pages for certain products, including Plan B and HIV tests. However, this continued all tracking: Walgreens’ site sent Pinterest details about the delicate items users added to their shopping cart.

Walgreens announced its new policy following the news of The Markup and KFF Health News’ findings. The spokesperson Fraser Engerman said that while Walgreens already had a “robust privacy program,” it will no longer share the data it collects about reproductive health or HIV testing. Engerman added, “Pinterest confirmed that the data will be deleted and that it has not been used for advertising purposes.” Crystal Espinosa, a spokesperson for Pinterest, confirmed that Pinterest “can confirm that we will be deleting the data Walgreens requested.”

The pharmacy aisle vs. the aisle of pharmacies

Within the U.S., drugstores and grocery stores that have pharmacies are not covered under The Health Insurance Portability and Accountability Act, known as HIPAA. The prescriptions purchased at the counter at pharmacies do enjoy this security.

In a separate area often referred to as”the pharmacy aisle,” shops can also sell prescription medications such as tests, medicines, and other health-related products. People may think that these products are protected similarly to prescriptions. Still, HIPAA does not cover the operations of a pharmacy counter which include prescribing drugs and answering questions regarding medication.

The distinction between the two can be complicated enough within the brick-and-mortar retail store. However, the difference can be more difficult to distinguish on a website that needs the clear definitions that physical locations have.

Furthermore, details regarding what can happen to information from retail stores are typically found within the privacy policies of retailers, which are usually found on their web pages. Markup and KFF Health News needed clarification. Markup, in conjunction with KFF Health News, found them to be ambiguous in the best of circumstances, but neither did they provide specific information on the portions of the site protected by HIPAA as well as the ones that were not.

The “Privacy Notice for California Residents” section of their Privacy Policy Kroger states that it uses “personal information collected and analyzed concerning a consumer’s health.” However, the policy says that Kroger does not “sell or share” that information. Other data is sold: As per the policy, during the last 12 months, Kroger sold or distributed “protected classification characteristics” to external entities such as data brokers.

Kroger spokesperson Erin Rolfes said the company is committed to transparency and that “in many cases, we have provided more information to our customers in our privacy notices than our peers.”

Brokering general retail information is commonplace. However, our research found that certain websites did share sensitive medical data with third parties, even though this information is secured at a pharmacy covered by the HIPAA counter. Anyone who wants to schedule an appointment for vaccination in Rite Aid, for example, has to complete a questionnaire first to determine if they are eligible.

The investigation revealed it was found that Rite Aid has sent Facebook answers to various questions, including:

• Are you suffering from neurological disorders like seizures or other diseases affecting your brain? Or have you experienced a problem due to a vaccine?
• Are you suffering from cancer, leukemia, AIDS, or other health issues affecting your immune system?
• Are you pregnant? Or could you get pregnant within about three months?

The Markup and KFF Health News documented Rite Aid sharing this information with Facebook from December 20, 2022. In February of this year, the proposed class-action suit with similar results was brought against the chain of pharmacies in California with the claim that that the Rite Aid website transmitted to Facebook the date and time of an appointment, an identification code for the location of the work as well as demographic data, as well as answers to questions regarding the health history of the patient and vaccination history. Rite Aid has moved to absolve the suit.

Following the lawsuit’s filing, The Markup and KFF Health News examined Rite Aid’s website again. They discovered that the website did not send answers to questions regarding vaccinations to Facebook.

Rite Aid is one of many companies that have sent responses to questions about eligibility to social media companies. Food stores Albertsons, Acme, and Safeway, which are part of this same company, also provided answers to the questions on their intake forms for vaccinations, but in the form of a cross-reference to the source code of the questionnaire to determine the purpose of the information.

Using The Firefox internet browser’s Network Monitor tool and the help of a person who had an active prescription from Rite Aid, KFF Health News and The Markup also found Rite Aid sharing the names of patients’ particular prescribed medications to Facebook. Rite Aid kept sharing prescription names, even after the company stopped providing answers to vaccination questions due to the proposed class action (which was not a reference to sharing prescription details). Rite Aid did not respond to inquiries for comments on June 23; the pixel was still active and sending prescription names to Facebook.

Other companies have shared data on medicines from different parts of their websites. For instance, customers who shop at Sam’s Club and Costco can search for prescription names on the websites of each retailer to locate the nearest pharmacy with the lowest price. Both websites gave details of the medicine that the user was searching for and the user’s IP address to social media companies.

Most of the retailers The Markup and KFF Health News reviewed didn’t respond to queries or refused to comment, such as Costco and Sam’s Club. Albertsons stated that the company “continually” evaluates its privacy policies. CVS claimed it complies with “applicable laws.”

Kroger’s Rolfes stated his company’s “trackers provide information about products that is not considered to be classified as sensitive health information unless some inferences are drawn. Kroger doesn’t make any inferences connecting the product information gathered or divulged by trackers to the health status of an individual.”

A major regulatory issue

Pharmacies are only one aspect of a vast healthcare industry. However, the sector, in general, has been in the spotlight due to revelations of tracking pixels that have gathered sensitive clinical information.

Following an investigation conducted by The Markup in June 2022 discovered an extensive usage tracking device on hospitals’ websites, legal and regulatory focus has been shifted to the method.

In December, the Department of Health and Human Services Office for Civil Rights released a guideline providing healthcare providers and insurance companies about how pixel trackers are compatible with HIPAA. “Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures” of protected health information to tracking technologies or other third-party vendors, as per the announcement. If implemented, the guideline will allow the agency to oversee hospitals and other healthcare providers and penalize those who fail to adhere to them. When speaking to a publication in the industry in April, the Office for Civil Rights director said that the agency would be the first enforcement action regarding pixel usage “hopefully soon.”

Lobbying groups are trying to limit any negative regulatory impact for now. The American Hospital Association, for instance, wrote an email on May 22 to the Office for Civil Rights requesting that the office “suspend or amend” its guidelines. The Office for Civil Rights, it said, sought to safeguard excessive amounts of information.

This year, the Federal Trade Commission has pursued actions against firms such as GoodRx, which compares prescription prices, and BetterHelp, which offers online therapy based on the alleged misuse of data gathered from questionnaires and search results. The two companies settled with the FTC.

Healthcare providers revealed to the Federal government the potential leakage of more than 10 million patient data to different advertising companies as per a study of The Markup and KFF Health News of breach notification letters and breaches reported to the Office for Civil Rights database of violations on the internet. This number may be an underestimate. A study published in Health Affairs found that, in 2021, nearly 100% of hospital websites had tracking technologies.

A well-known legal firm known as BakerHostetler defends hospitals in 26 legal cases that concern using tracking technology and other tracking technologies, the lawyer Paul Karlsgodt, a partner at the firm, told in a webcast earlier this year. “We’ve seen an absolute eruption of cases,” the lawyer stated.

Information related to pregnancy and abortion is susceptible and triggers regulatory attention. On the same panel, Lynn Sessions, also working with BakerHostetler, stated that she was informed that the California Attorney General’s Office requested specific investigations of one of BakerHostetler’s clients regarding whether the client shared information about reproductive health.

It needs to be clarified if big tech companies have any interest in helping secure health information privacy. Sessions stated BakerHostetler tried convincing Google and Meta to sign”business associate” agreements. The agreements would place these businesses under the HIPAA legal umbrella when handling information for hospitals’ clients. “Both of them, at least at this juncture, have not been accommodating in doing that,” Sessions stated. Google Analytics help page on HIPAA requires users to “refrain from using Google Analytics in any way that may create obligations under HIPAA for Google.”

Meta claims it has tools to stop transmitting sensitive information, such as health information. In a November 2022 email to Sen. Mark Warner (D-Va.) obtained from KFF Health News and The Markup, Meta wrote, “The filtering mechanism is designed to prevent that data from being ingested into our ads.” Furthermore, according to the letter, Meta sends a letter to businesses that transfer potentially sensitive information and asks them to “evaluate their implementation.”

“I remain concerned the company is too passive in allowing individual developers to determine what is considered sensitive health data that should remain private,” Warner said to The Markup and KFF Health News.

Meta’s assertions in its letter Warner were repeatedly questioned. In 2020, the firm itself admitted in a letter to New York state regulators that the system for filtering did “not yet operating with complete accuracy.”

To test the system of filtering, Sven Carlsson and Sascha Granberg, reporters from SR Ekot in Sweden, set up a fake site for pharmacies in Swedish that sent phony authentic but plausible health information to Facebook to determine if the filtering system of the company worked in the manner they claimed. “We weren’t warned” by Facebook, Carlsson said in an interview with KFF Health News and The Markup.

Carlsson and Granberg’s work discovered European pharmacies involved in actions similar to those The Markup and KFF Health News have found. The journalists uncovered a Swedish public-owned pharmacy that was sending information via Facebook. Also, a new investigation in conjunction with The Guardian found the U.K.-based pharmacy chain LloydsPharmacy was sending sensitive information, including details about symptoms, to TikTok and Facebook.

In response to queries by KFF Health News and The Markup, Meta spokesperson Emil Vazquez explained, “Advertisers should not send sensitive information to people via Meta’s Business Tools. This is in violation of our policy and we train advertisers on the proper way to set the Business Tools to prevent this from happening. This system was designed by us to block sensitive information that it might be capable of detecting.”

Meta did not reply to questions regarding whether it deemed any of the details KFF Health News and The Markup discovered retailers were sending as “sensitive information,” whether it was filtered through the process, and if Meta could provide metrics to demonstrate the reliability in operation.

Responding to queries, Twitter sent a poop Emoji, and TikTok and Pinterest stated that they had policies that instructed advertisers not to share sensitive information. LinkedIn and Nextdoor didn’t respond.

Google spokesperson Jackie Berte said the company’s policies “prohibit businesses from using sensitive health information to target and serve ads,” and it has worked to stop the use of such information in ads, using a “combination of algorithmic and human review” to address any violations of the policy.

KFF Health News and The Markup provided Google with images of its pixel, which sent the search firm the information we entered when we arrived on the retailer’s pages, which allowed us to buy an HIV test as well as prenatal vitamins, as well as information about that we had purchased the HIV test to our cart. In the response, Berte said the company had “not uncovered any evidence that the businesses in the screenshots are violating our policies.”

KFF Health News uses the Meta Pixel to collect data. Third-party websites use the pixel to gauge their websites’ performance and traffic and display advertisements on social media platforms. KFF Health News collects page usage data from our news partners, who choose to use our pixel tracker whenever they republish their articles. This information will not be shared with third-party websites or social networks, and the individual’s personal information is not tracked or recorded according to KFF’s privacy guidelines. It is important to note that the Markup does not utilize any tracking device for pixels. You can read the entire Privacy Policy here.

The article is co-published by The Markup, A non-profit newsroom that examines how institutions can use technology to alter our lives. Join us for The Markup’s monthly newsletters.

KFF Health News KFF Health News is a national newsroom that produces detailed health-related journalism and is among the main operating programs of KFF. It is an independent source of health research, polling, and journalism. Find out more details about KFF.