Lisa McLaughlin, who was co-CEO of WorkIt Health at the time she provided comment but has since departed the business, says the company “is committed to creating a safe place for our members to receive discreet and accessible virtual care.” A representative for Confidant Health echoes that the company recognizes the importance of privacy in SUD care and will “continue to adhere to HIPAA and similar legislation as well as upholding our own internal protocols which we developed to protect our members.”
Representatives from other companies included in the study did not deny the use of the third parties that researchers identified, but they maintained that this poses no threat to patient privacy and is in keeping with standards across the internet and in the medical space.
Nick Mercadante, founder and CEO of PursueCare, says his company does not collect, store, or forward protected health information from visiting users, and that patients don’t receive their care directly on the PursueCare site. He also said PursueCare does not share protected health information (PHI) with third parties, though it does “utilize Facebook Pixel and Google Analytics for internal reporting purposes.”
“It is a reality that users of most websites on the internet today are subject to collection of user data,” Mercadante says. “Health-care-related websites, including those of health systems, hospitals, inpatient care facilities, and other brick-and-mortar care facilities, are no different.”
Pear Therapeutics, responsible for reSET-O, notes it doesn’t share PHI without patient consent, does not use any digital footprints to identify user identities, and reports data “on an aggregated and de-identified basis.”
Experts remain concerned by the collection of the data in the first place, de-identified or not, but acknowledge that what’s happening here isn’t illegal and is likely to continue for that reason. Danielle Tarino, who formerly led the health IT team at SAMHSA and now works in cybersecurity, has spent a considerable chunk of her career investigating the privacy implications of mHealth, especially for people with substance use disorders. She believes the best shot at protecting privacy will come from the creation and implementation of additional tools.
“This is how small tech businesses work, and absent anyone telling you that you’re not allowed to do that, you’re allowed to do that,” she says, questioning whether the sites’ use of ad trackers and outside software boils down to finances. Clark, too, expresses concerns that the use of data collection is financially motivated and, for the right price, could be sold or leased to law enforcement or other parties. “When there’s monetary incentives, people make the changes. When there are no monetary incentives, they don’t,” he says. In short, data privacy experts don’t anticipate that mHealth companies will stop collecting data unless forced.
The opinions of cybersecurity professionals and telehealth company CEOs are relevant, but perhaps most important are the opinions of individuals with substance abuse disorders, the people who stand to lose the most if experts’ fears are realized and for whom Part 2 was designed. After being shown the data from the analysis, one patient who utilizes brick-and-mortar health care providers said via direct message, “Thank you for reaffirming why I don’t use telehealth.” He added that he wasn’t sure the findings would stop anyone from using telehealth if that were the only way they could get treatment. Those patients would simply have to trust their providers act in their best interest.
Another patient who uses one of the companies analyzed by the OPI and LAC was alarmed by the findings.“They should [be required to] have a service that prevents them from being able to track anything like that,” he says.
“How much is my information worth?” he asks, questioning whether data from his and other patients’ website use was more valuable than the few hundred dollars they generate each month as patients. “It’s so scary. This is the first time in my life I’m not on probation in 10 years. Now, I’m not. Thinking that someone could really just look at that … Who knows what’s going to happen?”
Update 10:15 am EST, 11-18-22: WorkIt Health says that Lisa McLaughlin left the company between the time she provided comment and publication. We’ve updated the piece to reflect that she is no longer WorkIt Health’s co-CEO.