Researchers from the University of Pennsylvania have found that third-party tracking is present on 98.6% of hospital websites, which may lead to potential privacy risks for patients and legal liability for hospitals.

“Hospitals in health systems, hospitals with a medical school affiliation, and hospitals serving more urban patient populations all exposed visitors to higher levels of tracking in adjusted analyses,” according to the study published in Health Affairs. “By including third-party tracking code on their websites, hospitals are facilitating the profiling of their patients by third parties.”

The third-party tracking includes transfers to large technology companies, social media companies, advertising firms, and data brokers.

Marcus Schabacker, MD, PhD, president and CEO of ECRI, says in response to the study: “Besides the severe violation of privacy, ECRI is concerned this data will allow nefarious, bad actors to target vulnerable people living with severe health conditions with advertisements for non-evidence-based snake oil ‘treatments’ that cost money and do nothing—or worse, cause injury or death.”

The study’s researchers determined the presence of potentially privacy-compromising data transfers to third parties on a census of U.S. nonfederal acute care hospital websites. The researchers used descriptive statistics and regression analyses to determine the hospital characteristics associated with a greater number of third-party data transfers. 

“Hospitals must stop this practice immediately by removing third party tracking from their websites and, along with advertisers, take responsibility or be held liable for any harm that can be traced back to a data sharing arrangement,” adds Schabacker. “In partnership with their chief information security officers, hospitals should alert patients who had their private health data compromised and warn them about potential risks. In cases where a clear violation has been committed, legal action may be warranted.”