ECRI officials say they are “deeply disturbed” by reports that nearly 99% of hospitals in the United States have third-party tracking on their websites that transfers sensitive health data to technology and social media companies, advertising firms, and data brokers.
“Besides the severe violation of privacy, ECRI is concerned this data will allow nefarious, bad actors to target vulnerable people living with severe health conditions with advertisements for non-evidence-based snake oil ‘treatments’ that cost money and do nothing—or worse, cause injury or death,” says Marcus Schabacker, MD, PhD, president and CEO of ECRI.
ECRI advises hospitals to stop this practice immediately by removing third-party tracking from their websites and, along with advertisers, to take responsibility or be held liable for any harm that can be traced back to a data-sharing arrangement. In partnership with their chief information security officers, hospitals should alert patients who had their private health data compromised and warn them about potential risks.
“In cases where a clear violation has been committed, legal action may be warranted,” says Schabacker. “This discovery underscores the need to update health technology and information regulations, including the Health Insurance Portability and Accountability Act (HIPAA), which do not address many questionable practices that have developed since their enactment.”