Analysis of Addiction Treatment mHealth Sites Highlights Data Privacy Risks

November 23, 2022 - An analysis of a dozen opioid use disorder (OUD) treatment and recovery websites revealed significant data privacy concerns and a need for stronger legal protections for addiction treatment data, a report by the Opioid Policy Institute and the Legal Action Center suggested.

The two organizations teamed up to analyze the websites of 12 virtual care platforms that provide OUD treatment or recovery services using the publicly available “Blacklight” tool, described as a “real-time website privacy inspector”, developed by The Markup.

Over the 16-month observation period, researchers observed the use of third-party session cookies, key logging, Meta Pixel and Google Analytics use, and the presence of ad trackers. The research was unable to determine whether or what information was actually collected or how it was being used. However, the websites were consistently using tools with the capability to collect sensitive information.

According to the report, all 12 websites used ad trackers capable of identifying people who visited the sites, and 11 of the 12 sites used third-party cookies, which could identify people who visited the sites and track them across other websites. Half of the websites used Meta Pixel at some point during the observation period.

As previously reported, Meta is now facing multiple lawsuits after its pixel was found on hundreds of hospital websites and password-protected patient portals. The organizations that reported breaches stemming from the use of the pixel had initially implemented the tool to measure visitor preferences and trends, later discovering that the pixel may have been sending sensitive information back to Meta.

It is important to note that the use of these trackers and cookies is not illegal. Rather, the ambiguity surrounding how they are used and what data they may be collecting raises some privacy concerns.

The few companies that responded to the researchers’ request for comment largely said that they use these tracking tools to monitor website usage and do not send protected health information to third parties.

Findings Show Need For Greater Online Privacy Protections

Confidentiality has always been a key component of addiction treatment and recovery services, largely due to ongoing stigma, discrimination, and legal risks. Narcotics Anonymous and overdose prevention sites “all operate on the foundational premise of anonymity.”

What’s more, “[m]any of the OUD mHealth websites marketed themselves as ‘private,’ ‘secure,’ or ‘100% confidential,’” the report noted.

HIPAA and other privacy laws also protect addiction treatment data specifically. Even so, researchers suggested that privacy legislation has not kept pace with the recent uptick in telehealth use, spurred by the pandemic.

“More information is also needed about whether and how these OUD mHealth websites and their services comply with existing federal health privacy laws,” the report stated.

The Opioid Policy Institute and the Legal Action Center researchers suggested that legislators consider taking additional steps to safeguard addiction treatment data.

“Individuals seeking support for addiction or recovery-related services deserve the same standards of confidentiality, privacy, and security regardless of whether they are seeking services online or in person,” the report continued. “And they deserve transparency about those standards.”