Study Finds Security Vulnerabilities In Opioid Addiction Treatment Websites

According to a recent analysis from the Opioid Policy Institute (OPI) and Legal Action Center (LAC), several websites used to provide opioid addiction treatment and rehabilitation services have privacy and data sharing vulnerabilities. More and more, services for addiction treatment and recovery are offered online and through mobile applications, with the websites handling various tasks including patient interaction, telehealth visits, patient enrollment and screening, and referral acquisitions.

Websites that handle and transmit patient data concerning opioid addiction treatment need robust security and privacy controls because of the stigma associated with drug addiction: concern for confidentiality is one of the most frequent reasons individuals give for avoiding substance abuse treatment. While providers are required to ensure patient confidentiality under laws such as the Health Insurance Portability and Accountability Act (HIPAA), little research has been conducted on the privacy and security practices of providers' websites. To address this, OPI and LAC collaborated on the study and examined the websites of 12 virtual care platforms over a period of 16 months using the Blacklight tool created by The Markup. In June 2022, these websites received approximately 57,000 visits per month on average. Blacklight was used to evaluate each site for ad trackers, third-party session cookies, session recording, keylogging, and third-party tracking code, including the code snippets produced by Google (Analytics) and Meta (Pixel).

Throughout the 16-month observation period, every website was found to make regular use of tools with the potential to gather and transmit sensitive information, and every website had weaknesses that threaten patient privacy. Each of the 12 websites employed ad trackers that could identify users, and 11 of the 12 used third-party cookies that track users' activity across the Internet. About half of the websites used Meta Pixel tracking code at some point during the 16-month period. The Meta Pixel lets a website analyze visitor behavior to identify preferences and trends that can improve the user experience, but the same code can capture sensitive data and transmit it to Meta, and it has been found to do so on numerous websites without users' permission. Although Meta's policy requires Pixel users not to send it sensitive information such as healthcare data, several healthcare providers have been found to have sent patient data to Meta. In the OPI study, four OUD (opioid use disorder) mHealth websites were found to have transmitted personally identifiable information to Meta.

In addition, Google Analytics was found on 10 of the 12 websites, even though Google's policy does not allow the code to be used to collect protected health information. All 12 websites featured advertising, and all 12 firms supplied some data to ad tech companies that buy and sell user data for advertising. The researchers report that the use of trackers on the websites grew overall over the course of the 16 months. These OUD websites often promoted themselves as private, secure, and 100 percent confidential despite the data sharing and privacy issues observed on them.
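The kind of check the study relied on can be approximated offline. The following is an added example, not Blacklight itself and not code from OPI, LAC or The Markup: it parses a fetched HTML page, pulls out external script URLs and inline script bodies, and flags the two tracker families the article names (Meta Pixel and Google Analytics) together with any third-party script hosts. The signature patterns are the publicly known loader URLs and global calls for those snippets, but the list is an assumption for illustration rather than a complete catalogue; the sample page, its hostname and the placeholder IDs are constructed.

```python
"""Static tracker audit for a fetched HTML page (added example, not Blacklight)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Loader URLs and global calls of the two tracker families the study names.
# Assumption: these are the well-known public snippet shapes; the list is
# illustrative, not exhaustive, and a real audit would keep it current.
SIGNATURES = {
    "meta_pixel": [
        r"connect\.facebook\.net/\S*fbevents\.js",
        r"\bfbq\s*\(",
    ],
    "google_analytics": [
        r"google-analytics\.com/analytics\.js",
        r"googletagmanager\.com/gtag/js",
        r"\bgtag\s*\(",
    ],
}
COMPILED = {name: [re.compile(p) for p in pats] for name, pats in SIGNATURES.items()}


class _ScriptCollector(HTMLParser):
    """Collects external <script src> URLs and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data)


def _strip_www(host):
    return host[4:] if host.startswith("www.") else host


def audit_page(html, page_url):
    """Return tracker families found and third-party script hosts for one page."""
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()

    page_host = _strip_www(urlparse(page_url).hostname or "")
    texts = collector.srcs + collector.inline

    trackers = set()
    for name, patterns in COMPILED.items():
        if any(p.search(t) for p in patterns for t in texts):
            trackers.add(name)

    third_party_hosts = set()
    for src in collector.srcs:
        host = urlparse(src).hostname
        # Relative URLs have no host and are first-party by definition. This is a
        # plain host comparison; a production check needs the public suffix list
        # so that cdn.example.org counts as first-party for example.org.
        if host and _strip_www(host) != page_host:
            third_party_hosts.add(host)

    return {"trackers": sorted(trackers), "third_party_hosts": sorted(third_party_hosts)}


# Constructed sample: an enrollment page that loads gtag.js and the Meta Pixel.
# The hostname and the measurement/pixel IDs are placeholders, not real values.
SAMPLE_HTML = """<!doctype html><html><head>
<title>Enroll - confidential screening</title>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-0000000000"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){ dataLayer.push(arguments); }
  gtag('js', new Date()); gtag('config', 'G-0000000000');
</script>
<script>
  window.fbq = window.fbq || function(){ (fbq.q = fbq.q || []).push(arguments); };
  (function(d){ var s = d.createElement('script');
    s.src = 'https://connect.facebook.net/en_US/fbevents.js'; d.head.appendChild(s); })(document);
  fbq('init', '000000000000000'); fbq('track', 'PageView');
</script>
<script src="/static/enroll.js"></script>
</head><body>
<form action="/screening" method="post"><input name="substance"><button>Submit</button></form>
</body></html>"""

if __name__ == "__main__":
    print(audit_page(SAMPLE_HTML, "https://example-clinic.test/enroll"))
```

On the sample page this reports both tracker families and `www.googletagmanager.com` as a third-party host; the Pixel loader is injected from inline JavaScript, so it is caught by the inline signature but not by the host list, which shows the limit of a static scan. Third-party cookies, session recording and keystroke capture, the other categories the study evaluated, only become visible when the page is executed in an instrumented browser and its network traffic and DOM event handlers are observed, which is why a static scan like this one is a screening step rather than a replacement for that kind of run.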