
Thirty Madison Data Privacy Investigation

The Lyon Firm is investigating Thirty Madison telehealth websites for potential data tracking technology and health privacy violations.

According to a recent investigation published on The Markup website, popular telehealth websites, including those operated by Thirty Madison, have allegedly been using data tracking tools and sharing users’ medical and personal information with Facebook and other big tech companies.

This private information on telehealth websites (Cove, Facet, Nurx, Picnic, Keeps) might be shared with tech companies through the use of tracking code and without user consent.

The Markup reported that 49 direct-to-consumer telehealth companies had third-party tracking code on their sites, with the potential to share data with third parties. The study follows another privacy report that revealed many healthcare systems in the U.S. using tracking code on their web portals.

In many cases, user answers to medical questionnaires regarding health conditions, medical histories, and drug use were sent to big tech firms. Dozens of the telehealth websites shared email addresses, phone numbers, and full names.

Information collected from some websites is sent to Meta, Google, TikTok, Bing, Snap, Twitter, LinkedIn, and Pinterest, possibly for future use in targeted advertising.

Thirty Madison operates the following websites:

  • Keeps: treatment for men’s hair loss
  • Cove: treatment for migraine
  • Nurx: treatment for sexual and reproductive health
  • Picnic: treatment for allergies
  • Facet: treatment for skin disorders

In response to the investigation, a spokesperson from Thirty Madison released this statement:

“Maintaining patient trust is critical to Thirty Madison. We have launched an internal review into the referenced third party tracking tools.”

Can I Sue Thirty Madison for HIPAA Violations?

The Lyon Firm is still investigating whether any data collection process was unlawful. Remote healthcare providers are HIPAA-covered entities and disclosures of protected health information are therefore restricted by the HIPAA Privacy Rule. The HHS’ Office for Civil Rights has confirmed that the use of third-party tracking code on health websites violates HIPAA if that tracking code collects and transfers protected health information (PHI) to third parties unless the third party qualifies as a business associate.

Sometimes telehealth websites are not actually bound by HIPAA rules, but more often the information collected through these websites is passed on to HIPAA-covered entities. In a scramble to protect themselves, some have begun removing tracking technology from their websites to review the legality of their business.

Some healthcare systems have added these tracking technologies to their websites to improve the user experience, while others may be benefiting financially.

The question is more about transparency, as many users are unaware that information they provide directly through answers on web forms and medical questionnaires can be shared with other companies.

It is also unclear to consumers how the big tech companies use the transferred data, though there are some obvious theories. Meta has been named a defendant in several privacy lawsuits, some of which allege health data has been used to serve targeted advertising.

Experts have said new regulation is needed because the current privacy regulations like HIPAA were not made for telehealth companies like Thirty Madison, leaving huge gaps in the law.

If you have reason to believe your personal information has been compromised by Cove, Facet, Nurx, Picnic, Keeps or another telehealth website, contact the Lyon Firm to discuss your personal privacy and potential legal action.