Privacy Report 2 -- Websites for Opioid Addiction Treatment and Recovery Services: Data Sharing and Privacy Risks
Addiction treatment and recovery services are increasingly delivered online and through mobile apps. The websites for these services handle multiple functions, including: to screen and enroll patients; to receive patient referrals from providers; to provide a telehealth platform; a destination for online advertising; to inform potential patients and providers about the services offered; or to direct potential patients to install the mobile app. Current and prospective patients, as well as providers, interact with these services’ websites in order to learn more or to access help. Virtual care platforms for addiction treatment and recovery services are commonly presented and perceived as being more private than in-person treatment.
Privacy is an essential component of addiction treatment and recovery due to the various risks associated with disclosing drug use, and due to persistent stigma and discrimination against people with substance use disorders. Concerns about confidentiality frequently rank among individuals’ most common reasons for not accessing substance use disorder treatment.[1] Many addiction treatment providers follow strict federal confidentiality requirements,[2] and many recovery support services and harm reduction services operate on the central premise of anonymity. Privacy rights are inherently bound with individuals’ right to bodily autonomy and self-determination – issues which are currently in the spotlight following the Supreme Court’s Dobbs decision and the wave of state laws criminalizing abortion. The privacy features of these virtual care platforms’ websites, however, are not well studied.[3]
Using the publicly available Blacklight tool developed at The Markup,[4] we analyzed the websites of 12 virtual care platforms for opioid use disorder (OUD) that provide treatment or recovery services (hereinafter referred to as “OUD mHealth websites") at four timepoints over 16 months. We assessed various data collection practices, including the use of ad trackers, third-party session cookies, session recording, key logging, Meta (Facebook) Pixel, and Google Analytics. These 12 websites averaged 57,000 website visits each in June 2022, and their respective companies have received a combined $795 million in public and venture capital funding.
[1] See, e.g., Substance Abuse and Mental Health Services Administration, Key Substance Use and Mental Health
Indicators in the United States: Results from the 2020 National Survey on Drug Use and Health, A-58 (Oct. 2021),
available at https://www.samhsa.gov/data/data-we-collect/nsduh-national-survey-drug-use-and-health.
[2] 42 USC § 290dd-2; 42 CFR Part 2.
[3] Our previous study analyzed the privacy issues with 10 apps for opioid use disorder treatment and recovery services; see Report 1: Privacy and Security of Digital Opioid Addiction Treatment and Recovery Apps in the Google Play Store.
[4] “The Markup is a nonprofit newsroom that investigates how powerful institutions are using technology to change our society.” About Us, The Markup, https://themarkup.org/about (last visited Aug. 17, 2022).