In a video shared with The Washington Post, Lockdown founder Johnny Lin visited the Planned Parenthood website, opened the provider search, input a Zip code and selected “surgical abortion” as a service. As he clicked through the process, a development tool let him see how data such as his IP address was being shared with Google, Facebook and many other third-party companies. Only the companies would know for sure how they use our data, but any data sitting on servers is vulnerable to potential cyberattacks or government subpoenas. In a criminal abortion case, an IP address would be pertinent, because with the help of internet service providers, law enforcement can trace IP addresses back to individuals.
“Let’s be clear: No scheduling or protected health information (PHI) has been breached,” said Diana Contreras, chief health-care officer for Planned Parenthood Federation of America in the statement to The Washington Post. “Out of an abundance of caution, Planned Parenthood will suspend marketing pixels on webpages related to abortion search, and will be engaging with Meta/Facebook and other technology companies about how their policies can better protect people seeking abortion care.”
Planned Parenthood also said that it has a separate tool for scheduling and confirming appointments that it says is compliant with HIPAA (The Health Insurance Portability and Accountability Act of 1996, which protects sensitive health information on patients) and free from marketing trackers. It doesn’t consider the information shared with Google and others to be “scheduling” information, and Contreras added that “it is unconscionable, especially at a time of chaos and confusion in the wake of the Supreme Court decision to overturn Roe v. Wade, to spread misinformation and elevate bad actors who are intimidating and dissuading people from seeking abortion and other sexual and reproductive health services.”
Planned Parenthood’s statement comes as President Biden prepares a letter to the Federal Trade Commission asking it to expand protections for people seeking abortion information or services, including banning unfair or deceptive data sharing practices, according to a report from Bloomberg.
Amid fears and questions about how much information health-care providers and digital data collectors could share about people seeking abortions if state governments asked for it, the U.S. Department of Health and Human Services issued new guidance on how to protect your health information when using an internet-connected device.
It also released a reminder that HIPAA-covered entities can share protected health information only in narrow circumstances governed by HIPAA’s Privacy Rule — for example, the Privacy Rule “permits but does not require covered entities to disclose PHI about an individual for law enforcement purposes,” the notice reads. But HIPAA doesn’t cover much of the digital data we share surrounding our health concerns, such as our internet searches or the data Planned Parenthood was sending to third parties.