Andrea Downing had been providing and receiving support on Facebook for six years when she discovered her health support group on the platform wasn’t as private as she thought.
Downing had joined the BRCA Sisterhood, a Facebook group that now includes around 9,500 women with hereditary cancer risk-related mutations, to find help coping with her own BRCA1 mutation. BRCA1 and BRCA2 mutations increase the risk of breast and ovarian cancer, as well as some other types of cancer.
The BRCA Sisterhood was a closed group, meaning only members could see posts made in the group. This setting gave members—not all of whom are open about their mutations elsewhere—a sense of privacy.
But in 2018, as she read about how the political consulting firm Cambridge Analytica had gathered information from Facebook users without their permission, Downing started to wonder what information about her group’s members was available to outsiders.
Downing, who had worked in the technology industry, began to explore tools available to developers who make software that interfaces with Facebook. She realized she could download en masse the names and other data, such as hometown, employer, phone number and email address, associated with the profiles of every woman in the BRCA Sisterhood group. Because women must have mutations linked to hereditary cancer to join the group and Facebook users are required to provide their full names, this was tantamount to providing a list of women with specific inherited mutations.
Before widely sharing her concerns, Downing sought advice from Fred Trotter, an expert in cybersecurity and founder and chief technology officer of the health data analysis company CareSet Systems in Houston. Trotter, whom Downing had met previously at a health conference, told her she had uncovered a security vulnerability that she needed to report privately to Facebook before telling others about it, a practice called responsible disclosure. “That was the start of my crash course in cybersecurity and responsible disclosure,” Downing says.
People affected by cancer say they have found support online that they could not find anywhere else. But even as patients find unparalleled connections, they are also asking about the privacy implications of sharing personal health information in the online spaces where their communities have taken root.
“Disclosure has always been a challenge … but social media just provides so many more opportunities for people to have their disclosure choices taken away from them,” says attorney Joanna Morales, the co-founder and chief executive officer of Triage Cancer, a nonprofit organization based in Malibu, California, that provides education on legal and practical issues for people affected by cancer.
Soon after Downing and Trotter reported the vulnerability, which Downing dubbed SicGRL, Facebook made changes so that nonmembers of a closed group could no longer view or download a membership list. (Facebook recently changed the name of these groups from closed to private.) Facebook has said that SicGRL did not constitute a privacy loophole and that changes to its settings were not a response to the report made by Downing and Trotter. In years prior to this change, Facebook explained on a help page that anyone could see membership in a closed group, although Trotter points out that using automated means to download members’ names from a group violated the Facebook terms of service. Regardless, Downing and Trotter say that moderators and group members often did not realize that membership was public.
Downing and Trotter, along with other experts and leaders in various Facebook communities, have since founded a nonprofit organization, the Light Collective, to help members of online patient support groups assess their security and privacy and develop better practices for maintaining online communities.
“Thinking about the value of a community and the vulnerabilities of a community is an important shift in thinking for patient support groups,” Downing says. “I think we can bridge that gap.”
Decisions About Disclosure
A first step for patients seeking support online, says Morales of Triage Cancer, is to stop and ask themselves how much they want to share with others.
“You turn to the social media groups without really thinking past ‘I just want help,’” says Karl Surkan, a health activist and gender studies lecturer at Massachusetts Institute of Technology in Cambridge who is part of the advisory board for the Light Collective.
Some people are comfortable being open about their health. Surkan has shared in news articles and on social media his experience as someone who is transgender, has a BRCA1 mutation and was diagnosed with breast cancer. “You have to kind of balance the gain versus the risk,” Surkan says. “For me, I think, being an educator and an activist, I felt it was more important to have my story be there in public than to maintain that ironclad privacy.”
Karen Lazarovitz of Montreal learned about her BRCA2 mutation in 2008 at age 34. She says she started the BRCA Sisterhood Facebook group in 2009 with one other woman, who lived in California, as a safe place for peers to discuss things. Lazarovitz has been featured in news articles and shares her story publicly on her Instagram, Facebook and Twitter profiles. But she feels a responsibility toward members of the BRCA Sisterhood who do not want to be so open.
“Everybody deals with their own challenges differently,” Lazarovitz says. “You don’t need to be that person who always speaks up.”
Consequences of Sharing
There can be very good reasons for wanting a diagnosis to be private. Liz Salmi was diagnosed with a slow-growing brain cancer called astrocytoma in 2008 at age 29 and initially did not want future employers to find out about her diagnosis.
Salmi checked the settings on her Facebook account to make sure that people who were not her friends could not see her posts. She joined Twitter using the handle @TheLizArmy, purposely leaving out her last name. She searched for herself online to make sure her cancer diagnosis did not come up. “I was afraid about being discriminated against by employers,” Salmi says.
Salmi went on to co-found the #btsm Twitter community, which holds monthly chats about brain tumors, in 2013. However, she only started using her full name on Twitter in 2016, after she began working in health care.
Workplace discrimination is a valid concern for cancer patients, according to Rebecca Nellis, executive director of the nonprofit organization Cancer and Careers, which helps cancer patients and survivors navigate issues surrounding employment. “You do need to know that in the work space, there is a good chance people are going to Google you, so it’s important to be aware of your online footprint,” she says.
There are some legal protections against discrimination based on a cancer diagnosis in employment, health insurance, housing and education, says Morales. There are also protections against discrimination based on hereditary mutations in employment and health insurance. However, it can be difficult to prove one has been discriminated against due to a health condition and not passed over for some other reason. “The bottom line is we see discrimination,” says Morales.
Disability insurers may monitor patients’ social media activity to help determine if they qualify for the benefits they are receiving.
There are other areas where patients’ health information can be used against them in ways that are perfectly legal. While health insurers currently are not permitted to deny coverage or charge patients more because of preexisting conditions or hereditary mutations, providers of disability, life and long-term care insurance can deny coverage and set premiums based on health history or genetics in many states, says Morales. Disability insurers also search patients’ social media and can use that information to contest claims.
People may also not want their children, other family members, friends or romantic prospects to find out online about their cancer diagnosis or genetic mutations. “This issue can also come up in a meaningful way after a diagnosis when it comes to dating and relationships,” says Nellis. “How much [information] do you want online about your cancer experience before you’ve had a glass of wine or a cup of coffee with someone?”
Searching for Solutions
Patients can maintain some control over their online privacy by being mindful about the types of information they post.
Matthew Katz, a radiation oncologist, is active in several Twitter communities that hold regular cancer-related chats. He advises that “the best way to consider starting is to not interact initially, but only to observe and get a feel for the environment of what is shared online to get some sense of what you’re comfortable with.” Katz practices medicine at Radiation Oncology Associates in Lowell, Massachusetts, and Manchester, New Hampshire.
Some patients may want to advocate for a topic that is important to them, Katz says, while being private about other aspects of their diagnosis or treatment. As open as Salmi is today, she says she doesn’t share every detail about her medical care online, choosing instead to divulge information related to the issues she is passionate about.
For others, being mindful might mean thinking carefully about the tone of disclosures or about how their story appears to outsiders. Someone concerned about getting a job might consider “curating how you share that experience [of cancer] so that if a current or future employer sees it, it is seen through a framework that works better for the employment space,” says Nellis. That could mean taking down old posts, or it could mean posting new social media or blog posts that provide more recent context to one’s experience.
Katz warns that platforms like Facebook that appear to provide privacy may give patients a false sense of security. “I think people just need to be aware that whatever becomes digital is potentially public, regardless of whether the platform says it’s going to be private or not,” Katz says.
The rise of crowdfunding by cancer patients and their families and friends comes with privacy concerns.
On a single day in 2018, researchers identified more than 37,000 crowdfunding campaigns on the platform GoFundMe that were raising money to help people with cancer, according to a study published Sept. 9, 2019, in JAMA Internal Medicine.
People who are setting up these campaigns may not realize they may be disclosing sensitive health information, according to Jeremy Snyder, a bioethicist who studies medical crowdfunding at Simon Fraser University in Burnaby, British Columbia. Snyder was not involved in the JAMA Internal Medicine study.
Crowdfunding campaigns can be indexed by search engines. “Even if you are targeting the crowdfunding campaign at your friends and family or neighbors and you’re not trying to go viral or reach a huge [audience], this is a public document,” Snyder says.
People starting crowdfunding campaigns are typically advised to “provide as much detail as possible,” according to Snyder, including information about the diagnosis and exactly how money will be used. People are also told to post pictures and frequent updates. “If you’re going to go down the route and actually succeed, then you do fundamentally have to give up your privacy,” Snyder says.
Joanna Morales, a co-founder of the nonprofit organization Triage Cancer, points out another problematic aspect of crowdfunding: The patient often does not create the campaign. A family member or friend may end up sharing another person’s health information without permission. “It comes from such a good place,” Morales says, “but if that person didn’t want to disclose … then that’s just one more place where people are being outed.”
The Rise of Big Data
Patients can take basic precautions, but it can be hard to seek support on the internet without leaving a trace. “I think at some point, unless you have no online footprint, companies are collecting data,” says Morales.
The Health Insurance Portability and Accountability Act (HIPAA) restricts how health care providers and health insurers can share the health information of people receiving care from them or whom they insure. But this protection does not apply to most websites where cancer patients form support groups.
The Federal Trade Commission (FTC) can crack down on unfair or deceptive practices surrounding privacy by businesses. The FTC also states that personal health record companies—companies that offer patients a space to store their health information electronically—must notify patients when there is a data breach that releases health information. Trotter and Downing say that Facebook has marketed itself as a space for patients to share health information and that it is therefore a personal health record company. The FTC has not taken action to indicate that it classifies Facebook as such.
Anyone who was willing to violate the terms and conditions of Facebook could have used automated means to compile full lists of members of health support groups while the SicGRL vulnerability went uncorrected, says Trotter, and a malicious actor could still join groups under false pretenses to gather data. The uses of the data could range from targeted marketing to blackmail against people who didn’t want their data shared.
Websites can also track what pages users visit and their behavior and either use the data themselves or sell it. Companies might use browsing data to target advertising at people they believe to be breast cancer patients, for instance. Or data gathered from patients’ online behavior could be combined with banking records, shopping records and data from other sources “to present these very multidimensional … representations of who you are and what you do, which are sold to all kinds of institutions that have real impact on our lives,” such as credit monitoring agencies, explains Kirsten Ostherr, a media scholar, health researcher and technology analyst at Rice University in Houston.
Mary Ebeling, a sociologist who studies big data and health care at Drexel University in Philadelphia, says that as long as patients are participating in the financial or medical system, they are sharing their health data in some form. Companies can gather detailed information on where people spend their money, including spending on health care. They also can collect large swaths of de-identified data on prescriptions and other interactions with the health care system. And companies make educated guesses about a person’s health based on characteristics like race, education, neighborhood and spending habits. “It goes beyond online data,” Ebeling says. “That is the tip of the data iceberg.”
Organizations offer guidance for cancer patients seeking to better understand their online footprints.
Cancer and Careers offers a guide to help cancer patients manage their online footprints.
Triage Cancer provides a primer on making decisions about disclosure, including tips for sharing information about cancer online.
As Downing and other members of the BRCA and cancer communities discussed their growing concerns about who could see their health data and how it was being used, they began to think about a name for their group. An early name floated was Operation Lifeboat, Downing recalls, because members saw the BRCA Sisterhood as stranded on Facebook.
The group ultimately rejected that name because it came from a place of fear. People seeking online support for cancer or a BRCA mutation are already going through trauma, says Downing. “The last thing people need right now is to be scared.” The group decided it wanted to instead act as a lighthouse that would help support groups foster positive and safe connections.
Downing received a grant from the Robert Wood Johnson Foundation to hold the Project Lighthouse summit in March 2019 in Washington, D.C., to discuss how to foster more secure, transparent and sustainable online communities. Out of that summit emerged the Light Collective.
In a blog post titled “Our Cancer Support Group on Facebook Is Trapped,” Downing asked leaders of other Facebook support groups who have similar concerns to get in touch. So far, more than 30 leaders and organizers of Facebook support groups for cancer patients and people with other health conditions have replied, Downing says. These leaders’ groups have a total of more than 50,000 members.
The purpose of the Light Collective isn’t to tell people to leave Facebook and move to a specific platform, Downing says. Instead, the organization supports communities in making their own decisions about what platforms to use and how to govern and protect their groups. The Light Collective has so far created guidelines for forming fair partnerships and protecting one’s group from security threats.
Downing is making it her responsibility to investigate these things because of how important the online support has been to her, she says. Her mother was diagnosed with stage III breast cancer when Downing was 3 years old, and many of her earliest memories are of not knowing if her mother would live or die. Downing first learned about her BRCA1 mutation in 2005, at age 25, but she didn’t seek out others with BRCA mutations until 2012 in the months before receiving a preventive mastectomy. Before seeking support online, she remembers being isolated and terrified of her future.
“It took me … years to realize the immense value of support from people who were going through the same thing I was, in addition to support from the medical and scientific communities,” Downing says. “I think we don’t do justice to the power and clinical efficacy of peer support as we navigate a health care system that often doesn’t know these communities’ needs. We fill the gaps with each other, and I want to protect that.”
Cancer Today magazine is free to cancer patients, survivors and caregivers who live in the U.S. Subscribe here to receive four issues per year.