Looking for an at-home HIV test on CVS’ website is not as private an experience as one might think. An investigation by The Markup and KFF Health News found trackers on CVS.com telling some of the biggest social media and advertising platforms the products customers viewed.

They found trackers collecting browsing- and purchase-related data on websites of 12 of the U.S.’ biggest drugstores, including grocery store chains with pharmacies, and sharing the sensitive information with companies like Meta (formerly Facebook), Google through its advertising and analytics products; and Microsoft, through its search engine, Bing.

The tracking tools, popularly called “pixels,” collect information while a website runs. That information is often sent to social media firms and used to target ads, either to you personally or to groups that resemble you in demographics or habits. In previous investigations, The Markup found pixels transmitting information from the Department of Education, prominent hospitals, telehealth startups, and significant tax preparation companies.

Many retailers shared other detailed interaction data with advertising platforms as well. Ten of the retailers we examined alerted at least one tech platform when shoppers clicked “add to cart” as they shopped for retail goods, a capacious category that included sensitive products like prenatal vitamins, pregnancy tests, and Plan B emergency contraception.

Supermarket giant Kroger, for instance, informed Meta, Bing, Twitter, Snapchat, and Pinterest when a shopper added Plan B to the cart and informed Google and Nextdoor, a social media platform on which people from the same neighborhood gather in forums, that a shopper had visited the page for the item. Walmart informed Google’s advertising service when a shopper browsed the page of an HIV test and Pinterest when that shopper added it to the cart.

In the U.S., drugstores and grocery stores with associated pharmacies are only partially covered by the Health Insurance Portability and Accountability Act, or HIPAA. The prescriptions picked up from the pharmacy counter do have this protection.

Using the Firefox web browser’s Network Monitor tool and with the help of a patient with an active prescription at Rite Aid, KFF Health News and The Markup also found Rite Aid sending the names of patients’ specific prescriptions to Facebook. Rite Aid kept sharing prescription names even after the company stopped sharing answers to vaccination questions in response to the proposed class action (which did not mention the sharing of prescription information). Rite Aid did not respond to requests for comment, and as of June 23, the pixel was still present and sending the names of prescriptions to Facebook.

So what’s going on here?

Advertising on the internet is big money, and your privacy is being compromised. When I was doing research for a client on diabetes, I was suddenly bombarded with ads for diabetes products.

Pharma companies should add a callout on their websites that state that your personal information will never be shared with ANYONE.