Facebook is notorious for several scandals that suggest a lax approach to privacy. Now, another case has been reported by The Markup: a tracking tool installed on many US hospitals’ websites collects sensitive medical data from patients – including details about their health, prescriptions and doctor’s visits – and sends it to Facebook.
The Markup magazine tested the websites of hundreds of major US hospitals. On 33 of them, it found that the Meta Pixel tracking element sends a data packet to Facebook when the user clicks the button to book a doctor's appointment. This data is associated with an IP address – an identifier that can generally be linked to a specific person or household.
They booked a doctor's appointment, Facebook got an echo
For example, on the University Hospitals Cleveland Medical Center website, clicking the “Schedule Online” button on a doctor’s page caused Meta Pixel to send Facebook the button text, the doctor’s name, and the search term the editors had used to find him, which in this case was “Abortion”.
Clicking the “Schedule Online” button on a doctor’s page on the website of Froedtert Hospital in Wisconsin caused Meta Pixel to send Facebook the button text, the doctor’s name and the condition the editors had selected from the drop-down menu: “Alzheimer’s disease”.
In addition, The Markup found that Meta Pixel is installed on the patient portals of seven healthcare systems, which can only be accessed after logging in. The data sent included drug names, descriptions of allergic reactions, and details of upcoming doctor visits.
Reasons for deep concern
Health data security experts and privacy advocates who read The Markup’s findings said the hospitals in question could be violating federal law, which prohibits entities from sharing identifiable health data with third parties such as Facebook unless the individual expressly agrees in advance or the sharing takes place under certain agreements.
Neither the hospitals nor Meta indicated that they had such contracts, and The Markup found no evidence that any of the parties involved had demonstrably obtained the explicit consent of patients in any other way.
“I am deeply concerned about what they (hospitals) do with collecting and sharing their data,” said David Holtzman, a health care consultant who previously served as chief privacy adviser at the U.S. Department of Health and Human Services’ Civil Rights Bureau.
Threats to the privacy of millions of patients
Medical facilities reacted differently to the findings. For example, University Hospitals Cleveland Medical Center spokesman George Stamatis did not answer questions, but said in a brief statement that the hospital “complies with all applicable federal and state laws and regulatory requirements”. Froedtert Hospital chose to remove Meta Pixel from its website after reviewing the findings.
As of June 15, Meta Pixels had also been removed from the appointment booking pages of six other hospitals, and at least five of the seven medical systems that had Meta Pixels installed on their patient portals had removed the code.
According to available data from the American Hospital Association, the 33 hospitals that were found to send patient appointment data to Facebook reported a total of more than 26 million hospitalizations and outpatient visits in 2020. It can be assumed that the data sharing is likely to involve many more patients and institutions.
What did Facebook use it for?
Facebook itself is not subject to the laws that apply to hospitals, but experts have expressed concern about how the advertising giant could use the collected health data for its own profit. “This is an extreme example of how far the tentacles of big technology reach into what we consider protected,” said Nicholson Price, a professor of law at the University of Michigan. “I think it’s scary, problematic and potentially illegal.”
The Markup was unable to determine whether Facebook used the data to target ads, train its recommendation algorithms, or otherwise profit. The parent company of Facebook – Meta – did not comment on this topic.
Meta Pixel tracks users as they browse websites and records which sites they visited, which buttons they clicked, and what information they entered into forms. It is one of the most widespread tracking tools on the Internet – it is present on more than a third of the most popular websites. In exchange for the installation, Meta provides website owners with analytics about the ads they have placed on Facebook and Instagram, and tools for targeting people who have visited their websites.
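A site operator can check its own pages for this kind of leak by recording the requests made during a visit and scanning every third-party request for the values the tester entered. The following is an added example, not code from The Markup or Meta; the site hospital.example, the pixel ID, the doctor's name and the captured requests are constructed, and the scan is an assumed audit approach.

```javascript
// Constructed capture of requests made while clicking "Schedule Online" on a
// hypothetical site (hospital.example). Names, IDs and values are not real traffic.
const pageUrl = "https://hospital.example/doctors/jane-doe?search=" +
  encodeURIComponent("Alzheimer's disease");
const SAMPLE_REQUESTS = [
  { url: "https://hospital.example/api/schedule?doctor=Jane+Doe", body: "" },
  { url: "https://www.facebook.com/tr/?id=0000000000&ev=SubscribedButtonClick" +
         "&cd[buttonText]=" + encodeURIComponent("Schedule Online with Dr. Jane Doe") +
         "&dl=" + encodeURIComponent(pageUrl), body: "" },
  { url: "https://cdn.example.net/fonts.css", body: "" },
];

// Undo percent-encoding repeatedly so values nested inside another URL
// parameter (such as the page URL handed to a tracker) become searchable.
function deepDecode(text, rounds = 3) {
  let out = text.replace(/\+/g, " ");
  for (let i = 0; i < rounds; i++) {
    let next;
    try { next = decodeURIComponent(out); } catch { break; } // malformed escape
    if (next === out) break;
    out = next.replace(/\+/g, " ");
  }
  return out.toLowerCase();
}

function isFirstParty(host, firstPartyHost) {
  return host === firstPartyHost || host.endsWith("." + firstPartyHost);
}

// Report every third-party request whose URL or body carries a sensitive term.
function findLeaks(requests, firstPartyHost, sensitiveTerms) {
  const findings = [];
  for (const req of requests) {
    let parsed;
    try { parsed = new URL(req.url); } catch { continue; } // skip unparsable entries
    if (isFirstParty(parsed.hostname, firstPartyHost)) continue;
    const haystacks = { url: deepDecode(parsed.pathname + parsed.search),
                        body: deepDecode(req.body || "") };
    for (const term of sensitiveTerms) {
      for (const [where, text] of Object.entries(haystacks)) {
        if (text.includes(term.toLowerCase())) {
          findings.push({ host: parsed.hostname, term, where });
        }
      }
    }
  }
  return findings;
}

console.log(findLeaks(SAMPLE_REQUESTS, "hospital.example",
                      ["Alzheimer's disease", "Jane Doe"]));
```

The search term is found even though it only appears double-encoded inside the page URL passed along with the request, which a plain substring search over the raw capture would miss.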