Facebook receives sensitive medical information from hospital websites through a tracking tool installed on their pages and patient portals

A tracking tool installed on the websites of many hospitals collects sensitive health information from patients, including details about their conditions, prescriptions and doctors’ appointments, and sends it to Facebook.

The Markup tested the websites of the 100 largest hospitals in the United States, according to Newsweek’s ranking, and here are the results of its investigation: on 33 of them, it found the tracker, called the Meta Pixel, sending Facebook a packet of data every time a person clicked a button to schedule a doctor’s appointment. The data is tied to an IP address – an identifier that is like a computer’s mailing address and can usually be linked to a specific person or household – giving Facebook an intimate record of the appointment request.

Most of the hospitals that had the tracker on their appointment-booking pages did not remove it, even after being contacted by The Markup.

On the University Hospitals Cleveland Medical Center website, for example, clicking the Schedule Online button on a doctor’s page prompts the Meta Pixel to send Facebook the button’s text, the doctor’s name, and the search term that was used to find the doctor: Termination of Pregnancy.

When the Schedule Online button is pressed on the website of Froedtert Hospital in Wisconsin, the Meta Pixel sends the text of the button, the doctor’s name, and the condition that The Markup selected from the dropdown list: Alzheimer’s.

The Markup also found the Meta Pixel installed inside password-protected patient portals of seven health systems. On five of those systems’ portals, The Markup documented the pixel sending Facebook data about real patients who volunteered to participate in the Pixel Hunt project, a collaboration between The Markup and Mozilla Rally. The project is a crowdsourced effort in which anyone can install the Mozilla Rally browser add-on to send The Markup data on the Meta Pixel as it appears on the sites they visit. The data sent from those portals included patients’ medication names, descriptions of their allergic reactions, and details of upcoming doctor’s appointments.

Former regulators, health data security experts and privacy advocates who reviewed The Markup’s findings said the hospitals in question may have violated the federal Health Insurance Portability and Accountability Act (HIPAA). Covered entities such as hospitals are prohibited by law from sharing personal health information with third parties such as Facebook, except where the individual has expressly consented beforehand or under certain contracts.

Neither the hospitals nor Meta said they had such contracts, and The Markup found no evidence that either the hospitals or Meta obtained explicit consent from patients.

“I’m so upset about what [the hospitals] are doing,” said David Holtzman, a health privacy consultant who previously served as a senior privacy advisor in the U.S. Department of Health and Human Services’ Office for Civil Rights, which enforces HIPAA. “I can’t say that [sharing this data] is definitely a violation of HIPAA. But this is most likely a HIPAA violation.”

University Hospitals Cleveland Medical Center spokesman George Stamatis did not respond to questions from The Markup, but did release a brief statement saying the hospital is in compliance with all applicable federal laws, regulatory requirements and policies.

“Following a review of The Markup’s results, Froedtert Hospital has removed the Meta Pixel from its website out of great caution,” hospital spokesperson Steve Shove wrote in a statement.

As of June 15, six other hospitals had also removed the pixel from their appointment-booking pages, and at least five of the seven health systems that had installed the Meta Pixel in their patient portals had removed it.

The 33 hospitals on which The Markup found the Meta Pixel sending Facebook details of patients’ appointments collectively reported more than 26 million admissions and outpatient visits in 2020, according to the latest available data from the American Hospital Association. The Markup’s survey was limited to just over 100 hospitals; the data sharing likely affects many more patients and facilities than The Markup could identify.

Facebook itself is not subject to HIPAA, but experts interviewed for this story expressed concerns about how the advertising giant uses the personal health data it collects for its own benefit.

“It’s a stark example of how the tentacles of big tech reach precisely into what we consider a protected data space,” said Nicholson Price, a University of Michigan law professor who studies big data and healthcare. “I think it’s scary, problematic, and potentially illegal from the hospitals’ perspective.”

The Markup was unable to determine whether Facebook was using the data for targeted advertising, for training its recommendation algorithms, or to profit in other ways.

Meta, the parent company of Facebook, did not respond to questions. Instead, spokesperson Dale Hogan sent a brief email restating the company’s policy on sensitive health data: “If Meta’s signal filtering systems detect that a business is sending sensitive health data from their app or website through their use of Meta Business Tools, which in some cases may occur by mistake, such sensitive data will be removed before it is stored in our advertising systems.”

Meta did not respond to follow-up questions, but Hogan appears to be referring to a system for filtering sensitive health information that the company launched in July 2020 in response to an article in the Wall Street Journal and an investigation by the New York Department of Financial Services. Meta told investigators that the filtering system “is not yet working with complete accuracy,” according to the department’s final report in February 2021.

The Markup was unable to confirm whether any of the data referenced in this story was actually deleted before it was stored by Meta. However, a recent joint investigation with Reveal found that Meta’s system for filtering sensitive health information did not block information about a reporter’s requested appointments with crisis pregnancy centers.

Internally, Facebook employees have been candid about how poorly the company controls sensitive data in general: “We do not have an adequate level of control and explainability over how our systems use data, and therefore we can’t confidently make policy-controlled changes or external commitments such as ‘we will not use X data for Y purpose,’” Facebook engineers on the advertising and commercial products team wrote in a privacy memo in 2021 that was leaked to the press.

Almost all patients will be shocked

The Meta Pixel is a snippet of code that tracks users as they navigate a website, recording the pages they visit, the buttons they click, and certain information they enter into forms. It is one of the most popular tracking tools on the Internet and is present on more than 30% of the most popular sites on the web, according to an analysis by The Markup.

In exchange for installing the pixel, Meta provides website owners with analytics about the ads they have placed on Facebook and Instagram, and tools to target people who have visited their website.

The Meta Pixel sends Facebook information through scripts that run in a person’s web browser, tagging each packet of data with an IP address that can be combined with other data to identify an individual or household.
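The Meta Pixel is, as the article says, a snippet of code in the page. The following is an added example (not The Markup’s or Meta’s code) of a small audit helper a hospital web team could run over its own page source to find the pixel loader, the events the page asks it to send, and the image fallback; the sample page fragment is constructed and PIXEL_ID_PLACEHOLDER is not a real pixel ID.

```javascript
// Added example: audit a page's HTML for Meta Pixel installation markers.
// Constructed input; PIXEL_ID_PLACEHOLDER stands in for a real pixel ID.
const PIXEL_LOADER = /connect\.facebook\.net\/[^"'\s]*fbevents\.js/i;
const NOSCRIPT_BEACON = /facebook\.com\/tr\?/i;
// Captures fbq('init' | 'track' | 'trackCustom', '<argument>') calls.
const FBQ_CALL = /fbq\(\s*['"](init|track|trackCustom)['"]\s*,\s*['"]([^'"]+)['"]/g;

function auditForMetaPixel(html) {
  const findings = {
    loaderPresent: PIXEL_LOADER.test(html),
    noscriptBeacon: NOSCRIPT_BEACON.test(html),
    calls: [],
  };
  for (const m of html.matchAll(FBQ_CALL)) {
    findings.calls.push({ method: m[1], arg: m[2] });
  }
  // Any event wired to a booking or portal action is a review item: the pixel
  // tags the request with the visitor's IP address, a HIPAA identifier.
  findings.reviewItems = findings.calls
    .filter((c) => c.method !== "init" && /appoint|schedul|book/i.test(c.arg))
    .map((c) => c.arg);
  return findings;
}

// Constructed page fragment in the shape of a typical pixel install, plus a
// booking button that fires a custom event when clicked.
const constructedPage = `
<script>
  !function(f,b,e,v,n,t,s){/* loader stub */}(window,document,'script',
    'https://connect.facebook.net/en_US/fbevents.js');
  fbq('init', 'PIXEL_ID_PLACEHOLDER');
  fbq('track', 'PageView');
</script>
<button onclick="fbq('trackCustom', 'ScheduleAppointment')">Schedule Appointment</button>
<noscript><img height="1" width="1"
  src="https://www.facebook.com/tr?id=PIXEL_ID_PLACEHOLDER&ev=PageView&noscript=1"/></noscript>
`;

console.log(JSON.stringify(auditForMetaPixel(constructedPage), null, 2));
```

Run over a real page, the `reviewItems` list is the set of events a privacy officer would need to justify under a business associate agreement or remove.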

HIPAA lists IP addresses as one of 18 identifiers that, when associated with information about a person’s health status, care, or payment, can qualify the data as Protected Health Information (PHI). Unlike anonymized or aggregated health data, hospitals can only share PHI with third parties under the strict terms of business associate agreements that limit how the data can be used.

Additionally, if a patient is logged into Facebook when visiting a hospital website where the Meta Pixel is installed, some browsers attach third-party cookies – another tracking mechanism – that allow Meta to associate the pixel data with specific Facebook accounts.

And in many cases, The Markup – using both dummy accounts created by its journalists and data from Mozilla Rally volunteers – found that the Meta Pixel made it even easier to identify patients.

When The Markup clicked the Finish Booking button on a doctor’s page at Scripps Memorial Hospital, the pixel sent Facebook not only the doctor’s name and field of medicine, but also the first and last name, email address, phone number, zip code, and city of residence that The Markup had entered in the booking form.

The Meta Pixel hashed those personal details – obscuring them with a cryptographic function – before sending them to Facebook. But this hashing does not prevent Facebook from using the data. In fact, Meta explicitly uses the hashed information to associate pixel data with Facebook profiles.

Using a free online tool, The Markup was also able to reverse most of the hashed test information that the pixel on the Scripps Memorial Hospital website had sent to Facebook.

Scripps Memorial did not respond to questions from The Markup, but did remove the Meta Pixel from the final pages of the appointment-booking process after receiving The Markup’s findings.

On other hospital websites, The Markup found the Meta Pixel collecting similarly intimate information about real patients.

When a real patient participating in the Pixel Hunt study logged into the MyChart portal of Piedmont Healthcare, a Georgia health system, the Meta Pixel installed there sent Facebook the patient’s name, their doctor’s name, and the time of their next appointment, according to data collected by the participant’s Mozilla Rally browser extension.

Source: The Markup

And you?

What do you make of this report?

See also:

Meta expects to raise approximately 50% of the revenue generated by creators in Horizon Worlds, and considers its virtual reality platform as part of its project to create the metaverse.
Meta, the parent company of Facebook, is no longer among the 10 most valuable companies. Meta lost $513 billion in market capitalization within a few months
Meta threatens to pull Facebook and Instagram from the European market if the group is no longer allowed to share European user data with the United States
