Meta Plugin Nabs Sensitive Data from Healthcare Websites
July 11, 2022
Never one to let privacy concerns stand in its way, Meta (formerly known as Facebook) has apparently been using its Meta Pixel plugin to collect some of the most delicate data from its healthcare clients. The Markup investigated the matter and shares the results in, “Facebook Is Receiving Sensitive Medical Information from Hospital Websites.” Reporters Todd Feathers, Simon Fondrie-Teitler, Angie Waller, and Surya Mattu tell us:
“A tracking tool installed on many hospitals’ websites has been collecting patients’ sensitive health information—including details about their medical conditions, prescriptions, and doctor’s appointments—and sending it to Facebook. The Markup tested the websites of Newsweek’s top 100 hospitals in America. On 33 of them we found the tracker, called the Meta Pixel, sending Facebook a packet of data whenever a person clicked a button to schedule a doctor’s appointment. The data is connected to an IP address—an identifier that’s like a computer’s mailing address and can generally be linked to a specific individual or household—creating an intimate receipt of the appointment request for Facebook.”
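A site owner or compliance reviewer can check for the pattern described above without any network traffic at all, because the Meta Pixel install snippet is recognisable in page source: it loads `fbevents.js` from `connect.facebook.net`, calls `fbq('init', ...)` with the pixel id, fires `fbq('track', ...)` events, and carries a `<noscript>` fallback image under `facebook.com/tr`. The following Python audit is an added example, not code from The Markup or from Meta; the sample page, the all-zero pixel id and the `Schedule` event name are constructed placeholders.

```python
import re

# Constructed sample: a mock appointment-scheduling page that embeds the standard
# Meta Pixel loader. The pixel id is a placeholder, not a real id.
SAMPLE_HTML = """<html><head>
<script>
!function(f,b,e,v,n,t,s){/* loader body omitted */}(window,document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000000');
fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" style="display:none"
src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>
</head><body>
<button id="schedule">Schedule appointment</button>
<script>
document.getElementById('schedule').addEventListener('click', function () {
  fbq('track', 'Schedule', {condition: 'example'});
});
</script>
</body></html>"""

# Constructed control page with no tracker at all.
CLEAN_HTML = "<html><head></head><body><button>Schedule</button></body></html>"

# Indicators taken from Meta's documented install snippet: the fbevents.js loader,
# fbq('init', '<id>'), fbq('track'/'trackCustom', '<event>'), and the noscript image.
PIXEL_LOADER = re.compile(r"connect\.facebook\.net/[\w-]+/fbevents\.js")
PIXEL_INIT = re.compile(r"fbq\(\s*['\"]init['\"]\s*,\s*['\"](\d+)['\"]")
PIXEL_TRACK = re.compile(r"fbq\(\s*['\"](?:track|trackCustom)['\"]\s*,\s*['\"]([^'\"]+)['\"]")
PIXEL_NOSCRIPT = re.compile(r"facebook\.com/tr\?[^\"']*\bid=(\d+)")


def audit_meta_pixel(html: str) -> dict:
    """Report which Meta Pixel artefacts a page embeds, for a privacy/HIPAA review.

    Any event beyond PageView (here one bound to the scheduling button) is the
    pattern The Markup describes: a click on a health-related action sends an
    event to Facebook, so such pages should be escalated for review.
    """
    pixel_ids = set(PIXEL_INIT.findall(html)) | set(PIXEL_NOSCRIPT.findall(html))
    return {
        "loader_present": bool(PIXEL_LOADER.search(html)),
        "pixel_ids": sorted(pixel_ids),
        "events": PIXEL_TRACK.findall(html),
    }


if __name__ == "__main__":
    for name, page in (("sample", SAMPLE_HTML), ("clean", CLEAN_HTML)):
        print(name, audit_meta_pixel(page))
```

Run it over saved copies of the pages a patient actually uses (scheduling, portal login, symptom search), not just the home page; the tracker is only harmful where the events it fires carry health context. A static scan finds the snippet but not tag-manager injections, so pair it with a browser-side check of outbound requests to `facebook.com/tr` if the site uses a tag manager.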
The investigation also found Meta Pixel installed on seven health systems’ patient portals, five of which they documented sending real, password-“protected” patient data straight to Facebook. The detailed article shares some examples of data they caught Pixel collecting and several requisite CYA statements from hospitals and Meta itself. It also explains why hashing is an inadequate, and even duplicitous, privacy measure.
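The hashing point deserves a concrete illustration. Hashing an identifier before sending it only hides it from someone who does not already hold the same identifier; a platform with its own account directory simply hashes that directory the same way and joins. The Python below is an added example, not code from The Markup or from Meta; the e-mail addresses, account ids and event records are constructed. It also shows the contrast a practitioner would want: a keyed hash (HMAC with a secret the receiver does not have) breaks the join, although it still lets one sender link a person's events to each other.

```python
import hashlib
import hmac


def hash_identifier(email: str) -> str:
    """Normalise and SHA-256 an e-mail the way 'hashed matching' schemes do.

    The trim-and-lowercase step is what makes the hash identical across senders;
    that stability is exactly what defeats its use as an anonymisation measure.
    """
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def keyed_hash_identifier(email: str, secret: bytes) -> str:
    """Same normalisation, but keyed with a secret the receiver never sees."""
    data = email.strip().lower().encode("utf-8")
    return hmac.new(secret, data, hashlib.sha256).hexdigest()


# Constructed data: what a hospital's page might hash and emit on a button click.
HOSPITAL_EVENTS = [
    {"hashed_email": hash_identifier("Alice.Example@example.com"),
     "event": "ScheduleAppointment", "page": "/cardiology/schedule"},
    {"hashed_email": hash_identifier("bob@example.net"),
     "event": "ScheduleAppointment", "page": "/oncology/schedule"},
    {"hashed_email": hash_identifier("nobody@example.org"),
     "event": "PageView", "page": "/about"},
]

# Constructed data: the receiving platform's own account directory.
PLATFORM_ACCOUNTS = {
    "alice.example@example.com": "user-1001",
    "bob@example.net": "user-1002",
    "carol@example.com": "user-1003",
}


def reidentify(events, accounts, hasher=hash_identifier):
    """Join hashed events back to accounts by hashing the directory the same way."""
    lookup = {hasher(addr): uid for addr, uid in accounts.items()}
    return [
        {"user": lookup[ev["hashed_email"]], "event": ev["event"], "page": ev["page"]}
        for ev in events
        if ev["hashed_email"] in lookup
    ]


def hash_is_stable_across_sites() -> bool:
    """Two unrelated senders hashing the same address get the same token, so their
    events can be linked to one person even without re-identification."""
    return hash_identifier("Bob@Example.net ") == hash_identifier("bob@example.net")


def keyed_hash_defeats_join() -> bool:
    """With a sender-held secret, the receiver's directory hashes no longer match."""
    secret = b"constructed-sender-secret"  # hypothetical; would be a real random key
    keyed_events = [
        {"hashed_email": keyed_hash_identifier("alice.example@example.com", secret),
         "event": "ScheduleAppointment", "page": "/cardiology/schedule"},
    ]
    return reidentify(keyed_events, PLATFORM_ACCOUNTS) == []


if __name__ == "__main__":
    for row in reidentify(HOSPITAL_EVENTS, PLATFORM_ACCOUNTS):
        print(row)
    print("stable across sites:", hash_is_stable_across_sites())
    print("keyed hash defeats join:", keyed_hash_defeats_join())
```

The lesson for a covered entity is that a hashed identifier is a pseudonym, not an anonymisation: the real control is not sending the event at all, or sending nothing that a third party can join against data it already holds.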
Though Meta-book is not subject to HIPAA regulations, hospitals and healthcare systems certainly are. The authors report:
“Former regulators, health data security experts, and privacy advocates who reviewed The Markup’s findings said the hospitals in question may have violated the federal Health Insurance Portability and Accountability Act (HIPAA). The law prohibits covered entities like hospitals from sharing personally identifiable health information with third parties like Facebook, except when an individual has expressly consented in advance or under certain contracts. Neither the hospitals nor Meta said they had such contracts in place, and The Markup found no evidence that the hospitals or Meta were otherwise obtaining patients’ express consent.”
The authors are unsure how Meta is using this ill-gotten data, observing it could be for advertising, algorithm training, or other profitable purposes. For its part, the company points to its health information filtering system that is supposed to block such sensitive data from its own grasp. Though even Meta admits the filter is “not yet operating with complete accuracy.” You don’t say. To their credit, several hospitals and health systems removed the plugin once The Markup showed them its findings. So some entities value patient privacy, or at least respect the threat of HIPAA-related prosecution. And it seems other enterprises never will.
Cynthia Murrell, July 11, 2022