Meta Plugin Nabs Sensitive Data from Healthcare Websites

July 11, 2022

Never one to let privacy concerns stand in its way, Meta (formerly known as Facebook) has apparently been using its Meta Pixel plugin to collect some of the most delicate data from its healthcare clients. The Markup investigated the matter and shares the results in, “Facebook Is Receiving Sensitive Medical Information from Hospital Websites.” Reporters Todd Feathers, Simon Fondrie-Teitler, Angie Waller, and Surya Mattu tell us:

“A tracking tool installed on many hospitals’ websites has been collecting patients’ sensitive health information—including details about their medical conditions, prescriptions, and doctor’s appointments—and sending it to Facebook. The Markup tested the websites of Newsweek’s top 100 hospitals in America. On 33 of them we found the tracker, called the Meta Pixel, sending Facebook a packet of data whenever a person clicked a button to schedule a doctor’s appointment. The data is connected to an IP address—an identifier that’s like a computer’s mailing address and can generally be linked to a specific individual or household—creating an intimate receipt of the appointment request for Facebook.”

The investigation also found Meta Pixel installed on seven health systems’ patient portals, five of which they documented sending real, password-“protected” patient data straight to Facebook. The detailed article shares some examples of data they caught Pixel collecting and several requisite CYA statements from hospitals and Meta itself. It also explains why hashing is an inadequate, and even duplicitous, privacy measure.

Though Meta-book is not subject to HIPAA regulations, hospitals and healthcare systems certainly are. The authors report:

“Former regulators, health data security experts, and privacy advocates who reviewed The Markup’s findings said the hospitals in question may have violated the federal Health Insurance Portability and Accountability Act (HIPAA). The law prohibits covered entities like hospitals from sharing personally identifiable health information with third parties like Facebook, except when an individual has expressly consented in advance or under certain contracts. Neither the hospitals nor Meta said they had such contracts in place, and The Markup found no evidence that the hospitals or Meta were otherwise obtaining patients’ express consent.”

The authors are unsure how Meta is using this ill-gotten data, observing it could be for advertising, algorithm-training, or other profitable purposes. For its part, the company points to its health information filtering system that is supposed to block such sensitive data from its own grasp. Though, even it admits, that filter is “not yet operating with complete accuracy.” You don’t say. To their credit, several hospitals and health systems removed the plugin once the Markup showed them its findings. So some entities value patient privacy, or at least respect the threat of HIPAA-related prosecution. And it seems other enterprises never will.

Cynthia Murrell, July 11, 2022

Written by Stephen E. Arnold · Filed Under Business strategy, Facebook, News

Comments

Comments are closed.

Search the site
Subscribe to Beyond Search
Feature archive
News archive

Stephen E. Arnold monitors search, content processing, text mining and related topics from his high-tech nerve center in rural Kentucky. He tries to winnow the goose feathers from the giblets. He works with colleagues worldwide to make this Web log useful to those who want to go "beyond search". Contact him at sa [at] arnoldit.com. His Web site with additional information about search is arnoldit.com.