Facebook is receiving sensitive medical information from hospital websites


A monitoring tool installed on the websites of many hospitals collected sensitive health information from patients, including details about their medical conditions, prescriptions, and doctor’s appointments, and sent it to Facebook.

The Markup tested the websites of Newsweek’s 100 Best Hospitals in America. On 33 of them we found the tracker, called Meta Pixel, which sent a packet of data to Facebook every time a person clicked a button to make a doctor’s appointment. The data is linked to an IP address, an identifier akin to a computer’s mailing address, which can generally be tied to a specific individual or household, creating an intimate receipt of the appointment request for Facebook.

On the University Hospitals Cleveland Medical Center website, for example, clicking the “Schedule Online” button on a doctor’s page caused the Meta Pixel to send Facebook the text of the button, the doctor’s name, and the search term we had used to find the doctor: “pregnancy termination.”

Clicking the “Schedule Online Now” button for a doctor on the website of Froedtert Hospital in Wisconsin prompted the Meta Pixel to send Facebook the text of the button, the doctor’s name, and the condition we had selected from a drop-down menu: “Alzheimer’s.”

The Markup also found the Meta Pixel installed inside the password-protected patient portals of seven health systems. On five of those systems’ portals, we documented the pixel sending Facebook data about real patients who had volunteered to take part in the Pixel Hunt project, a collaboration between The Markup and Mozilla Rally. The project is a crowdsourcing effort in which anyone can install Mozilla’s Rally browser add-on to send The Markup data on the Meta Pixel as it appears on the sites they visit. That data included patients’ medication names, descriptions of their allergic reactions, and details about their upcoming doctor’s appointments.
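The collection path described above (a beacon to Facebook fired on a button click, carrying the button text, the selected form value and the page URL with its search term, or fired from inside a patient portal) is something a hospital’s security team can audit from a browser’s captured network requests. The Python below is an added example, not The Markup’s or Mozilla Rally’s tooling; the request URLs are constructed, and the parameter names `ev`, `dl` and `cd[...]` are assumed to match the pixel’s beacon format.

```python
"""Audit captured outbound request URLs for Meta Pixel beacons that carry page data.

Input is a list of request URLs as found in a browser HAR export. The sample
below is constructed for illustration; the pixel ID and hostnames are placeholders.
"""
from urllib.parse import urlparse, parse_qs

PIXEL_HOSTS = {"www.facebook.com", "facebook.com"}
PIXEL_PATH = "/tr"

SAMPLE_REQUESTS = [  # constructed, not captured traffic
    "https://www.facebook.com/tr/?id=000000000000000&ev=PageView"
    "&dl=https%3A%2F%2Fhospital.example%2Fhome",
    "https://www.facebook.com/tr/?id=000000000000000&ev=SubscribedButtonClick"
    "&dl=https%3A%2F%2Fhospital.example%2Fdoctors%2Fsearch%3Fq%3DAlzheimer%2527s"
    "&cd%5BbuttonText%5D=Schedule%20Online%20Now&cd%5BformData%5D=condition%3DAlzheimer%27s",
    "https://www.facebook.com/tr/?id=000000000000000&ev=PageView"
    "&dl=https%3A%2F%2Fhospital.example%2Fmychart%2Fmedications",
    "https://cdn.hospital.example/static/app.js",
]


def pixel_beacons(urls):
    """Return one dict per pixel beacon: event name, originating page, custom data (cd[...])."""
    beacons = []
    for url in urls:
        u = urlparse(url)
        if u.hostname not in PIXEL_HOSTS or not u.path.rstrip("/").endswith(PIXEL_PATH):
            continue
        q = parse_qs(u.query)  # percent-decodes keys, so cd%5BbuttonText%5D -> cd[buttonText]
        custom = {k[3:-1]: v[0] for k, v in q.items() if k.startswith("cd[") and k.endswith("]")}
        beacons.append({"event": q.get("ev", [""])[0], "page": q.get("dl", [""])[0], "custom": custom})
    return beacons


def audit(urls, portal_prefixes=("/mychart", "/patient-portal")):
    """Flag beacons fired from a portal path, carrying button/form text, or forwarding a search query."""
    flagged = []
    for b in pixel_beacons(urls):
        page = urlparse(b["page"])
        reasons = []
        if page.path.startswith(portal_prefixes):
            reasons.append("fired from authenticated portal path " + page.path)
        for key in ("buttonText", "formData"):  # assumed pixel custom-data keys
            if key in b["custom"]:
                reasons.append(f"{key}={b['custom'][key]!r} sent to Facebook")
        if page.query:
            reasons.append("page URL query string forwarded: " + page.query)
        if reasons:
            flagged.append((b, reasons))
    return flagged
```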

Former regulators, health data security experts, and privacy advocates who reviewed The Markup’s findings said the hospitals in question may have violated the federal Health Insurance Portability and Accountability Act (HIPAA). The law prohibits covered entities such as hospitals from sharing personally identifiable health information with third parties such as Facebook, except when an individual has expressly consented in advance or under certain contracts.

Neither the hospitals nor Meta claimed to have such contracts in place, and The Markup found no evidence that the hospitals or Meta were otherwise obtaining explicit consent from patients.

“I am deeply troubled by what [the hospitals] are doing with the capture of their data and the sharing of it,” said David Holtzman, a health privacy consultant who previously worked as a senior privacy consultant in the Office for Civil Rights of the US Department of Health and Human Services, which enforces HIPAA. “I can’t say [sharing this data] is definitely a HIPAA violation. It is quite likely a HIPAA violation.”

University Hospitals Cleveland Medical Center spokesman George Stamatis did not answer questions from The Markup, but said in a brief statement that the hospital “compl[ies] with all applicable federal and state laws and regulatory requirements.”

After reviewing The Markup’s findings, Froedtert Hospital removed the Meta Pixel from its website “out of an abundance of caution,” Steve Schooff, a hospital spokesman, wrote in a statement.

As of June 15, six other hospitals had also removed the pixel from their appointment-booking pages, and at least five of the seven health systems that had installed the Meta Pixel on their patient portals had removed those pixels.

According to the most recent data available from the American Hospital Association, the 33 hospitals The Markup found sending patient appointment details to Facebook collectively reported more than 26 million patient admissions and outpatient visits in 2020. Our survey was limited to just over 100 hospitals; the data sharing likely affects far more patients and institutions than we identified.

Facebook itself is not subject to HIPAA, but the experts interviewed for this story expressed concern about how the advertising giant might be using the personal health data it is collecting for its own profit.

“This is an extreme example of how Big Tech’s tentacles reach out to exactly what we consider a secure data space,” said Nicholson Price, a University of Michigan law professor who studies big data and healthcare. “I think this is disturbing, problematic and potentially illegal” from the perspective of the hospitals.

The Markup was unable to determine whether Facebook used the data to target advertisements, train its recommendation algorithms, or profit in other ways.