from the Mark-Zuckerberg,-M.D. dept.
A tracking tool installed on many hospitals' websites has been collecting patients' sensitive health information—including details about their medical conditions, prescriptions, and doctor's appointments—and sending it to Facebook. The Markup tested the websites of Newsweek's top 100 hospitals in America. On 33 of them we found the tracker, called the Meta Pixel, sending Facebook a packet of data whenever a person clicked a button to schedule a doctor's appointment. The data is connected to an IP address—an identifier that's like a computer's mailing address and can generally be linked to a specific individual or household—creating an intimate receipt of the appointment request for Facebook.
[...] The Meta Pixel sends information to Facebook via scripts running in a person's internet browser, so each data packet comes labeled with an IP address that can be used in combination with other data to identify an individual or household.
HIPAA lists IP addresses as one of the 18 identifiers that, when linked to information about a person's health conditions, care, or payment, can qualify the data as protected health information. Unlike anonymized or aggregate health data, hospitals can't share protected health information with third parties except under the strict terms of business associate agreements that restrict how the data can be used.
In addition, if a patient is logged in to Facebook when they visit a hospital's website where a Meta Pixel is installed, some browsers will attach third-party cookies—another tracking mechanism—that allow Meta to link pixel data to specific Facebook accounts.
[...] Houston Methodist Hospital, in Texas, was the only institution to provide detailed responses to The Markup's questions. The hospital began using the pixel in 2017, spokesperson Stefanie Asin wrote, and is "confident" in Facebook's safeguards and that the data being shared isn't protected health information.
[...] Asin added that Houston Methodist believes Facebook "uses tools to detect and reject any health information, providing a barrier that prevents passage of [protected health information]."
[...] "The evil genius of Facebook's system is they create this little piece of code that does the snooping for them and then they just put it out into the universe and Facebook can try to claim plausible deniability," said Alan Butler, executive director of the Electronic Privacy Information Center. "The fact that this is out there in the wild on the websites of hospitals is evidence of how broken the rules are."
Meta may have scooped up sensitive medical information without consent. The Verge reports that two proposed class-action lawsuits accuse the company and hospitals of violating HIPAA, the California Invasion of Privacy Act and other laws by collecting patient data without consent. Meta's Pixel analytic tracking tool allegedly sent health statuses, appointment details and other data to Facebook when it was present on patient portals.
In one lawsuit from last month, a patient said Pixel gathered data from the UC San Francisco and Dignity Health portals that was used to deliver ads related to heart and knee issues. The second lawsuit, from June, is broader and claims at least 664 providers shared medical info with Facebook through Pixel.
[...] They also follow a string of privacy-related US legal action against the social media giant. Meta is facing a DC Attorney General suit over Cambridge Analytica's collection of more than 70 million Americans' personal data. The company is also grappling with lawsuits over its deactivated facial recognition system, and only this year settled a 2012 class-action over the use of tracking cookies. These latest courtroom battles suggest that concerns about Meta's data gathering practices are far from over, even as the company makes its own efforts to crack down on misuse.
Meta is facing mounting questions about its access to sensitive medical data following a Markup investigation that found the company's pixel tracking tool collecting details about patients' doctor's appointments, prescriptions, and health conditions on hospital websites.
During a Senate Homeland Security and Governmental Affairs Committee hearing on Wednesday, Sen. Jon Ossoff (D-GA) requested that Meta—the parent company of Facebook and Instagram—provide a "comprehensive and precise" accounting of the medical information it keeps on users.
[...] In response to Ossoff's question about whether Meta has medical or health care data about its users, Meta chief product officer Chris Cox responded, "Not to my knowledge." Cox also promised to follow up with a written response to the committee.
[...] "Advertisers should not send sensitive information about people through our Business Tools," Meta spokesperson Dale Hogan wrote to The Markup in an emailed statement. "Doing so is against our policies and we educate advertisers on properly setting up Business tools to prevent this from occurring. Our system is designed to filter out potentially sensitive data it is able to detect."
Meanwhile, developments in another legal case suggest Meta may have a hard time providing the Senate committee with a complete account of the sensitive health data it holds on users.