
SoylentNews is people

posted by hubie on Wednesday August 03 2022, @11:53PM
from the we-are-(again)-very-sorry-and-promise-to-do-better dept.

Facebook may have violated patient privacy laws:

Meta may have scooped up sensitive medical information without consent. The Verge reports that two proposed class-action lawsuits accuse the company and hospitals of violating HIPAA, the California Invasion of Privacy Act and other laws by collecting patient data without consent. Meta's Pixel analytic tracking tool allegedly sent health statuses, appointment details and other data to Facebook when it was present on patient portals.

In one lawsuit from last month, a patient said Pixel gathered data from the UC San Francisco and Dignity Health portals that was used to deliver ads related to heart and knee issues. The second lawsuit, from June, is broader and claims at least 664 providers shared medical info with Facebook through Pixel.

[...] They also follow a string of privacy-related US legal action against the social media giant. Meta is facing a DC Attorney General suit over Cambridge Analytica's collection of more than 70 million Americans' personal data. The company is also grappling with lawsuits over its deactivated facial recognition system, and only this year settled a 2012 class-action over the use of tracking cookies. These latest courtroom battles suggest that concerns about Meta's data gathering practices are far from over, even as the company makes its own efforts to crack down on misuse.

Previously: Facebook is Receiving Sensitive Medical Information From Hospital Websites – the Markup


Related Stories

Facebook is Receiving Sensitive Medical Information From Hospital Websites – The Markup

Experts say some hospitals' use of an ad tracking tool may violate a federal law protecting health information:

A tracking tool installed on many hospitals' websites has been collecting patients' sensitive health information—including details about their medical conditions, prescriptions, and doctor's appointments—and sending it to Facebook. The Markup tested the websites of Newsweek's top 100 hospitals in America. On 33 of them we found the tracker, called the Meta Pixel, sending Facebook a packet of data whenever a person clicked a button to schedule a doctor's appointment. The data is connected to an IP address—an identifier that's like a computer's mailing address and can generally be linked to a specific individual or household—creating an intimate receipt of the appointment request for Facebook.

[...] The Meta Pixel sends information to Facebook via scripts running in a person's internet browser, so each data packet comes labeled with an IP address that can be used in combination with other data to identify an individual or household.

HIPAA lists IP addresses as one of the 18 identifiers that, when linked to information about a person's health conditions, care, or payment, can qualify the data as protected health information. Unlike anonymized or aggregate health data, hospitals can't share protected health information with third parties except under the strict terms of business associate agreements that restrict how the data can be used.

In addition, if a patient is logged in to Facebook when they visit a hospital's website where a Meta Pixel is installed, some browsers will attach third-party cookies—another tracking mechanism—that allow Meta to link pixel data to specific Facebook accounts.
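The data flow The Markup describes (a script running in the visitor's browser that loads from a third party and reports back to it) is exactly what a portal's Content-Security-Policy header can stop before any packet leaves the browser. The following is an added example, not code from the article, The Markup or Meta: the portal origin and both policies are constructed, and the connect.facebook.net and www.facebook.com hostnames are assumed from the standard Pixel snippet rather than taken from the page.

```javascript
// Added example (not the article's, The Markup's or Meta's code): would a patient
// portal's Content-Security-Policy let a third-party script load and report to
// Facebook? Portal/policies are constructed; the facebook hostnames are the Pixel's.
// Minimal CSP matcher: 'self', 'none', '*', "https:", "*.host" wildcards, default-src fallback.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}
function sourceMatches(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source === '*') return true;
  if (source.startsWith("'")) return false;                 // 'none', nonces, hashes
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const host = source.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '')
    .split('/')[0].split(':')[0].toLowerCase();
  if (host.startsWith('*.')) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}

// True when the policy permits urlString under `directive`; falls back to default-src.
function allowedBy(cspHeader, directive, urlString, pageOrigin) {
  const csp = parseCsp(cspHeader);
  const sources = csp[directive] ?? csp['default-src'];
  if (!sources) return true;                                // nothing restricts it
  const url = new URL(urlString);
  return sources.some(s => sourceMatches(s, url, pageOrigin));
}

// Constructed portal origin and the requests a Pixel-style integration makes:
// load the tracker script, report events, and the <img> fallback for no-JS.
const PORTAL = 'https://portal.example-hospital.test';
const PIXEL_REQUESTS = [
  ['script-src',  'https://connect.facebook.net/en_US/fbevents.js'],
  ['connect-src', 'https://www.facebook.com/tr/'],
  ['img-src',     'https://www.facebook.com/tr?ev=PageView&noscript=1'],
];
const WEAK_CSP = "default-src 'self' https:";             // any HTTPS host allowed
const HARDENED_CSP = "default-src 'self'; script-src 'self'; " +
  "connect-src 'self' https://api.example-hospital.test; img-src 'self'";

// Pixel request URLs a policy would still let through (hardened policy: none).
function leaks(cspHeader) {
  return PIXEL_REQUESTS.filter(([d, u]) => allowedBy(cspHeader, d, u, PORTAL))
    .map(([, u]) => u);
}
console.log('weak:', leaks(WEAK_CSP), 'hardened:', leaks(HARDENED_CSP));
```

A policy such as the hardened one also blocks the third-party cookie path described above, since the browser never contacts facebook.com at all; it does nothing about data a portal chooses to send server-side.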

Meta Faces Mounting Questions From Congress on Health Data Privacy

Meta Faces Mounting Questions from Congress on Health Data Privacy As Hospitals Remove Facebook Tracker – The Markup:

Meta is facing mounting questions about its access to sensitive medical data following a Markup investigation that found the company's pixel tracking tool collecting details about patients' doctor's appointments, prescriptions, and health conditions on hospital websites.

During a Senate Homeland Security and Governmental Affairs Committee hearing on Wednesday, Sen. Jon Ossoff (D-GA) requested that Meta—the parent company of Facebook and Instagram—provide a "comprehensive and precise" accounting of the medical information it keeps on users.

[...] In response to Ossoff's question about whether Meta has medical or health care data about its users, Meta chief product officer Chris Cox responded, "Not to my knowledge." Cox also promised to follow up with a written response to the committee.

[...] "Advertisers should not send sensitive information about people through our Business Tools," Meta spokesperson Dale Hogan wrote to The Markup in an emailed statement. "Doing so is against our policies and we educate advertisers on properly setting up Business tools to prevent this from occurring. Our system is designed to filter out potentially sensitive data it is able to detect."

Meanwhile, developments in another legal case suggest Meta may have a hard time providing the Senate committee with a complete account of the sensitive health data it holds on users.

CVS, Rite Aid, Walgreens Hand Out Medical Records to Cops Without Warrants

Lawmakers want HHS to revise health privacy law to require warrants:

All of the big pharmacy chains in the US hand over sensitive medical records to law enforcement without a warrant—and some will do so without even running the requests by a legal professional, according to a congressional investigation.

The revelation raises grave medical privacy concerns, particularly in a post-Dobbs era in which many states are working to criminalize reproductive health care. Even if people in states with restrictive laws cross state lines for care, pharmacists in massive chains, such as CVS, can access records across borders.

Lawmakers noted the pharmacies' policies for releasing medical records in a letter dated Tuesday to the Department of Health and Human Services (HHS) Secretary Xavier Becerra. The letter—signed by Sen. Ron Wyden (D-Ore.), Rep. Pramila Jayapal (D-Wash.), and Rep. Sara Jacobs (D-Calif.)—said their investigation pulled information from briefings with eight big prescription drug suppliers.

All eight of the pharmacies said they do not require law enforcement to have a warrant prior to sharing private and sensitive medical records, which can include the prescription drugs a person used or uses and their medical conditions. Instead, all the pharmacies hand over such information with nothing more than a subpoena, which can be issued by government agencies and does not require review or approval by a judge.

[...] For now, HIPAA regulations grant patients the right to know who is accessing their health records. But, to do so, patients have to specifically request that information—and almost no one does that. "Last year, CVS Health, the largest pharmacy in the nation by total prescription revenue, only received a single-digit number of such consumer requests," the lawmakers noted.

"The average American is likely unaware that this is even a problem," the lawmakers said.

Originally spotted on Schneier on Security.


This discussion was created by hubie (1068) for logged-in users only, but now has been archived. No new comments can be posted.
  • (Score: 5, Interesting) by Runaway1956 on Thursday August 04 2022, @12:38AM (2 children)

    by Runaway1956 (2926) Subscriber Badge on Thursday August 04 2022, @12:38AM (#1264863) Journal

    Intentionally violating HIPAA regulations? This doesn't warrant a 5 million dollar fine. It doesn't warrant a 50 million dollar fine. Let's jump two more orders of magnitude, and start considerations at 5 billion dollars. I'll entertain the idea of bumping that up to 50 billion. Congress needs to get involved, hold another hearing or six, and get in on burning everyone, including Zuck, all executives who have ever touched the medical data collection, and the company. Name and shame everyone, and punish them like rented mules. Then pass laws that will make my 50 billion dollar fine suggestion above look like child's play.

    Just fucking BURN THEM!

    • (Score: 4, Insightful) by Anonymous Coward on Thursday August 04 2022, @05:22AM

      by Anonymous Coward on Thursday August 04 2022, @05:22AM (#1264880)

      Nah, five million dollars is about right. Per count. At about a hundred million counts, that's $5 trillion. Facebook or Meta or whatever the hell they call themselves, and Zuck and his cronies should be thrown into the lake of fire where they belong. They are fucking Babylon the Great, and profit by trading people's souls.

    • (Score: 4, Funny) by Opportunist on Thursday August 04 2022, @06:57AM

      by Opportunist (5545) on Thursday August 04 2022, @06:57AM (#1264884)

      They could crucify Zuck and put it on Twitch to recover the cost.

      I'm fairly sure people would want to pay good money to see that.

  • (Score: 3, Insightful) by Barenflimski on Thursday August 04 2022, @05:23AM (3 children)

    by Barenflimski (6836) on Thursday August 04 2022, @05:23AM (#1264881)

    Fuck Meta.
    Fuck Zuck.

    The only thing any of these data brokers are good at, is screwing you.

    • (Score: 2) by NotSanguine on Thursday August 04 2022, @08:16AM (1 child)

      The only thing any of these data brokers are good at, is screwing you.

      And it will be the best 16 seconds of your life -- every time.

      --
      No, no, you're not thinking; you're just being logical. --Niels Bohr
      • (Score: 2) by DannyB on Thursday August 04 2022, @02:34PM

        by DannyB (5839) Subscriber Badge on Thursday August 04 2022, @02:34PM (#1264918) Journal

        As they strive for ever greater performance and efficiency, I'm confident they will improve upon their 16 second time.

        --
        To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
    • (Score: 2) by bmimatt on Thursday August 04 2022, @09:22PM

      by bmimatt (5050) on Thursday August 04 2022, @09:22PM (#1264979)

      I suppose it's safe to assume here, that the 'pixel' (javascript) is reading all form data and possibly other DOM elements. Could it just grab the whole DOM? Probably. Likely. Certainly, since it's Zuckface's 'product'.

  • (Score: 5, Interesting) by mth on Thursday August 04 2022, @09:29AM (3 children)

    by mth (2848) on Thursday August 04 2022, @09:29AM (#1264898) Homepage

    This is wrong on so many levels.

    My first reaction was that it's the hospital's fault for having a tracking pixel on their site in the first place. They are supposed to handle their patients' data carefully and sending any kind of patient data to Meta conflicts with that. I still think they're the main culprit here.

    Reading the articles, it seems though that Meta was aware of sensitive data being sent their way and instead of telling the hospitals to stop doing that and discarding all data sent by the hospitals, they implemented a filter which doesn't actually guarantee that no sensitive data is stored but gives them a way to pretend that they care. I hope the judge will see through that.

    Then I wondered how the tracking pixel got on the hospital portals. Apparently it was part of an ad integration, but why are hospitals running ads on their patient portals? The heavy commercialization of health care looks like an underlying cause, a pre-existing condition if you will.

    • (Score: 2) by DannyB on Thursday August 04 2022, @02:37PM (2 children)

      by DannyB (5839) Subscriber Badge on Thursday August 04 2022, @02:37PM (#1264920) Journal

      To avoid conflict of interest do not allow medical advice, doctors or drugs to be advertised on hospital portals.

      Problem fixed.

      Now ads on hospital portals will look like:

      Have you been injured in an accident? Do you need help in recovering damages you are owed by the party who caused you harm?

      --
      To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
      • (Score: 0) by Anonymous Coward on Thursday August 04 2022, @08:43PM (1 child)

        by Anonymous Coward on Thursday August 04 2022, @08:43PM (#1264967)

        Hey, you saw the same ad I did from the law firm of Dewey, Cheatum, and Howe!

        • (Score: 2) by jb on Friday August 05 2022, @04:26AM

          by jb (338) on Friday August 05 2022, @04:26AM (#1265037)

          Hey, you saw the same ad I did from the law firm of Dewey, Cheatum, and Howe!

          Must have had a change of partners recently then. I seem to recall the firm as Billem, Cheatham & Lye.
