SoylentNews is people

posted by hubie on Monday June 20 2022, @06:08PM
from the Mark-Zuckerberg,-M.D. dept.

Experts say some hospitals' use of an ad tracking tool may violate a federal law protecting health information:

A tracking tool installed on many hospitals' websites has been collecting patients' sensitive health information—including details about their medical conditions, prescriptions, and doctor's appointments—and sending it to Facebook. The Markup tested the websites of Newsweek's top 100 hospitals in America. On 33 of them we found the tracker, called the Meta Pixel, sending Facebook a packet of data whenever a person clicked a button to schedule a doctor's appointment. The data is connected to an IP address—an identifier that's like a computer's mailing address and can generally be linked to a specific individual or household—creating an intimate receipt of the appointment request for Facebook.

[...] The Meta Pixel sends information to Facebook via scripts running in a person's internet browser, so each data packet comes labeled with an IP address that can be used in combination with other data to identify an individual or household.

HIPAA lists IP addresses as one of the 18 identifiers that, when linked to information about a person's health conditions, care, or payment, can qualify the data as protected health information. Unlike anonymized or aggregate health data, hospitals can't share protected health information with third parties except under the strict terms of business associate agreements that restrict how the data can be used.

In addition, if a patient is logged in to Facebook when they visit a hospital's website where a Meta Pixel is installed, some browsers will attach third-party cookies—another tracking mechanism—that allow Meta to link pixel data to specific Facebook accounts.

[...] Houston Methodist Hospital, in Texas, was the only institution to provide detailed responses to The Markup's questions. The hospital began using the pixel in 2017, spokesperson Stefanie Asin wrote, and is "confident" in Facebook's safeguards and that the data being shared isn't protected health information.

[...] Asin added that Houston Methodist believes Facebook "uses tools to detect and reject any health information, providing a barrier that prevents passage of [protected health information]."

[...] "The evil genius of Facebook's system is they create this little piece of code that does the snooping for them and then they just put it out into the universe and Facebook can try to claim plausible deniability," said Alan Butler, executive director of the Electronic Privacy Information Center. "The fact that this is out there in the wild on the websites of hospitals is evidence of how broken the rules are."


  • (Score: 5, Insightful) by Nofsck Ingcloo on Monday June 20 2022, @07:58PM (12 children)

    by Nofsck Ingcloo (5242) on Monday June 20 2022, @07:58PM (#1254719)

    What the hell is a hospital doing with trackers on its site? Somebody needs to be strung up by their heels for this.

    --
    1984 was not written as an instruction manual.
  • (Score: 3, Touché) by Rosco P. Coltrane on Monday June 20 2022, @08:09PM (9 children)

    by Rosco P. Coltrane (4757) on Monday June 20 2022, @08:09PM (#1254723)

    Haven't you heard? Health is for-profit in the US.

    • (Score: 4, Interesting) by looorg on Monday June 20 2022, @08:19PM (5 children)

      by looorg (578) on Monday June 20 2022, @08:19PM (#1254726)

      So do US hospitals serve ads on their webpages? After all they do apparently need to monetize all their customers to get the maximum $ out of everyone. Do you get a discount if you watch a few ads for medication that the doctors can prescribe to you later?

      Anyhow. That said even here over in Socialist-"free-healthcare"-Europe hospitals and private practice medical providers have fallen into the same traps...

      https://www.dataguidance.com/news/sweden-imy-launches-investigation-kry-data-breach [dataguidance.com]
      https://sverigesradio.se/artikel/kry-lanserade-saker-tjanst-lackte-till-facebook [sverigesradio.se]
      https://www.tellerreport.com/news/2022-05-27-the-kry-connect-healthcare-service-leaked-personal-data-to-facebook.B14evaCpD5.html [tellerreport.com]

      I guess it's the backside of when you try to turn visits to the doctor into an APP service in your phone ...

      • (Score: 3, Interesting) by Rosco P. Coltrane on Monday June 20 2022, @08:24PM (3 children)

        by Rosco P. Coltrane (4757) on Monday June 20 2022, @08:24PM (#1254730)

        Well you ain't half wrong there: if you use an app on your phone to do anything health-related, Google or Apple probably know everything there is to know about your condition anyway.

        • (Score: 2) by FatPhil on Tuesday June 21 2022, @05:47AM (1 child)

          by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Tuesday June 21 2022, @05:47AM (#1254825) Homepage
          You seem butthurt - do you need some cream [click here] ?
          --
          Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
          • (Score: 2) by Freeman on Tuesday June 21 2022, @03:24PM

            by Freeman (732) on Tuesday June 21 2022, @03:24PM (#1254922) Journal

            Engorge!

            --
            Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
        • (Score: 2) by choose another one on Tuesday June 21 2022, @11:24AM

          by choose another one (515) Subscriber Badge on Tuesday June 21 2022, @11:24AM (#1254857)

          "Probably know" - really?

          Facebook's ad algorithm clearly knew about my wife's cancer before we'd even told half the family (and we never posted about it on social media - she's in so many groups and has so many "friends" we couldn't have handled the incoming, house looked like a florists within a week just on word of mouth). Took it maybe a week or two to narrow it down from general cancer stuff to obviously having identified type of cancer and that it was family/partner who was diagnosed.

      • (Score: 2) by Spamalope on Tuesday June 21 2022, @01:50AM

        by Spamalope (5233) on Tuesday June 21 2022, @01:50AM (#1254797) Homepage

        Want to see the directory of doctors that take your insurance? Behind a script that verifies no privacy measures or it errors out.
        Lab results?
        Appointment scheduling?
        Prescription refills?
        I've got an air gapped PC just for that now. I'm shocked they don't just go ahead and require a social media login to access your medical info.

    • (Score: 2) by PiMuNu on Tuesday June 21 2022, @09:50AM (2 children)

      by PiMuNu (3823) on Tuesday June 21 2022, @09:50AM (#1254850)

      NHS is also guilty here in UK. Indeed we are also selling our personal medical data to Palantir, an evil data analytics firm.

      (Palantir: seeing stone used to drive Denethor to madness, attempted filicide and eventual suicide. Who chose that name?)

      • (Score: 3, Insightful) by choose another one on Tuesday June 21 2022, @11:29AM

        by choose another one (515) Subscriber Badge on Tuesday June 21 2022, @11:29AM (#1254859)

        "Who chose that name"

        The one algorithm that binds them in the darkness.

      • (Score: 0) by Anonymous Coward on Tuesday June 21 2022, @02:12PM

        by Anonymous Coward on Tuesday June 21 2022, @02:12PM (#1254891)

        I was at their office once and interviewed for a position and while small talking I asked who the big Lord of the Rings fan was. They didn't even understand the question. The HR drones looked confused and the tech staff didn't understand it either. So I guess most of the people there don't even know what or where the name comes from. Best guess? Peter Thiel?

  • (Score: 2) by arslan on Tuesday June 21 2022, @01:30AM (1 child)

    by arslan (3462) on Tuesday June 21 2022, @01:30AM (#1254795)

    Like everything else, IT solutions are likely outsourced and the core is re-used over and over with some cosmetic changes. In theory, their cyber sec/in-house IT should be running some cyber pen. tests before going live but that could also be outsourced, potentially to the same vendor even.

    Harvard business school 101: outsource to the cheapest or most "cost-effective"* tender

    *cost-effective as in how those costs turn into "benefits" for stakeholders.

    • (Score: 5, Informative) by FatPhil on Tuesday June 21 2022, @05:58AM

      by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Tuesday June 21 2022, @05:58AM (#1254829) Homepage
      It's not about pen testing, it's simple egress testing - no contact at all should be made to any 3rd party site for any reason at all. Even social media icons should be locally hosted. And all non-local links should use noreferrer blocking.
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
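
The egress check described in the last comment, sketched as an added example that is not part of the original thread or the article: a static audit of one HTML page that lists every resource the markup loads from another host and every external link missing `rel="noreferrer"`. The host names, the sample page and the `audit` helper are constructed for illustration.

```python
# Added example: static egress audit for one HTML page (not code from the thread).
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute makes the browser fetch on load. Conservative: any
# external <link href> is flagged, including kinds that do not trigger a fetch.
LOADERS = {"script": "src", "img": "src", "iframe": "src", "embed": "src",
           "source": "src", "link": "href"}

class EgressAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.host = urlsplit(page_url).hostname
        self.loads = []        # (tag, url) fetched from another host
        self.leaky_links = []  # external <a href> lacking rel="noreferrer"

    def _external(self, url):
        """Return the absolute URL if it points at another host, else None."""
        absolute = urljoin(self.page_url, url)
        parts = urlsplit(absolute)
        if parts.scheme in ("http", "https") and parts.hostname != self.host:
            return absolute
        return None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in LOADERS and attrs.get(LOADERS[tag]):
            url = self._external(attrs[LOADERS[tag]])
            if url:
                self.loads.append((tag, url))
        elif tag == "a" and attrs.get("href"):
            url = self._external(attrs["href"])
            rel = (attrs.get("rel") or "").lower().split()
            if url and "noreferrer" not in rel:
                self.leaky_links.append(url)

def audit(page_url, html):
    parser = EgressAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.loads, parser.leaky_links

# Constructed sample page; every host name here is a placeholder.
SAMPLE = """<head><link rel="stylesheet" href="/static/site.css">
<script src="https://tracker.example/pixel.js"></script></head>
<body><img src="/img/logo.png"><img src="//cdn.social.example/icon.png">
<a href="/appointments">Book</a>
<a href="https://social.example/hospital">Follow us</a>
<a href="https://partner.example/" rel="noopener noreferrer">Partner</a></body>"""

if __name__ == "__main__":
    print(audit("https://hospital.example/", SAMPLE))
```

A static pass only sees URLs present in the markup; requests that a script issues at runtime have to be caught by loading the page in a browser with network capture and comparing the contacted hosts against an allowlist.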