An investigation has revealed that Facebook is receiving personal patient information from roughly a third of the top U.S. hosipital’s websites. The information collected by Facebook includes information regarding medical conditions, prescriptions, and clinical visits.
The data is gathered through a tracking tool called the Meta Pixel. Meta Pixel is used to ensure advertisements are targeted to the correct users and monitor the performance of the advertisements. However, in this circumstance, the tool has gained access to too much information. When a user clicks a button to book an appointment with their doctor, the information is sent to Facebook via the tracking tool. The information is associated with the person’s IP address and creates a receipt for the appointment application to send to Facebook.
The report was published by The Markup in collaboration with STAT. The report found that the Meta Pixel had been installed in 33% of the top U.S. hospitals’ websites. The hospitals found with the Meta Pixel include Johns Hopkins Hospital, UCLA Reagan Medical Center, New York Presbyterian Hospital, Northwestern Memorial Hospital, and Duke University Hospital. Furthermore, The Markup also found the tool was embedded within password-protected patient portals of seven healthcare institutions. The Markup also found that the tracking tool had access to password-protected patient portals in 7 of the hospital’s websites examined.
The Markup contends that the guilty hospitals may be in violation of HIPAA. According to HIPAA regulations, hospitals are not allowed to provide Facebook with access to patient personal information without first obtaining a Business Associate Agreement and the patient’s permission. Before disclosing the patient data, no hospital had a contract in place.
The Markup stated that Meta Pixel has access to almost 26 million medical admissions and outpatient visits in the study for the year 2020. The top 100 hospitals in the US were the only ones included in the survey. The researchers think that many additional hospitals are giving Facebook permission to use Meta Pixel. The report was unable to confirm whether Facebook had used the information they received. Dale Horgan, a Facebook spokesperson, denies any wrongdoing, “If Meta’s signals filtering systems detect that a business is sending potentially sensitive health data from their app or website through their use of Meta Business Tools, which in some cases can happen in error, that potentially sensitive data will be removed before it can be stored in our ads systems”.