Facebook is accessing your medical data
Facebook and businesses can easily have a mutually advantageous relationship, but what about Facebook and hospitals? Where’s the interest there?
It’s not obvious, but it must exist; otherwise hospitals would not be using Meta Pixel (formerly known as Facebook Pixel) to track patients’ doctor appointments, the medical inquiries they make, and sometimes even the medications they take.
According to a new report in The Markup, fully a third of the United States’ top 100 hospitals (as listed by Newsweek) use Meta Pixel to track patient data. Meta Pixel is free to use and easy to install: a short JavaScript snippet that loads Facebook’s tracking script into every page it is placed on. It is invisible to visitors, although anyone who knows what to look for can find it in the page source or in the browser’s network traffic. Website owners use it to track visitors, note which pages they open, which buttons they click, and sometimes the information they enter in the forms they fill out. In return for providing the websites with this nifty tool, Facebook receives the same data, along with each visitor’s IP address, which is itself one of HIPAA’s identifiers and which Facebook can combine with the cookies it sets in the browser to tie the activity to an identifiable person.
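The paragraph above says the pixel is invisible to visitors but easy to find if you know what to look for. The following is an added example, not code from The Markup or from any hospital, of how a practitioner would check a page’s HTML for it: the standard Meta Pixel base code always leaves a loader referencing `connect.facebook.net/.../fbevents.js`, an `fbq('init', '<pixel id>')` call, `fbq('track', ...)` or `fbq('trackCustom', ...)` event calls, and a `<noscript>` fallback image pointing at `facebook.com/tr?id=...`. The sample pages, the pixel ID and the `PORTAL_RE` heuristic for "this path looks like a patient portal" are all constructed for the example.

```python
"""Scan page HTML for the Meta Pixel and flag hits inside portal-like paths.

Added example: scans static HTML for the artefacts the Meta Pixel base code
leaves behind. Sample pages and IDs below are constructed, not real sites.
"""
import re

# Pieces the standard Meta Pixel base code leaves in page source.
LOADER_RE = re.compile(r"connect\.facebook\.net/[^\s'\"]*fbevents\.js")
INIT_RE = re.compile(r"fbq\(\s*['\"]init['\"]\s*,\s*['\"](\d+)['\"]")
TRACK_RE = re.compile(r"fbq\(\s*['\"](track|trackCustom)['\"]\s*,\s*['\"]([^'\"]+)['\"]")
NOSCRIPT_RE = re.compile(r"facebook\.com/tr\?[^\"'\s]*?\bid=(\d+)")
# Assumed heuristic: URL paths that usually sit behind a patient login.
PORTAL_RE = re.compile(r"mychart|portal|login|appointment", re.I)

# Constructed sample: a page carrying the pixel base code plus a custom event
# fired from a "schedule" button (the pixel ID is made up).
SAMPLE_PAGE = """<html><head>
<script>
!function(f,b,e,v,n,t,s){if(f.fbq)return;n=f.fbq=function(){n.callMethod?
n.callMethod.apply(n,arguments):n.queue.push(arguments)};if(!f._fbq)f._fbq=n;
n.push=n;n.loaded=!0;n.version='2.0';n.queue=[];t=b.createElement(e);t.async=!0;
t.src=v;s=b.getElementsByTagName(e)[0];s.parentNode.insertBefore(t,s)}(window,
document,'script','https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000001');
fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" style="display:none"
src="https://www.facebook.com/tr?id=000000000000001&ev=PageView&noscript=1"/></noscript>
</head><body>
<button onclick="fbq('trackCustom', 'ScheduleAppointment', {doctor: 'Dr. Example'})">
Schedule an appointment</button>
</body></html>"""

# Constructed sample: a page with no tracking code at all.
CLEAN_PAGE = "<html><head><title>Visiting hours</title></head><body>9am to 8pm</body></html>"


def scan_for_meta_pixel(html):
    """Return what the Meta Pixel base code left in this HTML."""
    pixel_ids = sorted(set(INIT_RE.findall(html)) | set(NOSCRIPT_RE.findall(html)))
    events = [(kind, name) for kind, name in TRACK_RE.findall(html)]
    return {
        "loader_present": LOADER_RE.search(html) is not None,
        "pixel_ids": pixel_ids,
        "events": events,
    }


def classify(path, scan):
    """Rank a finding: nothing, pixel on a public page, or pixel behind a portal path."""
    if not scan["loader_present"] and not scan["pixel_ids"]:
        return "no pixel found"
    if PORTAL_RE.search(path):
        return "pixel in patient portal"
    return "pixel present"


def audit(pages):
    """pages: {path: html}. Returns {path: (classification, scan result)}."""
    return {path: (classify(path, scan_for_meta_pixel(html)), scan_for_meta_pixel(html))
            for path, html in pages.items()}


if __name__ == "__main__":
    results = audit({"/mychart/appointments": SAMPLE_PAGE, "/visiting-hours": CLEAN_PAGE})
    for path, (verdict, scan) in results.items():
        print(f"{path}: {verdict}; ids={scan['pixel_ids']}; events={scan['events']}")
```

One caveat a reviewer of hospital sites needs: the button-click and form-field capture The Markup observed comes largely from the pixel’s own automatic event collection, which is switched on in Meta’s Events Manager rather than written into the page, so a page showing only `fbq('track', 'PageView')` in its source can still send button text and typed values. A source scan like this one tells you the pixel is there; to see what it actually sends you have to watch the `facebook.com/tr` requests in the browser’s network tab while clicking through the portal.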
The website owner gains again: Facebook uses the data to target ads at those same visitors and reports back on how the ads performed. Ads based on which blood pressure medication you take? Sure, why not? Ads based on the abortion provider you were researching? Most people would be horrified to know that Facebook is being granted this kind of information, but it is happening constantly.
What’s more, in at least five hospitals it’s even happening within password-protected patient portals.
Is it illegal? Quite possibly. According to The Markup, hospitals may have violated the federal Health Insurance Portability and Accountability Act (HIPAA), a law that prohibits covered entities like hospitals from sharing personally identifiable health information with third parties like Facebook, except when an individual has expressly consented in advance or under certain contracts.
Neither the hospitals contacted nor Meta itself reported that they had such contracts in place, nor is there any evidence that patients’ consent is sought, let alone granted.
Examples of Meta Pixel data transfer provided by The Markup include University Hospitals Cleveland Medical Center's website, where clicking a button to schedule an appointment caused Meta Pixel to send Facebook the doctor’s name and the search term the patient had used; in the case described, it was “pregnancy termination.”
Novant Health in North Carolina uses Meta Pixel in its “MyChart” portal. When tested, Pixel told Facebook the name and dosage of a medication in a patient’s health records, along with notes entered about the prescription. Pixel also told Facebook which button was clicked in response to a question about sexual orientation.
“Our Meta Pixel placement is guided by a third party vendor and it has been removed while we continue to look into this matter,” Novant spokesperson Megan Rivers wrote in an email.
Froedtert Hospital in Wisconsin was also quick to take action after being alerted to the issue by The Markup, which told the hospital how its test showed that clicking a button on its website prompted Meta Pixel to send Facebook the name of the patient’s doctor and the search term “Alzheimer’s”. Froedtert Hospital has now removed Meta Pixel from its site “out of an abundance of caution,” said a hospital spokesman.
Other hospitals approached took no action and insisted that they were operating within the law. Most didn’t respond at all.
As for Facebook itself, Meta did not respond directly to The Markup’s questions, instead sending an email describing its policies:
If Meta’s signals filtering systems detect that a business is sending potentially sensitive health data from their app or website through their use of Meta Business Tools, which in some cases can happen in error, that potentially sensitive data will be removed before it can be stored in our ads systems.