A tracking tool installed on hospital websites has been collecting patients’ sensitive health information, including details of their medical conditions, prescriptions, and doctor’s appointments, and sending it to Facebook. Facebook asked several U.S. hospitals to share data about their patients, such as illnesses and prescription information. Facebook intends to match it up with user data it had collected and help the hospitals figure out which patients need special care. A Facebook spokesperson, however, stated to CNBC that the company has not received any data since the plan has not progressed yet.
But last month, the company met with several health organizations, including Stanford Medical School and the American College of Cardiology, about signing the data-sharing agreement. This data will contain the patients’ personal information, such as the patients’ names and Facebook usernames, and a technique called “hashing” will be used to match individuals who exist in both sets. This has been a matter of concern since Cambridge Analytica, a political research organization that worked for Donald Trump, got hold of detailed information about Facebook users without their permission and tried to use the data to target political ads to them.
Facebook responded on Wednesday that the data of as many as 87 million people might have been shared this way. The company has announced new privacy policies and controls meant to restrict the type of data it collects and shares, and how that data can be used.
The Markup tested the websites of the top 100 hospitals in America and found that 33 of them have the tracker called the Meta Pixel, sending Facebook a packet of data whenever a person clicked a button to schedule a doctor’s appointment. The data is connected to an IP address and can generally be linked to a specific individual or household – creating an intimate receipt of the appointment request for Facebook.
On the website of Cleveland Medical Centre, for example, clicking the “Schedule Online” button on a doctor’s page prompted the Meta Pixel to send Facebook the text of the button, the doctor’s name, and the search term we used to find her: “pregnancy termination”.
The Markup also found the Meta Pixel installed inside the password-protected patient portals of seven health systems. On five of these systems’ pages, we documented the pixel sending Facebook sensitive information about real patients who volunteered to participate in the Pixel Hunt Project, a collaboration between The Markup and Mozilla Rally. The data sent to hospitals included the names of patients’ medications, descriptions of their allergic reactions, and details about their upcoming doctor’s appointments.
“This calls for a cause of concern about what the hospital is doing with patients’ information and sharing of it,” said David Holtzman, a health privacy adviser in the U.S. Department of Health and Human Services’ Office for Civil Rights, which enforces HIPAA.
University Hospital, Cleveland Medical Centre spokesperson George Stamatis didn’t respond to The Markup’s questions but said in a brief statement that the hospital “comports with all applicable federal and state laws and regulatory requirements.”
After The Markup’s findings, Froedtert Hospital removed the Meta Pixel from its website “out of an abundance of caution,” Steve Schooff, a spokesperson for the hospital, wrote in a statement. As of June, 15 other hospitals had followed suit and removed pixels from their appointment booking pages.
Facebook is not subject to HIPAA, but it has been interviewed by experts because the story is a source of concern. The Markup has been unable to ascertain whether Facebook used the data to target advertisements, train its recommendation algorithms, or profit in other ways. The Markup has yet to confirm whether any data referenced in this story was removed before being stored by Meta.
THIS COULD BRING SHOCK TO THE PATIENT
The Meta Pixel is a snippet of code that tracks users as they navigate through a website, logging which pages they visit, which buttons they click, and certain information they enter into forms. It’s one of the prolific tracking tools on the internet.
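One way a hospital's web or privacy team could check its own pages for the behaviour described above, as an added example that is not The Markup's test code or Meta's: it scans captured browser requests for third-party tracker calls whose parameters carry health-related terms. The tracker host list, the watch-list terms, the request shape and every sample URL are constructed assumptions.

```javascript
// Added example: audit captured requests for health data sent to a tracker.
// Assumption: hosts treated as tracker endpoints; extend for your own review.
const TRACKER_HOSTS = new Set(["www.facebook.com"]);
// Constructed watch list of terms that should never leave a patient-facing page.
const SENSITIVE_TERMS = ["pregnancy", "termination", "allerg", "medication",
                         "prescription", "schedule"];

// Constructed sample (not real traffic): requests as exported from a browser
// session, each paired with the page that issued it. IDs are placeholders.
const doctorPage = "https://hospital.example/doctors/jane-doe?q=pregnancy+termination";
const capturedRequests = [
  { page: doctorPage,
    url: "https://www.facebook.com/tr/?id=0000000000&ev=SubscribedButtonClick" +
         "&dl=" + encodeURIComponent(doctorPage) +
         "&cd%5BbuttonText%5D=Schedule%20Online" },
  { page: "https://hospital.example/", url: "https://hospital.example/static/app.js" },
  { page: "https://hospital.example/visit",
    url: "https://www.facebook.com/tr/?id=0000000000&ev=PageView&dl=" +
         encodeURIComponent("https://hospital.example/visit") },
];

// Values are often URL-encoded twice (a full page URL inside a parameter),
// so decode once more and treat '+' as a space before matching.
function normalise(value) {
  try { value = decodeURIComponent(value); } catch { /* keep malformed value */ }
  return value.replace(/\+/g, " ").toLowerCase();
}

// Returns one finding per tracker parameter whose value contains a watched term.
function findSensitiveLeaks(requests, terms = SENSITIVE_TERMS) {
  const findings = [];
  for (const { page, url } of requests) {
    const target = new URL(url);
    const firstParty = target.hostname === new URL(page).hostname;
    if (firstParty || !TRACKER_HOSTS.has(target.hostname)) continue;
    for (const [param, rawValue] of target.searchParams) {
      const value = normalise(rawValue);
      const hits = terms.filter((term) => value.includes(term));
      if (hits.length > 0) {
        findings.push({ page, tracker: target.hostname, param, value: rawValue, hits });
      }
    }
  }
  return findings;
}

console.log(findSensitiveLeaks(capturedRequests));
```

Because the check looks at every parameter value rather than specific parameter names, it still flags leaks if the tracker changes how it labels its fields.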
“Patients would be shocked to find out that Facebook is being provided with an easy way to associate their prescriptions with their name,” said Glenn Cohen, Faculty Director of Harvard Law School’s Petrie-Flom Centre for Health Law Policy, Biotechnology, and Bioethics. This is totally not acceptable for patients; this is not what they expect from health privacy laws.
Facebook’s data collection on hospital websites has been the subject of class-action lawsuits in several states, with mixed results. Those cases involve types of data that health law experts said are sensitive but less regulated than the health information The Markup documented the Meta Pixel collecting. In one such case, in 2016, a group of plaintiffs sued Facebook and a handful of health systems and organizations, alleging that the organizations had breached their privacy policies and several state and federal laws, including wiretapping and intrusion-on-seclusion statutes, by collecting data via tracking technology on the health care providers’ websites. There have been other similar cases as well.