The Markup tested 100 hospital websites and on 33 of them discovered a tracking tool called “Meta Pixel” that collected patients’ sensitive health information, including medical conditions, prescriptions, and medical appointments:
“Clicking the ‘Schedule Online Now’ button for a doctor on the website of Froedtert Hospital, in Wisconsin, prompted the Meta Pixel to send Facebook the text of the button, the doctor’s name, and the condition we selected from a dropdown menu: ‘Alzheimer’s.’”
The Markup said it did not find any instances where patient consent was expressly obtained beforehand.
Experts expressed concern about the privacy implications of the data retrieval.
“I am deeply troubled by what [the hospitals] are doing with the capture of their data and the sharing of it,” David Holtzman, a former HIPAA senior privacy adviser in the U.S. Department of Health and Human Services’ Office for Civil Rights, said according to The Markup. “I cannot say [sharing this data] is for certain a HIPAA violation. It is quite likely a HIPAA violation.”
While Facebook is not subject to HIPAA, others expressed concern that the tech giant collected the information for its own profit.
“This is an extreme example of exactly how far the tentacles of Big Tech reach into what we think of as a protected data space,” Nicholson Price, a University of Michigan law professor, said according to The Markup. “I think this is creepy, problematic, and potentially illegal” from the hospitals’ point of view.
While Facebook did not respond to The Markup’s request for comment spokesperson Dale Hogan sent an email that paraphrased the company’s health data policy.
“If Meta’s signals filtering systems detect that a business is sending potentially sensitive health data from their app or website through their use of Meta Business Tools, which in some cases can happen in error, that potentially sensitive data will be removed before it can be stored in our ads systems,” Hogan wrote in the email.
Tech companies have long had a troubling history when it comes to the collection of the personal information of users.
“Internal documents from The Journal reportedly revealed that this secret project began last year with the help of Ascension, a Catholic chain of hospitals and related facilities, with the data sharing accelerating since summer.
Executive vice president Eduardo Conrado commented that Ascension ‘must transform to better meet the needs and expectations of those we serve as well as our own caregivers and health-care providers’ as the health-care environment evolves.
But regardless of health crises, it’s unlikely that Americans wittingly asked for their data to be distributed. Indeed, according to The Journal, ‘Neither patients nor doctors have been notified.’”