A tracking tool installed on many hospitals’ websites has been collecting patients’ sensitive health information—including details about their medical conditions, prescriptions, and doctor’s appointments—and sending it to Facebook.
The Markup tested the websites of Newsweek’s top 100 hospitals in America. On 33 of them we found the tracker, called the Meta Pixel, sending Facebook a packet of data whenever a person clicked a button to schedule a doctor’s appointment. The data is connected to an IP address—an identifier that’s like a computer’s mailing address and can generally be linked to a specific individual or household—creating an intimate receipt of the appointment request for Facebook.
On the website of University Hospitals Cleveland Medical Center, for example, clicking the “Schedule Online” button on a doctor’s page prompted the Meta Pixel to send Facebook the text of the button, the doctor’s name, and the search term we used to find her: “pregnancy termination.”
Clicking the “Schedule Online Now” button for a doctor on the website of Froedtert Hospital, in Wisconsin, prompted the Meta Pixel to send Facebook the text of the button, the doctor’s name, and the condition we selected from a dropdown menu: “Alzheimer’s.”
The Markup also found the Meta Pixel installed inside the password-protected patient portals of seven health systems. On five of those systems’ pages, we documented the pixel sending Facebook data about real patients who volunteered to participate in the Pixel Hunt project, a collaboration between The Markup and Mozilla Rally. The project is a crowd-sourced undertaking in which anyone can install Mozilla’s Rally browser add-on in order to send The Markup data on the Meta Pixel as it appears on sites that they visit. The data sent to hospitals included the names of patients’ medications, descriptions of their allergic reactions, and details about their upcoming doctor’s appointments.
Former regulators, health data security experts, and privacy advocates who reviewed The Markup’s findings said the hospitals in question may have violated the federal Health Insurance Portability and Accountability Act (HIPAA). The law prohibits covered entities like hospitals from sharing personally identifiable health information with third parties like Facebook, except when an individual has expressly consented in advance or under certain contracts.
Neither the hospitals nor Meta said they had such contracts in place, and The Markup found no evidence that the hospitals or Meta were otherwise obtaining patients’ express consent.
“I am deeply troubled by what [the hospitals] are doing with the capture of their data and the sharing of it,” said David Holtzman, a health privacy consultant who previously served as a senior privacy adviser in the U.S. Department of Health and Human Services’ Office for Civil Rights, which enforces HIPAA. “I cannot say [sharing this data] is for certain a HIPAA violation. It is quite likely a HIPAA violation.”
University Hospitals Cleveland Medical Center spokesperson George Stamatis did not respond to The Markup’s questions but said in a brief statement that the hospital “comport[s] with all applicable federal and state laws and regulatory requirements.”
After reviewing The Markup’s findings, Froedtert Hospital removed the Meta Pixel from its website “out of an abundance of caution,” Steve Schooff, a spokesperson for the hospital, wrote in a statement.
As of June 15, six other hospitals had also removed pixels from their appointment booking pages, and at least five of the seven health systems that had Meta Pixels installed in their patient portals had removed those pixels.
The 33 hospitals The Markup found sending patient appointment details to Facebook collectively reported more than 26 million patient admissions and outpatient visits in 2020, according to the most recent data available from the American Hospital Association. Our investigation was limited to just over 100 hospitals; the data sharing likely affects many more patients and institutions than we identified.
Facebook itself is not subject to HIPAA, but the experts interviewed for this story expressed concerns about how the advertising giant might use the personal health data it’s collecting for its own profit.
“This is an extreme example of exactly how far the tentacles of Big Tech reach into what we think of as a protected data space,” said Nicholson Price, a University of Michigan law professor who studies big data and health care. “I think this is creepy, problematic, and potentially illegal” from the hospitals’ point of view.
The Markup was unable to determine whether Facebook used the data to target advertisements, train its recommendation algorithms, or profit in other ways.