Another Data Privacy Issue for Facebook

06.07.2022 | Author: Top privacy s.r.o.

Facebook, which remains one of the most well-known social networks, has access to sensitive personal data and medical information sent directly from hospital websites, according to the latest available findings.


The Markup, a media organization that investigates how powerful institutions use technology to change our society, tested the websites of the top 100 hospitals in the U.S. and found that on 33 of them, the Meta Pixel tracking tool sends data to Facebook every time a visitor tries to schedule a doctor’s appointment. This gives Facebook access to information such as the doctor’s name, the planned procedure (e.g., abortion), the names of medications and their dosages, information about scheduled medical appointments, and even data regarding the patient’s sexual orientation.

Meta Pixel sends information to Facebook via code embedded in the web page and executed in the user’s web browser, so that each data set is tagged with an IP address, which, when combined with other data, can be used to identify an individual or a household.
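For a site operator who wants to check what their own pages hand to the pixel, the following is an added example (not code from The Markup or Meta) that audits request URLs captured from a browser session. It assumes the pixel reports to `facebook.com/tr` with the page URL in `dl`, the referrer in `rl`, the event name in `ev` and custom data in `cd[...]` parameters; the watch list and the sample requests are constructed.

```javascript
// Assumption: pixel events are requests to facebook.com/tr.
const PIXEL_HOSTS = new Set(["www.facebook.com", "facebook.com"]);

// Hypothetical watch list, chosen to mirror the data types named in the article.
const SENSITIVE_TERMS = ["appointment", "schedule", "doctor", "medication", "dosage"];

function isPixelRequest(url) {
  return PIXEL_HOSTS.has(url.hostname) && /^\/tr\/?$/.test(url.pathname);
}

// Returns one finding per pixel request whose page context matches the watch list.
function auditRequests(requestUrls) {
  const findings = [];
  for (const raw of requestUrls) {
    let url;
    try { url = new URL(raw); } catch { continue; } // skip malformed entries
    if (!isPixelRequest(url)) continue;
    const hits = [];
    for (const [key, value] of url.searchParams) {
      // Inspect only the fields that describe the page or the interaction.
      if (!(key === "dl" || key === "rl" || key.startsWith("cd["))) continue;
      const text = value.toLowerCase();
      for (const term of SENSITIVE_TERMS) {
        if (text.includes(term)) hits.push({ param: key, term });
      }
    }
    if (hits.length > 0) {
      findings.push({
        pixelId: url.searchParams.get("id"),
        event: url.searchParams.get("ev"),
        hits,
      });
    }
  }
  return findings;
}

// Constructed sample, shaped like request URLs exported from browser dev tools.
const SAMPLE_REQUESTS = [
  "https://www.facebook.com/tr/?id=0000000000&ev=PageView&dl=https%3A%2F%2Fhospital.example%2Fabout",
  "https://www.facebook.com/tr/?id=0000000000&ev=SubscribedButtonClick" +
    "&dl=https%3A%2F%2Fhospital.example%2Fdoctors%2Fjane-doe&cd%5BbuttonText%5D=Schedule%20Online",
  "https://cdn.hospital.example/app.js",
  "not a url",
];

console.log(JSON.stringify(auditRequests(SAMPLE_REQUESTS), null, 2));
```

A finding here means the page URL or the clicked element's text, and not only the visit itself, left the site together with the visitor's IP address.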

According to many experts, these findings lead to the conclusion that the hospitals in question violated the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA). The law prohibits “covered entities”—which include hospitals—from disclosing protected health information to third parties such as Facebook, unless the affected individual has given explicit consent or a cooperation agreement has been concluded with business partners. The term “protected health information” is interpreted quite broadly and includes all information held by a covered entity that relates to health status, the provision of health care, or health care payments, and that can be linked to any individual.

The Markup found no evidence that a contract had been entered into between the hospital and Meta, or that the hospital or Meta had obtained consent from the individuals concerned to disclose protected health information. Nevertheless, most of the hospitals involved deny violating federal law. Following the publication of The Markup’s findings, the hospitals began proactively removing the Meta Pixel from their websites.

Privacy experts, concerned about the leak of protected health information, fear that Facebook will use the sensitive health data it collects—as it often does—for its own profit. Dale Hogan, a spokesperson for Facebook’s parent company, Meta, responded to the situation by paraphrasing the company’s privacy policy: “If Meta’s signal filtering systems detect that a business is sending potentially sensitive health data from its app or website through the use of Meta Business Tools—which in some cases may happen by mistake—this potentially sensitive data will be removed before it can be stored in our advertising systems.”

However, Facebook employees themselves have often stated, with regard to personal data protection, that “we do not have a sufficient level of control over how our systems use data, and therefore we cannot with certainty make external commitments such as ‘we will not use data X for purpose Y.’”

As for the potential consequences, a breach of protected health information can have a significant negative impact on both patients and the hospitals themselves. An extreme consequence can be health identity theft, which is an even bigger problem in the United States, where health insurance is paid for by the patients themselves. Most policyholders do not realize they have been victims of health identity theft until they receive bills from creditors for expenses that thieves incurred in their name. Cases of health identity theft have been on the rise in recent years, and it is an extremely dangerous form of identity theft that is difficult to detect. Health insurance identity theft can have significant financial consequences for patients, who may be required to reimburse health insurance companies for bills issued in their name.

Data breaches by hospitals constitute a serious violation of federal law, for which hospitals face astronomical fines that could be ruinous for some hospitals. Another significant consequence is the loss of patient trust in the healthcare provided by the hospitals in question, and the resulting shift of patients to competitors can also be devastating for the hospital. Nowadays, reputational damage is comparable to, if not more significant than, economic damage.

As we can see from the case mentioned above, personal data is a lucrative commodity in today’s internet age. That is why protecting personal data is so important, and why it is crucial to ensure that our personal data does not end up in the wrong hands.

SOURCES:

https://gdprbuzz.com/news/facebook-hospital-websites/
https://themarkup.org/pixel-hunt/2022/06/16/facebook-is-receiving-sensitive-medical-information-from-hospital-websites
https://www.cdc.gov/phlp/publications/topic/hipaa.html#privacy-rule
https://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act
https://www.experian.com/assets/data-breach/white-papers/consequences-medical-id-theft-healthcare.pdf

