Facebook is receiving sensitive medical information from hospital websites

A tracking tool installed on many hospitals' websites has been collecting patients' sensitive health information and sending it to Facebook.

Newsweek publishes a list of the top 100 hospitals in the US. On hospital websites that carry the tracker, clicking a button to schedule a doctor's appointment sends a packet of data to Facebook. If that data is connected to a specific person or household, it amounts to an intimate receipt of the appointment request, delivered to Facebook.

On the website of University Hospitals Cleveland Medical Center, for example, clicking the “Schedule Online” button on a doctor’s page prompted the Meta Pixel to send Facebook the text of the button, the doctor’s name, and the search term we used to find her: “pregnancy termination.”

On other hospital sites, the text of the button, the doctor's name, and the condition we chose from a menu were sent to Facebook by the Meta Pixel.
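A hospital web team auditing its own site needs to see exactly which fields a pixel call carries. The following is an added example (not code from The Markup, the hospitals, or Meta) that parses captured outbound request URLs and reports the custom-data fields sent to the pixel endpoint. It assumes the pixel reports to `www.facebook.com/tr/` with the event name in `ev`, the page URL in `dl`, and custom data in `cd[key]` query parameters; the sample URLs and the field names in them are constructed for the example.

```javascript
// Added example: audit captured outbound request URLs from a hospital site and
// report what each Meta Pixel call carried. Assumptions: endpoint host/path and
// the `ev`, `dl`, `cd[key]` parameter names; sample URLs below are constructed.

const PIXEL_HOSTS = new Set(["www.facebook.com", "facebook.com"]);

// Parse one URL; return null if it is not a pixel request.
function parsePixelRequest(url) {
  let u;
  try { u = new URL(url); } catch { return null; }
  if (!PIXEL_HOSTS.has(u.hostname) || !u.pathname.startsWith("/tr")) return null;
  const custom = {};
  for (const [k, v] of u.searchParams) {
    const m = /^cd\[(.+)\]$/.exec(k);   // custom data arrives as cd[fieldName]
    if (m) custom[m[1]] = v;
  }
  return {
    event: u.searchParams.get("ev") || "",
    page: u.searchParams.get("dl") || "",
    custom,
  };
}

// Flag custom-data keys that look like the fields the article describes
// (button text, provider name, search or condition terms). Returns findings.
function auditPixelRequests(urls) {
  const sensitiveKeys = /button|name|search|condition|query|term/i;
  const findings = [];
  for (const url of urls) {
    const req = parsePixelRequest(url);
    if (!req) continue;
    const leaked = Object.entries(req.custom)
      .filter(([k]) => sensitiveKeys.test(k))
      .map(([k, v]) => `${k}=${v}`);
    if (leaked.length) findings.push({ event: req.event, page: req.page, leaked });
  }
  return findings;
}

// Constructed sample: one pixel hit from a booking page, one unrelated request.
const SAMPLE_URLS = [
  "https://www.facebook.com/tr/?id=000&ev=ButtonClick&dl=https%3A%2F%2Fexample-hospital.test%2Fdoctor%2F123" +
    "&cd%5BbuttonText%5D=Schedule%20Online&cd%5BdoctorName%5D=Dr.%20Example&cd%5BsearchTerm%5D=pregnancy%20termination",
  "https://example-hospital.test/api/slots?doctor=123",
];

console.log(JSON.stringify(auditPixelRequests(SAMPLE_URLS), null, 2));
```

In practice the URLs would come from the browser's network log or a proxy capture of the site's own pages; every request the audit flags is a field the site owner should be able to justify under their data-sharing obligations.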

The Markup also found the Meta Pixel inside the password-protected patient portals of seven health systems. We documented the data that was sent to Facebook from the portals of patients who volunteered to participate in the project, a crowd-sourced undertaking in which anyone can install a browser add-on that records the data their browser sends to the Meta Pixel. The data sent to Facebook from those portals included the names of patients' medications, descriptions of their allergic reactions, and details of their doctor's appointments.

According to former regulators, health data security experts, and privacy advocates, the hospitals in question may have violated the federal Health Insurance Portability and Accountability Act (HIPAA). Hospitals and other covered entities are not allowed to share personally identifiable health information with third parties unless an individual has consented in advance or the sharing is covered by a contract of the kind the law permits.

The hospitals and Meta didn't say they had such contracts in place, and The Markup didn't find evidence that the hospitals or Meta were getting patients' express consent.

David Holtzman, a health privacy consultant who previously served as a senior privacy adviser in the U.S. Department of Health and Human Services, said he was troubled by what the hospitals were doing with their data. “I don't know if sharing this data is a violation of the Health Insurance Portability and Accountability Act. It is probably a violation of the health care law.”

George Stamatis, a University Hospitals Cleveland Medical Center spokesman, said in a statement that the hospital complies with all applicable federal and state laws.

Steve Schooff, a spokesman for the hospital, wrote in a statement that the Meta Pixel was removed out of an abundance of caution.

At least five of the seven health systems that had the Meta Pixel installed in their patient portals had removed it from their booking pages.

According to the most recent data available from the American Hospital Association, the 33 hospitals reported more than 26 million patient admissions and outpatient visits in 2020. Our investigation was limited to just over 100 hospitals, and the data sharing likely affects many more patients.

The experts interviewed for this story expressed concerns about how the advertising giant might use the data it gathers for its own benefit.

Nicholson Price, a University of Michigan law professor who studies big data and health care, said: “From the point of view of the hospitals, this is problematic.”

The Markup could not determine whether Facebook used the data to target advertisements, train its recommendation algorithms, or otherwise make money from it.