This article is copublished with STAT.
Meta is facing mounting questions about its access to sensitive medical data following a Markup investigation that found the company's pixel tracking tool collecting details about patients' doctor's appointments, prescriptions, and health conditions on hospital websites.
During a Senate Homeland Security and Governmental Affairs Committee hearing on Wednesday, Sen. Jon Ossoff (D-GA) requested that Meta, the parent company of Facebook and Instagram, provide a "comprehensive and precise" accounting of the medical information it keeps on users.
"There's been substantial public reporting, controversy, and concern about the Meta Pixel product and the possibility that its deployment on various hospital systems' websites, for example, has enabled Meta to collect private health care data," Ossoff said.
"We need to understand, as the U.S. Congress, whether or not Meta is collecting, has collected, has access to, or is storing, medical or health data for U.S. persons," he added.
In response to Ossoff's question about whether Meta has medical or health care data about its users, Meta chief product officer Chris Cox responded, "Not to my knowledge." Cox also promised to follow up with a written response to the committee.
In June, The Markup reported that Meta Pixels on the websites of 33 of Newsweek's top 100 hospitals in America were transmitting the details of patients' doctor's appointments to Meta when patients booked on the websites.
We also found Meta Pixels inside the password-protected patient portals of seven health systems collecting data about patients' prescriptions, sexual orientation, and health conditions.
Former regulators told The Markup that the hospitals' use of the pixel may have violated the Health Information Portability and Accountability Act (HIPAA) prohibitions against sharing protected health information.
"Advertisers should not send sensitive information about people through our Business Tools," Meta spokesperson Dale Hogan wrote to The Markup in an emailed statement.
"Doing so is against our policies and we educate advertisers on properly setting up Business tools to prevent this from occurring. Our system is designed to filter out potentially sensitive data it is able to detect."
Since The Markup's Investigation:
- As of Sept. 15, 28 of the 33 hospitals have removed the Meta Pixel from their doctor booking pages or blocked it from sending patient information to Facebook. At least six of the seven health systems had also removed the pixels from their patient portals. The Markup reached out to the institutions who removed the pixel from their websites after our investigation published in June. As of press time, three institutions (Sanford Health, El Camino Health, and Henry Ford Health) had responded. Read their statements here.
- One health system, North Carolina-based Novant Health, mailed data breach notifications to 1.3 million customers following The Markup's report. In the breach notification, Novant Health stated the pixel was added as part of a promotional campaign to encourage use of Novant's MyChart patient portal, but "the pixel was configured incorrectly and may have allowed certain private information to be transmitted to Meta." On Sept. 16, Novant amended its data breach notification post to state that Meta informed the provider that it "generally" filtered out patients' sensitive medical information and that it did "not have information to return or destroy."
- The North Carolina attorney general's office stated it was "actively investigating" the hospitals' data sharing after calls from state lawmakers for a probe.
- At least five class action lawsuits have been filed against Meta contending that the pixel's data collection on hospital websites broke various state and federal laws. One, filed against the company on behalf of a Baltimore-based MedStar Health System patient, claims that Meta Pixels collected patient information from at least 664 different hospitals' websites. The other lawsuits were brought on behalf of patients of Novant Health and hospitals in San Francisco, Los Angeles, and Chicago.
"We Do Not Have an Adequate Level of Control"
Meanwhile, developments in another legal case suggest Meta may have a hard time providing the Senate committee with a complete account of the sensitive health data it holds on users.
In March, two Meta employees testifying in a case about the Cambridge Analytica scandal told the U.S. District Court for the Northern District of California that it would be very difficult for the company to track down all the data associated with a single user account.
"It would take multiple teams on the ad side to track down exactly the—where the data flows," one Facebook engineer said, according to the transcript, which was first reported by The Intercept. "I would be surprised if there's even a single person that can answer that narrow question conclusively."
The engineers' comments echo the same worries expressed in a 2021 privacy memo written by Facebook engineers that was leaked to Vice.
"We do not have an adequate level of control and explainability over how our systems use data, and thus we can't confidently make controlled policy changes or external commitments such as 'we will not use X data for Y purpose,'" the memo's authors wrote.
This article was copublished with STAT, a national publication that delivers trusted and authoritative journalism about health, medicine, and the life sciences. Sign up for its health tech newsletter, delivered Tuesday and Thursday mornings, here: https://www.statnews.com/signup/health-tech/.
Credits: Todd Feathers and Simon Fondrie-Teitler