Monday, 6 May, 2024

US Congress grills Facebook over patients’ health data privacy breach

Meta, the parent company of Facebook and Instagram, is being quizzed over its access to sensitive medical data after an investigation by The Markup, a non-profit newsroom that tracks how powerful institutions use technology to change society, found the company’s pixel tracking tool collecting details about patients’ doctor’s appointments, prescriptions, and health conditions on hospital websites.

During a Senate Homeland Security and Governmental Affairs Committee hearing on 14 September, Sen. Jon Ossoff asked Meta to provide a “comprehensive and precise” accounting of the medical information it keeps on users.

“There’s been substantial public reporting, controversy, and concern about the Meta Pixel product and the possibility that its deployment on various hospital systems’ websites, for example, has enabled Meta to collect private healthcare data,” Ossoff said.

In response to his question about whether Meta has medical or healthcare data about its users, Meta chief product officer Chris Cox said, “Not to my knowledge,” reports STAT.

In June, The Markup reported that Meta Pixels, on the websites of 33 of Newsweek’s top 100 hospitals in America, were transmitting the details of patients’ doctor’s appointments to Meta when patients booked on the websites. It also found Meta Pixels inside the password-protected patient portals of seven health systems collecting data about patients’ prescriptions, sexual orientation, and health conditions.

Former regulators told The Markup that the hospitals’ use of the pixel might have violated the Health Insurance Portability and Accountability Act (HIPAA) prohibitions against sharing protected health information.

Since The Markup’s investigation:
• As of last week (15 September), 28 of the 33 hospitals had removed the Meta Pixel from their doctor booking pages or blocked it from sending patient information to Facebook. At least six of the seven health systems had also removed the pixels from their patient portals.
• One health system, North Carolina-based Novant Health, mailed data breach notifications to 3 million customers after The Markup’s report. In the breach notification, Novant Health said the pixel was added as part of a promotional campaign to encourage use of Novant’s MyChart patient portal, but “it was configured incorrectly and may have allowed certain private information to be transmitted to Meta”. On 16 September, Novant amended its data breach notification post to state that Meta had informed the provider that it “generally” filtered out patients’ sensitive medical information and that it did “not have information to return or destroy”.
• The North Carolina attorney general’s office said it was “actively investigating” the hospitals’ data-sharing after calls from state lawmakers for a probe.
• At least five class-action lawsuits have been filed against Meta contending that the pixel’s data collection on hospital websites broke various state and federal laws. One, filed against the company on behalf of a Baltimore-based MedStar Health System patient, claims that Meta Pixels collected patient information from at least 664 different hospitals’ websites. The other lawsuits were brought on behalf of patients of Novant Health and hospitals in San Francisco, Los Angeles, and Chicago.

Meanwhile, developments in another legal case suggest Meta may have a hard time providing the Senate committee with a complete account of the sensitive health data it holds on users.

In March, two Meta employees testifying in another case told the District Court for the Northern District of California that it would be very difficult for the company to track down all data associated with a single user account.

“It would take multiple teams on the ad side to track down exactly where the data flows,” one Facebook engineer said. “I would be surprised if there’s even a single person who can answer that narrow question conclusively.”

The engineers’ comments echo the worries expressed in a leaked 2021 privacy memo written by Facebook engineers.

“We do not have an adequate level of control and explainability over how our systems use data, and thus we can’t confidently make controlled policy changes or external commitments such as ‘we will not use X data for Y purpose’,” the memo’s authors wrote.

STAT article – Meta faces mounting questions from Congress on health data privacy as hospitals remove Facebook tracker (Open access)

The Markup article – Facebook is receiving sensitive medical information from hospital websites (Open access)
