Meta is facing growing questions about its access to sensitive medical data after a Markup investigation found that the company’s pixel tracking tool collected details about patients’ doctor appointments, prescriptions and health status on hospital websites.
During a Sept. 14 Senate Homeland Security and Governmental Affairs Committee hearing, Sen. Jon Ossoff (D-Ga.) demanded that Meta — the parent company of Facebook and Instagram — provide a “comprehensive and accurate” accounting of the medical information it stores about users.
“There has been considerable public reporting, controversy and concern about the Meta Pixel product and the possibility that its deployment on the websites of various hospital systems, for example, allowed Meta to collect private health care data,” Ossoff said.
“We need to understand, as the US Congress, whether or not Meta collects, has access to, or stores medical or health data about US individuals,” he added.
In response to Ossoff’s question about whether Meta has medical or health data about its users, Meta chief product officer Chris Cox replied, “No, to my knowledge.” Cox also promised to follow up with a written response to the committee.
In June, The Markup reported that Meta Pixels on the websites of 33 of Newsweek’s top 100 hospitals in America were transmitting details of patients’ doctor appointments to Meta when the patients booked on the websites. We also found Meta Pixels in the password-protected patient portals of seven health systems collecting data on patients’ prescriptions, sexual orientation and health status.
Former regulators told The Markup that hospitals’ use of the pixel may have violated Health Insurance Portability and Accountability Act (HIPAA) prohibitions against sharing protected health information.
“Advertisers should not send sensitive information about people through our business tools,” Meta spokesman Dale Hogan wrote to The Markup in an emailed statement. “This is against our policies and we are training advertisers on how to properly set up business tools to prevent this from happening. Our system is designed to filter out potentially sensitive data that it can detect.”
Following The Markup’s investigation:
- As of September 15, 28 of the 33 hospitals had removed the Meta Pixel from their doctor booking pages or blocked it from sending patient information to Facebook. At least six of the seven health systems have also removed pixels from their patient portals. The Markup reached out to institutions that removed the pixel from their websites following our investigation published in June. As of press time, three institutions — Sanford Health, El Camino Health and Henry Ford Health — have responded. Read their statements here.
- One health system, North Carolina-based Novant Health, sent data breach notices to 3 million customers after The Markup’s report. In the breach notification, Novant Health said the pixel was added as part of a promotional campaign to encourage use of Novant’s MyChart patient portal, but “the pixel was configured incorrectly and may have allowed certain private information to be transmitted to Meta.” On Sept. 16, Novant amended its data breach notification post to indicate that Meta informed the provider that it “generally” filters sensitive patient medical information and that “there is no information to return or destroy.”
- The North Carolina attorney general’s office said it is “actively investigating” the hospitals’ data sharing after calls from state lawmakers for an investigation.
- At least five class-action lawsuits have been filed against Meta, alleging that its collection of pixel data on hospital websites violates various state and federal laws. One filed against the company on behalf of a Baltimore-based MedStar Health System patient alleges that Meta Pixels collected patient information from at least 664 different hospital websites. The other lawsuits were filed on behalf of Novant Health patients and hospitals in San Francisco, Los Angeles and Chicago.
Meanwhile, developments in another court case suggest that Meta may have difficulty providing the Senate committee with full information about the sensitive health data it stores on users.
In March, two Meta employees testifying in a trial over the Cambridge Analytica scandal told the US District Court for the Northern District of California that it would be very difficult for the company to track all the data associated with a single user account.
“It’s going to take multiple teams on the advertising side to track exactly where the data is flowing,” said one Facebook engineer, according to the transcript, which was first reported by The Intercept. “I would be surprised if there is even one person who can answer this narrow question definitively.”
The engineers’ comments echo concerns expressed in a 2021 privacy memo written by Facebook engineers that was leaked to Vice.
“We do not have an adequate level of control and explainability of how our systems use data, and thus cannot confidently make controlled policy changes or external commitments such as ‘we will not use X data for Y purposes,’” the authors wrote in the memo.
This article is co-published with The Markup, a nonprofit newsroom that explores how powerful institutions are using technology to change our society.