Facebook has been caught in the act once again. A recent investigation by The Markup reveals that the company used web trackers (the familiar cookies) to redirect confidential patient data to its own servers. The information collected reportedly included prescriptions, doctor’s appointments and even illnesses.
For the investigation, The Markup examined the top 100 hospitals in the United States. The result was surprising: a third of them were being tracked by the company. Specifically, the tracker, named Meta Pixel, was found on 33 of them.
What exactly does Facebook do? It creates a kind of “receipt” with the information provided by the person. Of course, this receipt is attached to the unique IP address of the computer or device from which the request is issued. In this way, Facebook not only extracted data relating to appointments, but also the location data of the requestor.
Facebook tracker put to the test
The Markup describes the results of a test using the Cleveland University Hospital Medical Center website. The report states that when a visitor tried to view a doctor’s availability schedule on the platform, the Meta Pixel tracker was automatically activated. It sent not only the data entered in the appointment form, but also the name of the health professional and the search terms used to find it on the internet. For this example, they used the words “termination of pregnancy”.
The same procedure was performed on the Froedtert Hospital site in Wisconsin. On this occasion, the tracker sent Facebook the text of the form, the name of the healthcare professional and the disease reported. For this example, Alzheimer’s disease was used.
On five of these systems’ pages, we document the submission of Facebook pixel data on actual patients who volunteered to participate in Project Pixel Hunt, a collaboration between The Markup and Mozilla Rally.
Data sent to hospitals included the names of patients’ medications, descriptions of their allergic reactions and details of their upcoming medical appointments.
Meta Pixel also wants passwords
But the story does not end there. According to the report, the Facebook tracker was also found on supposedly password-protected patient pages. Of the 100 hospitals examined, this vulnerability was discovered in 7 of them.
However, both the hospitals and Meta claimed not to have a contract of any kind in place. In addition, The Markup found no evidence that users had consented to being tracked by Meta Pixel, suggesting that this may be a violation of the Health Insurance Portability and Accountability Act (HIPAA) on the part of the hospitals.
“I am deeply concerned about what hospitals are doing with data capture and sharing. I can’t say that sharing this data is for sure a violation of HIPAA, but it is very likely that it is.”
David Holtzman, Healthcare Privacy Consultant.
Many hospitals did not respond
After this discovery, The Markup informed the hospitals in question of the existence of the Meta Pixel tracker. However, most of them declined to respond.
However, before June 15, six hospitals had already removed the tracker from their website. Five of the other seven health systems that had Facebook’s Meta Pixel installed also found ways to remove it from their platforms.
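A site owner verifying that kind of removal can audit saved page HTML for the pixel appearing alongside appointment or login fields. The following Python check is an added example, not code from The Markup or the hospitals; the markers are Meta's publicly documented loader URL, `fbq()` call and `facebook.com/tr` beacon, while the field-name hints and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Publicly documented Meta Pixel markers: loader script, fbq() calls, noscript beacon.
PIXEL_SRC = re.compile(r"connect\.facebook\.net/[^\"'\s]*fbevents\.js", re.I)
PIXEL_BEACON = re.compile(r"facebook\.com/tr\?", re.I)
FBQ_CALL = re.compile(r"\bfbq\s*\(\s*['\"](?:init|track|trackCustom)['\"]")
# Assumption: field-name hints for health or credential data; tune per site.
SENSITIVE = re.compile(r"password|doctor|provider|reason|condition|medication|allerg", re.I)

class PixelAudit(HTMLParser):
    """Collects Meta Pixel evidence and sensitive form fields from one page."""
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.evidence, self.fields = [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        if tag == "script":
            self.in_script = True
            if PIXEL_SRC.search(src):
                self.evidence.append("external loader")
        elif tag == "img" and PIXEL_BEACON.search(src):
            self.evidence.append("noscript beacon")
        elif tag in ("input", "select", "textarea"):
            name = a.get("name") or a.get("id", "")
            if a.get("type", "").lower() == "password" or SENSITIVE.search(name):
                self.fields.append(name)

    def handle_endtag(self, tag):
        self.in_script = self.in_script and tag != "script"

    def handle_data(self, data):
        if self.in_script and (PIXEL_SRC.search(data) or FBQ_CALL.search(data)):
            self.evidence.append("inline snippet")

def audit(html):
    """Flag a page only when the pixel and sensitive fields appear together."""
    p = PixelAudit()
    p.feed(html)
    p.close()
    return {"pixel": bool(p.evidence), "fields": p.fields,
            "flag": bool(p.evidence and p.fields)}

# Constructed sample page (placeholder pixel id), not taken from any real site.
SAMPLE = """<script>fbq('init', '000000000000000'); fbq('track', 'PageView');</script>
<noscript><img src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView"/></noscript>
<form><input name="doctor_name"><input name="zip"><input type="password" name="portal_pw"></form>"""
```

This inspects static HTML only; a pixel injected at runtime by a tag manager will not appear, so pair it with a review of the page's network requests in a browser.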
This is an extreme example of the reach of the tentacles of big tech companies in what we consider a protected data space. I think it’s scary, problematic and potentially illegal.
Nicholson Price, professor of law at the University of Michigan
Since 2020, the 33 hospitals infected with Meta Pixel have admitted approximately 26 million patients. The number is staggering, considering that a large part of these patients will have entered their data through the websites of the various health centers.
The Markup also points out that its investigation was limited to 100 hospitals. It is very likely that the Facebook tracker will be found at many, many more hospitals across the country and even internationally.