Meta is facing mounting questions about its access to sensitive medical data following a Markup investigation that found the company’s pixel tracking tool collecting details about patients’ doctor’s appointments, prescriptions, and health conditions on hospital websites.
During a Senate Homeland Security and Governmental Affairs Committee hearing on Sept. 14, Sen. Jon Ossoff (D-Ga.) requested that Meta — the parent company of Facebook and Instagram — provide a “comprehensive and precise” accounting of the medical information it keeps on users.
“There’s been substantial public reporting, controversy, and concern about the Meta Pixel product and the possibility that its deployment on various hospital systems’ websites, for example, has enabled Meta to collect private health care data,” Ossoff said.
“We need to understand, as the U.S. Congress, whether or not Meta is collecting, has collected, has access to, or is storing, medical or health data for U.S. persons,” he added.
In response to Ossoff’s question about whether Meta has medical or health care data about its users, Meta Chief Product Officer Chris Cox responded, “Not to my knowledge.” Cox also promised to follow up with a written response to the committee.
In June, The Markup reported that Meta Pixels on the websites of 33 of Newsweek’s top 100 hospitals in America were transmitting the details of patients’ doctor’s appointments to Meta when patients booked on the websites. We also found Meta Pixels inside the password-protected patient portals of seven health systems collecting data about patients’ prescriptions, sexual orientation, and health conditions.
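The findings above boil down to two questions a site owner or auditor can answer from page source alone: is the Meta Pixel loaded, and which of its event calls carry a parameter object that could hold appointment or condition details? The scanner below is an added example, not The Markup's tooling or any code from Meta or the hospitals. It recognises the standard pixel loader (`connect.facebook.net/<locale>/fbevents.js`) and the `fbq('init', ...)`, `fbq('track', ...)` and `fbq('trackCustom', ...)` calls, then flags events whose parameters mention health-related keys. The two sample pages, the pixel ID and the `PHI_HINTS` keyword list are constructed for the example.

```python
"""Scan HTML for the Meta Pixel and for event calls that carry parameters.

Added example for illustration; not the investigation's own tooling.
The sample pages, pixel ID and PHI_HINTS list below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Patterns from the standard Meta Pixel snippet: the loader script and the
# fbq() calls that initialise the pixel and send events.
LOADER_RE = re.compile(r"connect\.facebook\.net/[\w-]+/fbevents\.js")
INIT_RE = re.compile(r"fbq\(\s*['\"]init['\"]\s*,\s*['\"](\d+)['\"]")
EVENT_RE = re.compile(
    r"fbq\(\s*['\"](track|trackCustom)['\"]\s*,\s*['\"]([^'\"]+)['\"]"
    r"(?:\s*,\s*(\{[^}]*\}))?\s*\)",  # optional flat parameter object
    re.S,
)

# Assumed keyword list: parameter text mentioning any of these on a health
# site deserves a closer look. Extend it for a real audit.
PHI_HINTS = ("doctor", "provider", "specialty", "condition", "diagnosis",
             "appointment", "medication", "prescription")


@dataclass
class PixelEvent:
    kind: str              # 'track' (standard event) or 'trackCustom'
    name: str              # event name, e.g. 'PageView'
    params: Optional[str]  # raw parameter object text, if the call has one

    def phi_keys(self) -> List[str]:
        """Return the PHI_HINTS words that appear in this event's parameters."""
        if not self.params:
            return []
        text = self.params.lower()
        return [k for k in PHI_HINTS if k in text]


@dataclass
class PixelReport:
    loader_present: bool
    pixel_ids: List[str] = field(default_factory=list)
    events: List[PixelEvent] = field(default_factory=list)

    @property
    def leaks_phi(self) -> bool:
        """True if any event sends parameters that match a PHI hint."""
        return any(e.phi_keys() for e in self.events)


def scan_html(html: str) -> PixelReport:
    """Find the pixel loader, configured pixel IDs and every event call."""
    report = PixelReport(loader_present=bool(LOADER_RE.search(html)))
    report.pixel_ids = sorted(set(INIT_RE.findall(html)))
    for kind, name, params in EVENT_RE.findall(html):
        report.events.append(PixelEvent(kind, name, params or None))
    return report


# Constructed sample: a booking page that fires a custom event with the
# chosen doctor and specialty when the form is submitted (not a real site).
BOOKING_PAGE = """
<script async src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script>
fbq('init', '123456789012345');
fbq('track', 'PageView');
document.querySelector('#book').addEventListener('submit', function (ev) {
  fbq('trackCustom', 'ScheduleAppointment',
      {doctor: ev.target.doctor.value, specialty: 'Oncology'});
});
</script>
"""

# Constructed sample: the same page with the pixel limited to page views.
HARDENED_PAGE = """
<script async src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script>
fbq('init', '123456789012345');
fbq('track', 'PageView');
</script>
"""

if __name__ == "__main__":
    for label, page in (("booking", BOOKING_PAGE), ("hardened", HARDENED_PAGE)):
        r = scan_html(page)
        print(label, r.pixel_ids, [(e.name, e.phi_keys()) for e in r.events],
              "PHI in events:", r.leaks_phi)
```

The scanner only sees what is in the static source; pixels injected by a tag manager, or advanced-matching data the pixel derives from form fields on its own, need a proxy or browser-devtools capture of the requests actually sent to Meta.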
Former regulators told The Markup that the hospitals’ use of the pixel may have violated the Health Insurance Portability and Accountability Act (HIPAA), which prohibits disclosing protected health information to third parties without patient authorization.
“Advertisers should not send sensitive information about people through our Business Tools,” Meta spokesperson Dale Hogan wrote to The Markup in an emailed statement. “Doing so is against our policies and we educate advertisers on properly setting up Business Tools to prevent this from occurring. Our system is designed to filter out potentially sensitive data it is able to detect.”
Since The Markup’s investigation:
- As of Sept. 15, 28 of the 33 hospitals have removed the Meta Pixel from their doctor booking pages or blocked it from sending patient information to Facebook. At least six of the seven health systems had also removed the pixels from their patient portals. The Markup reached out to the institutions that removed the pixel from their websites after our investigation published in June. As of press time, three institutions — Sanford Health, El Camino Health, and Henry Ford Health — had responded. Read their statements here.
- One health system, North Carolina-based Novant Health, mailed data breach notifications to 3 million customers following The Markup’s report. In the breach notification, Novant Health stated the pixel was added as part of a promotional campaign to encourage use of Novant’s MyChart patient portal, but “the pixel was configured incorrectly and may have allowed certain private information to be transmitted to Meta.” On Sept. 16, Novant amended its data breach notification post to state that Meta informed the provider that it “generally” filtered out patients’ sensitive medical information and that it did “not have information to return or destroy.”
- The North Carolina attorney general’s office stated it was “actively investigating” the hospitals’ data sharing after calls from state lawmakers for a probe.
- At least five class-action lawsuits have been filed against Meta contending that the pixel’s data collection on hospital websites broke various state and federal laws. One, filed against the company on behalf of a Baltimore-based MedStar Health System patient, claims that Meta Pixels collected patient information from at least 664 different hospitals’ websites. The other lawsuits were brought on behalf of patients of Novant Health and hospitals in San Francisco, Los Angeles, and Chicago.
Meanwhile, developments in another legal case suggest Meta may have a hard time providing the Senate committee with a complete account of the sensitive health data it holds on users.
In March, two Meta employees testifying in a case about the Cambridge Analytica scandal told the U.S. District Court for the Northern District of California that it would be very difficult for the company to track down all the data associated with a single user account.
“It would take multiple teams on the ad side to track down exactly the—where the data flows,” one Facebook engineer said, according to the transcript, which was first reported by The Intercept. “I would be surprised if there’s even a single person that can answer that narrow question conclusively.”
The engineers’ comments echo the same worries expressed in a 2021 privacy memo written by Facebook engineers that was leaked to Vice.
“We do not have an adequate level of control and explainability over how our systems use data, and thus we can’t confidently make controlled policy changes or external commitments such as ‘we will not use X data for Y purpose,’” the memo’s authors wrote.
This article was co-published with The Markup, a nonprofit newsroom that investigates how powerful institutions are using technology to change our society.