PSA: Meta/Facebook is extracting private patient information (appointments, procedures, prescriptions, conditions, etc) from hospital websites

[Corraleno]

 

A tracking tool installed on many hospitals’ websites has been collecting patients’ sensitive health information—including details about their medical conditions, prescriptions, and doctor’s appointments—and sending it to Facebook.

The Markup tested the websites of Newsweek’s top 100 hospitals in America. On 33 of them we found the tracker, called the Meta Pixel, sending Facebook a packet of data whenever a person clicked a button to schedule a doctor’s appointment. The data is connected to an IP address—an identifier that’s like a computer’s mailing address and can generally be linked to a specific individual or household—creating an intimate receipt of the appointment request for Facebook.

On the website of University Hospitals Cleveland Medical Center, for example, clicking the “Schedule Online” button on a doctor’s page prompted the Meta Pixel to send Facebook the text of the button, the doctor’s name, and the search term we used to find her: “pregnancy termination.”

Clicking the “Schedule Online Now” button for a doctor on the website of Froedtert Hospital, in Wisconsin, prompted the Meta Pixel to send Facebook the text of the button, the doctor’s name, and the condition we selected from a dropdown menu: “Alzheimer’s.”

The Markup also found the Meta Pixel installed inside the password-protected patient portals of seven health systems. On five of those systems’ pages, we documented the pixel sending Facebook data about real patients who volunteered to participate in the Pixel Hunt project, a collaboration between The Markup and Mozilla Rally. The project is a crowd-sourced undertaking in which anyone can install Mozilla’s Rally browser add-on in order to send The Markup data on the Meta Pixel as it appears on sites that they visit. The data sent included the names of patients’ medications, descriptions of their allergic reactions, and details about their upcoming doctor’s appointments.

Former regulators, health data security experts, and privacy advocates who reviewed The Markup’s findings said the hospitals in question may have violated the federal Health Insurance Portability and Accountability Act (HIPAA). The law prohibits covered entities like hospitals from sharing personally identifiable health information with third parties like Facebook, except when an individual has expressly consented in advance or under certain contracts.

Neither the hospitals nor Meta said they had such contracts in place, and The Markup found no evidence that the hospitals or Meta were otherwise obtaining patients’ express consent.

“I am deeply troubled by what [the hospitals] are doing with the capture of their data and the sharing of it,” said David Holtzman, a health privacy consultant who previously served as a senior privacy adviser in the U.S. Department of Health and Human Services’ Office for Civil Rights, which enforces HIPAA. “I cannot say [sharing this data] is for certain a HIPAA violation. It is quite likely a HIPAA violation.”

University Hospitals Cleveland Medical Center spokesperson George Stamatis did not respond to The Markup’s questions but said in a brief statement that the hospital “comport[s] with all applicable federal and state laws and regulatory requirements.”

After reviewing The Markup’s findings, Froedtert Hospital removed the Meta Pixel from its website “out of an abundance of caution,” Steve Schooff, a spokesperson for the hospital, wrote in a statement.

As of June 15, six other hospitals had also removed pixels from their appointment booking pages and at least five of the seven health systems that had Meta Pixels installed in their patient portals had removed those pixels.

The 33 hospitals The Markup found sending patient appointment details to Facebook collectively reported more than 26 million patient admissions and outpatient visits in 2020, according to the most recent data available from the American Hospital Association. Our investigation was limited to just over 100 hospitals; the data sharing likely affects many more patients and institutions than we identified.

Facebook itself is not subject to HIPAA, but the experts interviewed for this story expressed concerns about how the advertising giant might use the personal health data it’s collecting for its own profit.

“This is an extreme example of exactly how far the tentacles of Big Tech reach into what we think of as a protected data space,” said Nicholson Price, a University of Michigan law professor who studies big data and health care. “I think this is creepy, problematic, and potentially illegal” from the hospitals’ point of view.

The Markup was unable to determine whether Facebook used the data to target advertisements, train its recommendation algorithms, or profit in other ways.

[Arcadia]

This link has the list of hospitals https://themarkup.org/pixel-hunt/2022/06/16/facebook-is-receiving-sensitive-medical-information-from-hospital-websites

 

 

ETA: @mathnerd El Camino Hospital (page 7) has the meta pixel. Stanford (page 8 ) does not. 

Edited June 17, 2022 by Arcadia
Forgot 8 and ) makes an emoji

[MEmama]

We need a holy f*** emoji.

I mean, it’s not exactly surprising, but it is chilling. And with Roe about to be overturned, don’t think for a minute all this data won’t be used against all women of child incubating age. That means you too, anti choice folks…every miscarriage, every birth defect, every birth control prescription, every confession to your doctor that you had a glass of wine or ate blue cheese while (or MIGHT HAVE BEEN ABLE TO GET) pregnant…. 
 

This isn’t 1973, this is much, much more insidious. 

 

[vonfirmath]

Why did the hospitals send information of any sort to Facebook in the first place? This is baffling

 

[MEmama]

I don’t have FB but I do use Insta and Pinterest. Sort of humorously but very creepily when I was researching hysterectomies I kept getting pop up ads for pregnancy and baby stuff; I laughed at the ineptitude of their algorithms but of course for some people it certainly wouldn’t be funny or appreciated. 

[Arcadia]

1 minute ago, vonfirmath said:

Why did the hospitals send information of any sort to Facebook in the first place? This is baffling

 

They install the Meta Pixel from Facebook on their website. Actually any webpage with the Facebook social media icon also sends data to Facebook 

https://developers.facebook.com/docs/meta-pixel

“The Meta Pixel is a snippet of JavaScript code that allows you to track visitor activity on your website. It works by loading a small library of functions which you can use whenever a site visitor takes an action (called an event) that you want to track (called a conversion). Tracked conversions appear in the Ads Manager where they can be used to measure the effectiveness of your ads, to define custom audiences for ad targeting, for dynamic ads campaigns, and to analyze that effectiveness of your website's conversion funnels.”

[Pawz4me]

37 minutes ago, vonfirmath said:

Why did the hospitals send information of any sort to Facebook in the first place? This is baffling

 

At least one hospital chain is blaming a third party vendor.

[TechWife]

44 minutes ago, Arcadia said:

They install the Meta Pixel from Facebook on their website. Actually any webpage with the Facebook social media icon also sends data to Facebook 

https://developers.facebook.com/docs/meta-pixel

“The Meta Pixel is a snippet of JavaScript code that allows you to track visitor activity on your website. It works by loading a small library of functions which you can use whenever a site visitor takes an action (called an event) that you want to track (called a conversion). Tracked conversions appear in the Ads Manager where they can be used to measure the effectiveness of your ads, to define custom audiences for ad targeting, for dynamic ads campaigns, and to analyze that effectiveness of your website's conversion funnels.”

This is why it’s important not to accept all cookies! Don’t just click on “I accept” and move along. Thanks, EU! 

[Faith-manor]

@#%#&$&%&$&#%#%@$@&#&$&%%@%1&#---&%%& 😠😠😠😠😠😠😠😠😠😠😠

[MEmama]

5 minutes ago, Faith-manor said:

@#%#&$&%&$&#%#%@$@&#&$&%%@%1&#---&%%& 😠😠😠😠😠😠😠😠😠😠😠

Well said 🤣

[Katy]

One of my kids had surgery at one of those hospitals.  Fun.

[Arcadia]

2 minutes ago, Katy said:

One of my kids had surgery at one of those hospitals.  Fun.

It’s their webpages though that has the Facebook meta pixel tracker. My DS16 was born at one of the hospitals affected but everything was done in person.  My appointments are all done over the counter or by phone, can’t make my appointments online (the hospital I go to does not have the tracker anyway).

[WildflowerMom]

Is there an answer to this?   (Not intended to be a stupid question — my brain fog has taken over).  Like would leaving fb help?  Deleting cookies?   Give me a simple answer, if there is one. 

[livetoread]

Not using the website to make appointments sounds like a start. I guess calling like before is the way to go.

[kbutton]

2 hours ago, TechWife said:

This is why it’s important not to accept all cookies! Don’t just click on “I accept” and move along. Thanks, EU! 

Can I just say though that the interface of which cookies to accept or not is not always straightforward? Pet peeve of mine.

[Arcadia]

16 minutes ago, WildflowerMom said:

Is there an answer to this?   (Not intended to be a stupid question — my brain fog has taken over).  Like would leaving fb help?

Leaving Facebook won’t help as the data is sent from the webpages even if you don’t have a Facebook account. 
 

I would call to book appointments or just book the next routine appointment while there. My mammogram, MRI and endocrinologists appointments are all booked a year in advance because they are yearly appointments.

[shawthorne44]

Seems to me that everyone that calls to make an appointment should tell them that the website isn't an option because of the tracking.    If enough people do that, they'll make sure it doesn't happen and put a clear promise on the website that it isn't happening.  There is a cost to them if everyone makes the appointment by phone.  
 

 

[Katy]

1 hour ago, Arcadia said:

It’s their webpages though that has the Facebook meta pixel tracker. My DS16 was born at one of the hospitals affected but everything was done in person.  My appointments are all done over the counter or by phone, can’t make my appointments online (the hospital I go to does not have the tracker anyway).

The thing is you have no idea if the staff portal has tracking too. I worked at a hospital where the charting was through (secure) web forms. They called it intranet not internet, but it absolutely had outside web access in the same browser. 

[Arcadia]

8 minutes ago, Katy said:

. They called it intranet not internet, but it absolutely had outside web access in the same browser. 

Won’t that break HIPAA? 
ETA: I meant in terms of infrastructure. 

Edited June 17, 2022 by Arcadia

[shawthorne44]

I just had a thought.   People aren't allowed to keep stolen goods, even if they paid for them.   

Seems like the same idea could be applied to medical data.   Unless someone consented to that organization having their medical data, then it was effectively stolen from them.   Seems like someone could say, "Delete my data" and the courts should enforce that.   



 

[Katy]

9 minutes ago, Arcadia said:

Won’t that break HIPAA? 
ETA: I meant in terms of infrastructure. 

I would think so but what they already did violated it too I would assume. 

[Arcadia]

5 minutes ago, shawthorne44 said:

I just had a thought.   People aren't allowed to keep stolen goods, even if they paid for them.   

Seems like the same idea could be applied to medical data.   Unless someone consented to that organization having their medical data, then it was effectively stolen from them.   Seems like someone could say, "Delete my data" and the courts should enforce that.   

If you remember the Facebook–Cambridge Analytica data scandal, this data is probably already sold/shared and not just kept in house.

[bolt.]

Am I understanding that the purpose of this "tool" to the website owners (hospitals) is to check/track the effectiveness of their own advertising and/or to help define things (groups, behaviour patterns) to make their own future adverting more effective?

So Meta is facilitating this advertising service and the data helps their service be more effective and personalized for the client.

Does Meta keep the data? For how long? How securely? How is the data disposed of?

Does Meta use the data in their wider advertising schemes? For other clients? For themselves?

Does Meta sell the data? To whom?

Can the data be subpoenaed? Can it be hacked?

I think the main solution for this is to ask: Why do hospitals need to advertise anyways? Why not just have universal public healthcare? But that's not going to happen for Americans any time soon. I hope you get some regulation on the collecting, keeping, and sharing of your data anyways. It's alarming to see healthcare institutions acting like profit-centered corporations.

[Arcadia]

2 hours ago, kbutton said:

Can I just say though that the interface of which cookies to accept or not is not always straightforward? Pet peeve of mine.

I think cookie’s won’t even come into play here. Besides you (general) aren’t allowed to disable strictly necessary/functional cookies.

It is in the Meta Pixel script. From the same link as my previous post 

“And in several cases we found—using both dummy accounts created by our reporters and data from Mozilla Rally volunteers—that the Meta Pixel made it even easier to identify patients. 

When The Markup clicked the “Finish Booking” button on a Scripps Memorial Hospital doctor’s page, the pixel sent Facebook not just the name of the doctor and her field of medicine but also the first name, last name, email address, phone number, zip code, and city of residence we entered into the booking form. 

The Meta Pixel “hashed” those personal details—obscuring them through a form of cryptography—before sending them to Facebook. But that hashing doesn’t prevent Facebook from using the data. In fact, Meta explicitly uses the hashed information to link pixel data to Facebook profiles. 

Using a free online tool, The Markup was also able to reverse most of our hashed test information that the pixel on Scripps Memorial Hospital’s website sent to Facebook. 

Scripps Memorial didn’t respond to The Markup’s questions but it did remove the Meta Pixel from the final webpages in the appointment booking process after we shared our findings with the hospital.

On other hospitals’ websites, we documented the Meta Pixel collecting similarly intimate information about real patients.

When one real patient who participated in the Pixel Hunt study logged in to the MyChart portal for Piedmont Healthcare, a Georgia health system, the Meta Pixel installed in the portal told Facebook the patient’s name, the name of their doctor, and the time of their upcoming appointment, according to data collected by the participant’s Mozilla Rally browser extension.”

[Pam in CT]

re what's the point of having data if you aren't monetizing it?

1 hour ago, Arcadia said:

If you remember the Facebook–Cambridge Analytica data scandal, this data is probably already sold/shared and not just kept in house.

Indeed.  As per the OP... HIPAA doesn't prevent such sales.

 

People check off (zillion-page-scrolls, tiny-print legalese) terms all the time without reading them. When you're waited on the phone for 20 minutes listening to static hold music, making that appointment online through the portal starts to sound pretty good.  Virtually all of us regularly "assent" to the sale of our personal data to anyone the ["free" app provider, the online article, the 10% coupon provider etc etc) chooses to sell it

People who are excellent medical providers, and medical facility managers, aren't necessarily astute at IT. It's not the same skill set.  It's easy to imagine hospital administrators, also, assenting to the Ts and Cs of a bit of software that looks useful to, or is integrated in, a portal without really understanding the tiny-print legalese.

Facebook/Meta (and WhatsApp and Insta as well as Wayz and and and and) are for-profit companies.  If an app is "free," then we aren't the customer; we are the product. Their business model is to sell our personal and behavioral data.  That is, literally, their business. 

 

The only *solution* -- and it isn't perfect, it'll always be something of an arms race / whack-a-mole -- is EU style privacy laws.

 

 

[Jean in Newcastle]

I wonder how you find out if your doctor/clinic etc. does this?  I really doubt that if I call the receptionist at my very large clinic that she or he will even know what kind of cookies they have on their site.  

[Arcadia]

5 minutes ago, Jean in Newcastle said:

I wonder how you find out if your doctor/clinic etc. does this?  I really doubt that if I call the receptionist at my very large clinic that she or he will even know what kind of cookies they have on their site.  

Their entire computer system software might have been outsourced. So even their IT support staff may not know. We only used two hospitals and both happened to be in the list. One has the Meta Pixel and one doesn’t.

[livetoread]

I am hardly tech astute, but one day on a lark I read the privacy statement of the company my kids' university was using to ensure student vaccine status. This was before covid btw. I read every word and it was clear that by entering the vaccine info on this company's website as the school required my kids were agreeing to waive HIPAA and were agreeing to let the company sell any medical information they wanted. It gave lots of contradictory and obscure info - like one prominent place early on saying they follow HIPAA guidelines and another small aside at the very end saying that by using the website you are agreeing to waive HIPAA - but if you read carefully it was clear. My attorney husband who reads contracts for a living totally agreed.

I called the company who shrugged and would neither confirm nor deny. I called the school and worked my way through the person in charge of the immunization program all the way to legal affairs for the school and got no where. They all said at various times, "it doesn't really say that" (yes it did), "it's just immunization info" (not the point, they are agreeing for any medical info the company can manage to get ahold of) and "if it makes you feel better you can just give us the info directly (but what about all the other students?) "you can opt out by saying you have a religious objection to vaccination" (but I don't and I'm not going to lie.) It turned into a part time hobby for a couple of weeks pursuing it. I even alerted the student newspaper thinking that would be a great story for a hungry journalism student and got crickets. It's like no one could actually believe the company could/would sell that info and I'm sure the school legal affairs department didn't care because it's not the school's data that was being compromised, it was student data.

I finally gave up and just ignored it every time they sent reminders and threats about dropping my kids from enrollment etc if I didn't give them the info. They never followed through. Once covid hit, I don't know what the school used to verify vaccination then, but I'm pretty sure it wasn't them. It's depressing and feels like you are trying to empty the ocean with a teaspoon standing up to things like this. It's simply impossible to protect your info.

Edited June 17, 2022 by livetoread

[Arcadia]

@livetoread I agree with you on the vaccination proof part. It is frustrating. I heard some residential summer camps also ask students to upload their vaccination proof online.

[livetoread]

5 minutes ago, Arcadia said:

@livetoread I agree with you on the vaccination proof part. It is frustrating. I heard some residential summer camps also ask students to upload their vaccination proof online.

What's so frustrating is those requiring it just can't seem to get their minds around the idea that the info will be sold. There is this huge denial about what these companies are doing. Those requiring it point to the parts that sound good in the privacy policy and just ignore or are unaware of the parts that utterly negate the good sounding parts. When I first called the school, the person in charge of the program was horrified when I told her. She then just got bullheaded and refused to accept that the policy said what it said. 

[Tree Frog]

1 hour ago, livetoread said:

I even alerted the student newspaper thinking that would be a great story for a hungry journalism student and got crickets.

My kids don't see it as a big deal. I think they're so used to their info being shared in so many ways that they it's normal. The problem is that now, with the advent of certain medical procedures becoming illegal, that info can be tracked directly back to students and cause them legal problems. 

[Clarita]

10 hours ago, Arcadia said:

I would call to book appointments or just book the next routine appointment while there.

Would that even protect it? Even when I book appointments in person or by phone it still shows up in the portal/dashboard/app. This is such a bummer because booking appointments online is so convenient I can just look at the 20 open slots and decide which one I want instead of doing appointment tag with the person on the phone. 

[Arcadia]

5 minutes ago, Clarita said:

Would that even protect it? Even when I book appointments in person or by phone it still shows up in the portal/dashboard/app. This is such a bummer because booking appointments online is so convenient I can just look at the 20 open slots and decide which one I want instead of doing appointment tag with the person on the phone. 

If MetaPixel is sending data based on interactions, then using the smartphone app instead of the website would reduce the risk. 
I am sure Facebook would love to have all the data in the healthcare patient system’s database but the article is talking about Facebook getting the data when someone interacts with the patient portal on a browser. So if I login to my portal on my browser and check billing and nothing else, probably my billing information might get transmitted but my appointments info won’t. However, I won’t put it pass Facebook to grab whatever data they could.