HIPAA FAIL: ~33% of Hospital Websites Send PII to Facebook
A study shows many U.S. hospitals are leaking personal information to Facebook. Patients’ data is silently scarfed up by the Meta Pixel tracking widget.
Experts say the data leak is illegal: HIPAA violations attract a civil fine of up to $1.5 million per entity, if “due to willful neglect.”
Or will they merely get a slap on the wrist? In today’s SB Blogwatch, we fear for our privacy.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Time to go.
#DeleteFacebook
What’s the craic? Todd Feathers, Simon Fondrie-Teitler, Angie Waller and Surya Mattu report—“Facebook Is Receiving Sensitive Medical Information from Hospital Websites”:
“HIPAA”
A tracking tool … has been collecting patients’ sensitive health information—including details about their medical conditions, prescriptions, and doctor’s appointments—and sending it to Facebook. … On 33 [percent] of them we found … the Meta Pixel sending Facebook a packet of data whenever a person clicked a button to schedule a doctor’s appointment. The data is connected to an IP address … creating an intimate receipt of the appointment request for Facebook.
…
On the website of University Hospitals Cleveland Medical Center, for example, clicking the “Schedule Online” button on a doctor’s page prompted the Meta Pixel to send Facebook the text of the button, the doctor’s name, and the search term we used to find her: “pregnancy termination.” … On a Scripps Memorial Hospital doctor’s page, the pixel sent Facebook not just the name of the doctor and her field of medicine but also the first name, last name, email address, phone number, zip code, and city of residence.
…
Former regulators, health data security experts, and privacy advocates … said the hospitals in question may have violated … HIPAA. The law prohibits covered entities like hospitals from sharing personally identifiable health information with third parties like Facebook, except when an individual has expressly consented. … Experts interviewed for this story expressed concerns about how the advertising giant might use the personal health data it’s collecting for its own profit.
O RLY? Nicole Wetsman—“Hospital websites are sending medical information to Facebook”:
“Facebook has filters that … don’t always work”
Installing the Meta Pixel gives groups access to analytics about Facebook and Instagram ads but also tracks how people are using their websites: the buttons they click, the information they put in forms, and so on. … On one hospital website, clicking the scheduling button sent Facebook a doctor’s name and the condition — “Alzheimer’s” — that the appointment was scheduled for.
…
Under HIPAA, hospitals … can use and share anonymized data (and often do). But information linked to an IP address can classify data as identifiable health information, which has additional protections.
…
A Meta spokesperson [said] Facebook has filters that detect and remove sensitive health data sent from businesses. … But the filters don’t always work as described.
And Christianna Silva adds—“Some hospitals are giving private data to Facebook”:
“Patients' trust in digital health care systems could be damaged”
Facebook’s own site describing the tool says everything that’s tracked by the Meta Pixel appears in Facebook’s Ads Manager. This allows site managers and ad managers to figure out how effective their ads are, define custom audiences for ad targeting, and more.
…
It’s not entirely clear what Facebook did with this data, because the company refused to answer. … Facebook has, in the past, used data from third parties to target advertisements, but the company says it put a halt to this in 2018.
…
Facebook has plenty of other ways to infer intimate details about people’s health — like what they “like” and what groups they join — but this is way more direct. Experts [say] it’s worrisome that patients’ trust in digital health care systems could be damaged. If you haven’t already considered it, now might be the time to delete your Meta-owned accounts.
I bet Facebook will find some way to wriggle out of it. Quoth The Raven: [You’re fired—Ed.]
You can’t sign away the rights granted by law. A hospital can’t invalidate HIPAA with a EULA. So this is quite possibly a wide enough violation to result in very expensive class action lawsuits.
Perhaps it was only a mistake by all those hospital websites? Arien Malec—@amalec—thinks not:
As I read the Meta Pixel documentation, field values & specific data is not enabled to be sent unless explicitly configured that way.
Are you worried yet? archatheist sounds slightly sarcastic:
You don’t need to worry. There is no way Facebook would sell data to, say, Oklahoma or Texas about your appointment in another state with an abortion provider. Just to give one very specific example of what would never, ever happen. Never.
The same thing is true for your kids’ data. No way they would store that information, blaming it on a system that was “not yet operating with complete accuracy,” and then sell that data. Accidentally. Everybody makes mistakes, but not Facebook!
Also inadvertently leaking appointment data that might be used by abusers to find their victims? Simply impossible. Computers are super-duper secure, dummy.
It feels like a “tip of the iceberg” moment to @JonKeegan:
Feels like society will be cleaning up this ubiquitous surveillance tech for years. One line of code added to a website years ago, siphoning off sensitive health data straight to Meta.
Meanwhile, #DeleteFacebook? ayesnymous has to laugh:
And people think they can avoid Facebook by deleting their account or not registering in the first place. <laughs>
And Finally:
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.