Facebook’s Metal Pixel data has been gathering sensitive medical information from hospitals when patients schedule appointments through the social media website. The information packets included doctors’ names, reasons for visits and demographic information.
The Markup, a nonprofit newsroom that investigates how powerful institutions are using technology to change society, reported that 33 of the 100 top hospitals featured in Newsweek were sending medical information back to Facebook.
The Markup reported that “the data is connected to an IP address—an identifier that’s like a computer’s mailing address and can generally be linked to a specific individual or household—creating an intimate receipt of the appointment request for Facebook.”
Of the 33 hospitals using the Meta Pixel data, only 7 removed it when The Markup contacted them to alert them of the issue.
Novant Health said, “We appreciate you reaching out to us and sharing this information. Our Metal Pixel placement is guided by a third-party vendor and it has been removed while we continue to look into this matter.”
Other hospitals weren’t as accommodating. Northwestern Memorial Hospital said, “The use of this type of code was vetted and is referenced in NM.org’s Terms and Conditions.”
The Markup also found that Metal Pixel was installed inside patient portals in seven health care systems. Patient portals are password protected and have information such as medications, recent visits, discharge summaries, immunizations, allergies, etc.
To investigate further, The Markup teamed up with Mozilla Rally to create the Pixel Project, which tracks data from real patients who participate in the program. Anyone can participate in the problem by downloading Mozilla’s Rally browser add-on.
David Holtzman, a former senior privacy advisor of the U.S. Department of Health and Human Services’ Office for Civil Rights, said, “I am deeply troubled by what [the hospitals] are doing with the capture of their data and the sharing of it. I cannot say [sharing this data] is for certain a HIPPA [Health Insurance Portability and Accountability Act] violation. It is quite likely a HIPPA violation.
Facebook says that potentially sensitive data is removed before information is placed in their ads system, but sometimes it is entered by mistake.
Medical information that’s given to social media companies is still shocking and could lead to a breach that exposes users’ sensitive information.