Study Shows 33% of Top 100 U.S. Hospitals are Sharing Patient Information with Facebook

A study of hospitals’ websites has shown that 33% of the top 100 hospitals in America are sharing patient information with Facebook through a tracker known as Meta Pixel, seemingly without obtaining patient consent.

Meta Pixel is a JavaScript code snippet that is used to track the activity of a visitor on a website. According to Meta, tracked activity shows up in the Ads Manager and is used to gauge the performance of ads, determine custom viewers for ad targeting, for active ad campaigns, and to evaluate the performance of a site’s conversion funnels.

Meta Pixel can gather various information, such as which buttons were clicked and which pages were visited as a result of those clicks. The information obtained is associated with the person through their IP address, which identifies the device used by the visitor, and is instantly sent to Facebook. On a hospital’s website, the tracker can capture a user’s IP address and associate it with sensitive information, for example the fact that the person clicked to book a consultation.
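An added example, not taken from The Markup's report or from any hospital's code: a Node.js check a web team could run over its own page HTML to find Meta Pixel markers (the `fbevents.js` loader, `fbq()` calls, the `facebook.com/tr` noscript beacon) and flag the ones on appointment or portal paths. The sample pages, the pixel ID and the sensitive-path pattern are constructed assumptions.

```javascript
// Added audit example: flags pages whose HTML carries Meta Pixel markers.
// Page paths, pixel ID and the SENSITIVE_PATH pattern are constructed/assumed.
const LOADER = /connect\.facebook\.net\/[^"'\s]*fbevents\.js/i;
const BEACON = /<img[^>]+src=["'][^"']*facebook\.com\/tr\?[^"']*["']/i;
const FBQ_CALL = /fbq\(\s*["'](init|track|trackCustom)["']\s*,\s*["']([^"']+)["']/g;
const SENSITIVE_PATH = /(appointment|schedul|portal|mychart|prescription)/i;

function findMetaPixel(html) {
  const pixelIds = new Set(); // IDs passed to fbq('init', ...)
  const events = new Set();   // event names passed to fbq('track'|'trackCustom', ...)
  for (const [, verb, arg] of html.matchAll(FBQ_CALL)) {
    if (verb === "init") pixelIds.add(arg);
    else events.add(arg);
  }
  const loader = LOADER.test(html);
  const noscriptBeacon = BEACON.test(html);
  const present = loader || noscriptBeacon || pixelIds.size > 0 || events.size > 0;
  return { present, loader, noscriptBeacon, pixelIds: [...pixelIds], events: [...events] };
}

function auditPages(pages) {
  return pages
    .map(({ path, html }) => ({ path, ...findMetaPixel(html) }))
    .filter((r) => r.present)
    .map((r) => ({ ...r, sensitive: SENSITIVE_PATH.test(r.path) }));
}

// Constructed sample pages (not real hospital markup).
const SAMPLE_PAGES = [
  { path: "/about", html: "<html><body><h1>About us</h1></body></html>" },
  { path: "/doctors/schedule-online", html: `
    <script>
      !function(f,b,e,v){/* loader stub */}(window, document, 'script',
        'https://connect.facebook.net/en_US/fbevents.js');
      fbq('init', '000000000000000');
      fbq('track', 'PageView');
    </script>
    <noscript><img height="1" width="1"
      src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>` },
  { path: "/news", html: `<script>fbq("track", "ViewContent");</script>` },
];

for (const r of auditPages(SAMPLE_PAGES)) {
  console.log(`${r.sensitive ? "REVIEW" : "note"} ${r.path} ids=${r.pixelIds} events=${r.events}`);
}
```

This inspects static HTML only; a pixel injected at runtime by a tag manager has to be confirmed by watching the page's outbound requests in a browser.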

The Markup conducted the study and co-published the report with STAT. The Markup discovered that Meta Pixel tracking was in use on the appointment scheduling pages of one-third of the hospitals. For example, the researchers found that when a visitor to the University Hospitals Cleveland Medical Center website clicked the ‘Schedule Online’ button on a physician’s page, Meta Pixel sent the text of the button to Meta, together with the physician’s name and the search phrase, which for that individual was pregnancy termination. It was the same story with a number of other websites, which sent the selections made in dropdown menus that revealed the patient’s condition, for example, Alzheimer’s disease.

More worrying still, 7 hospital networks had Meta Pixel set up within password-protected patient websites. The researchers discovered that five of the hospitals were transmitting information to Meta regarding real patients who agreed to take part in the Pixel Hunt project, which The Markup and Mozilla Rally manage. Participants in that project sent The Markup data about the websites they visited, which exposed the information being sent to Meta, such as patients’ prescription drugs, descriptions of their allergic reactions, and details about their upcoming physician consultations.

The Markup stated that there appeared to be no business associate agreements signed between the hospitals and Meta, which are required to permit the data sharing under the HIPAA Rules. It also appeared that patients' permission to transmit their information to Meta had not been obtained, which means the data sharing was probably a HIPAA violation.

The 7 hospital systems affected were Edward-Elmhurst Health, Community Health Network, FastMed, Piedmont, Renown Health, Novant Health, and WakeMed. All except Renown Health and FastMed had removed the Meta Pixel by the time the report was published, after The Markup informed them of the data transfer, as had 6 of the 33 hospitals that were found to have the Meta Pixel on their appointment reservation pages.

The Markup stated in its report that the 33 hospitals that had Meta Pixel installed on their appointment webpages jointly reported over 26 million patient admissions and outpatient appointments in 2020, and this research only looked at the top 100 hospitals. More hospitals may likewise be sharing information with Facebook via Meta Pixel.

The Markup said it could not determine how Meta/Facebook used the information transmitted by Meta Pixel, including whether it was used to deliver targeted advertisements. Meta representative Dale Hogan released a statement in response to the results of the study. According to the statement, when Meta’s indicator filter systems identify that a company is transmitting potentially sensitive health information from its application or website by using Meta Business Tools, which in some instances can occur by mistake, that potentially sensitive information is removed before it can be saved in Meta's ads systems.