About a third of the top hospitals in the U.S. are allegedly sending private data to Facebook, an investigation by The Markup found. The report was co-published with STAT, a publication about health, medicine, and the life sciences.
How it works
According to The Markup, many hospital websites — 33 out of Newsweek’s top 100 hospitals in America — installed a tracking tool from Facebook called Meta Pixel, a Facebook-owned tool that allows website owners to track visitor activity on their site. In this case, when a potential patient clicks a button to schedule a doctor’s appointment on a hospital website, Meta Pixel sends data to Facebook connected to that person’s IP address, The Markup reported. That creates a receipt of the appointment request and other info and sends it directly to Facebook, giving the social media platform information like a person’s doctor, and conditions they might be seeking help for, like “pregnancy termination” or “Alzheimer’s.”
The data is connected to an IP address—an identifier that’s like a computer’s mailing address and can generally be linked to a specific individual or household—creating an intimate receipt of the appointment request for Facebook. — The Markup.
Meta Pixel was also installed inside some of health systems’ password-protected patient portals, which then sends Facebook “the names of patients’ medications, descriptions of their allergic reactions, and details about their upcoming doctor’s appointments,” according to the Markup.
Why would a hospital want to use a tracking tool in the first place
Facebook, and its parent company Meta, gives website owners feedback about ads on Meta sites and other tools to target people who have visited their website, in exchange for the sites installing the Meta Pixel, The Markup reported. The Meta Pixel isn’t just being used for hospitals — according to The Markup’s analysis, it’s present on more than 30 percent of the most popular websites.
Facebook’s own site describing the tool says everything that’s tracked by the Meta Pixel appears in Facebook’s Ads Manager. This allows site managers and ad managers to figure out how effective their ads are, define custom audiences for ad targeting, and more.
Only some of the hospitals using this tool responded to The Markup’s request for comment, and many of them said they were comfortable using Meta Pixels. But seven hospitals removed the tool from their “appointment booking pages,” and five of the seven hospitals that had Meta Pixels installed in their password-protect patient portals removed them, too, after The Markup reached out to them.
Who was impacted?
The Markup found that 33 out of 100 hospitals studied used the data-sharing tool, but there are more than 6,000 hospitals in the U.S. — so data sharing could be far more widespread. Limited to the 100 hospitals The Markup studied, details from more than “26 million patient admissions and outpatient visits” in 2020 were sent to Facebook.
Why this is troublesome?
The data that was collected from hospital websites and then shared with Facebook could be a violation of HIPAA, which makes it illegal for hospitals to share personal health information unless the individual consents.
Neither the hospitals nor Meta said they had such contracts in place, and The Markup found no evidence that the hospitals or Meta were otherwise obtaining patients’ express consent. — The Markup
It’s not entirely clear what Facebook did with this data, because the company refused to answer The Markup’s questions. But Facebook has, in the past, used data from third parties to target advertisements, but the company says it put a halt to this in 2018. The Markup “was unable to determine whether Facebook used the data to target advertisements, train its recommendation algorithms, or profit in other ways,” according to the report.
Facebook has plenty of other ways to infer intimate details about people’s health — like what they “like” and what groups they join — but this is way more direct. Experts told The Markup that it’s worrisome that patients’ trust in digital health care systems could be damaged.
If you haven’t already considered it, now might be the time to delete your Meta-owned accounts.