Facebook has been caught red-handed, again. A recent investigation by The Markup reveals that the company has been using internet trackers – the famous cookies – to redirect sensitive patient data to its own servers. The information reportedly collected includes prescriptions, medical appointments and even ailments.
For the investigation, the outlet examined the 100 largest hospitals in the United States. The result was surprising, since a third of them were being tracked by the company. Specifically, the tracker was found in 33, under the name of Meta Pixel.
What does Facebook do exactly? It creates a kind of “receipt” with the information provided by the person. Of course, this receipt is attached to the unique IP address of the computer or device from which the request is issued. In this way, Facebook was not only extracting the data of the appointment, but also the location data of the person requesting it.
Facebook tracker put to the test
The Markup discusses test results obtained using the University Hospitals Cleveland Medical Center website. The report indicates that, when trying to see a doctor's availability schedule on the platform, the Meta Pixel tracker was activated automatically. It sent not only the data entered in the appointment form, but also the name of the medical professional, along with the terms used to find them on the internet. For this example, they used the words “termination of pregnancy”.
The same procedure was carried out using the website of the Froedtert Hospital in Wisconsin. This time the tracker sent Facebook the text of the form, the name of the medical professional and the disease reported. For this second example, Alzheimer’s was used.
On five of those system pages, we documented Facebook sending data via pixels about real patients who volunteered to participate in the Pixel Hunt project, a collaboration between The Markup and Mozilla Rally.
The data sent to the hospitals included the names of the patients’ medications, descriptions of their allergic reactions and details about their upcoming medical appointments.
The Markup
Meta Pixel also wants passwords
But the story does not end here. According to reports, the Facebook tracker was also found inside supposedly password-protected patient areas. Of the 100 hospitals under review, this vulnerability was found in 7 of them.
Nevertheless, both the hospitals and Meta stated that they did not have any type of contract in force. Also, The Markup did not find any indication that users had consented to being tracked with the Meta Pixel, so everything indicates that this could be a violation of the Health Insurance Portability and Accountability Act (HIPAA) by the hospitals.
“I am deeply concerned about what hospitals are doing with the capture of the data and the sharing of it. I can’t say that sharing this data is for sure a HIPAA violation, but it is very likely a violation.”
David Holtzman, Health Privacy Consultant.
Many hospitals have not responded
Of course, after this discovery, The Markup decided to notify the hospitals in question about the existence of the Meta Pixel tracker. However, most of them declined to respond.
However, by June 15, six hospitals had already removed the tracker from their websites. Another five of the seven health systems that had Facebook’s Meta Pixel installed also found a way to remove it from their platforms.
Since 2020, the 33 hospitals infected with the Meta Pixel have admitted approximately 26 million patients. The number, of course, is shocking, considering that a large part of these patients will have entered their data through the websites of each health center.
Likewise, The Markup emphasizes that its research was limited to 100 hospitals, but it is quite likely that the Facebook tracker will be found in many more nationally, and even internationally.