A recent investigation conducted by The Markup has been released uncovering how Meta is using an analytics tool on approximately a third of the U.S.’s largest hospitals’ websites. The tool has been installed on several of the hospital’s websites to collect sensitive patient information including clinical visits, medical conditions, and prescriptions.
The Meta Pixel collects data whenever an individual clicks a button to schedule an appointment with their clinician on a hospital website. The data is connected to the individual’s IP address and generates a receipt of the appointment application for Facebook. The hospitals found to have the tool installed included Johns Hopkins Hospital, UCLA Reagan Medical Center, New York Presbyterian Hospital, Northwestern Memorial Hospital, and Duke University Hospital. Furthermore, The Markup also found the tool was embedded within password-protected patient portals of seven healthcare institutions.
Experts contend that the hospitals using the analytics tool may be in violation of the Health Insurance Portability and Accountability Act. Under the rules of HIPAA, hospitals are prohibited from disclosing the personal information of patients to third parties like Meta without a Business Associate Agreement and the consent of the individual subject to the information. None of the hospitals had an agreement in place prior to sharing the patient data.
The Markup was unable to determine whether the patient information collected by Meta was used for profit. Typically, Meta uses data to create targeted advertisements and recommendation algorithms to generate profits. Since the publication of the study, several hospitals have removed the Meta Pixel from their websites. Meta has denied any wrongdoing and has maintained that they have acted in accordance with the law. In a statement sent to The Markup, spokesperson Dale Hogan stated “If Meta’s signals filtering systems detect that a business is sending potentially sensitive health data from their app or website through their use of Meta Business Tools, which in some cases can happen in error, that potentially sensitive data will be removed before it can be stored in our ads systems”.