33 hospitals send website users’ medical information to Meta: Report
- A Meta tracker on 33 hospital websites collected confidential visitor data, The Markup reported.
- The code tagged the data to visitors’ IP addresses, which could identify who they were.
- Sharing this information with Meta could be a violation of federal law, experts told The Markup.
In what experts say is a violation of federal law, some hospitals shared users’ personal medical information with Meta, according to a new report from The Markup.
Under the Health Insurance Portability and Accountability Act (HIPAA), hospitals are required to protect sensitive medical data and not share it with outside organizations. But 33 of the top 100 hospitals in the United States, including Johns Hopkins Hospital and New York-Presbyterian, had a tracker called Meta Pixel on their site, according to The Markup’s June 16 report.
Meta Pixel is a snippet of code that records visitor activity and sends the data to Meta. Meta analyzes the data and lets website owners know how effective their ads are on Facebook and Instagram. But Meta Pixel also captured data, including reasons for medical appointments and the names of patients’ doctors, when people tried to book appointments on those hospitals’ sites, The Markup found. The outlet found “termination of pregnancy” and “Alzheimer’s” listed as reasons for consultation among the Meta Pixel data.
The outlet found that seven health systems shared details about patients’ allergies, medications, upcoming appointments and sexual orientation with Meta through Meta Pixel.
Regulatory and data privacy experts told The Markup that the hospitals may have violated HIPAA. Indeed, Meta’s code also captured the visitor’s IP address, allowing external parties to link specific individuals to the data.
Seven hospitals and five health systems removed Meta Pixel from their sites after The Markup approached them. The Markup said it was unsure whether Meta would benefit from the data it received. A spokesperson for Meta did not respond to questions from the outlet, but pointed to the company’s policy, which states that its system can identify and remove confidential health data before it is stored in a database. Although Meta is not subject to HIPAA, the company said in 2018 that it would stop using third-party data to target users.
Some experts have taken to Twitter to voice their concerns about The Markup’s findings.
Last month, Politico reported that the Supreme Court could overturn Roe v. Wade, the landmark 1973 decision that guaranteed the right to abortion. David Valves, professor of health policy and administration at Penn State University, tweeted Thursday: “The potential uses of this information are terrifying – especially in a post-Roe world!”
A venture capitalist has urged tech companies to play their part in preventing privacy breaches. “As the data privacy debate continues, it appears Meta has crossed another line, this time into healthcare,” Alyssa Jaffee, partner at healthcare venture fund 7wireVentures, tweeted Thursday.
Meta, Johns Hopkins Hospital and New York-Presbyterian did not immediately respond to Insider’s requests for comment.