HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Facebook Accused of Privacy Violations and Exposure of Sensitive Health Information Disclosed in Private Groups

A complaint has been filed with the FTC over misleading practices by Facebook. The complaint alleges health information disclosed in closed, supposedly anonymous and private Facebook groups has been exposed.

Congress is calling for Facebook to provide answers about the alleged privacy violations involving the Facebook PHR (Groups) platform. Leaders from the House Committee on Energy & Commerce have written to Facebook CEO Mark Zuckerberg requesting an urgent response to the privacy complaint filed with the FTC by users of Facebook Groups.

The complaint was sent to the FTC in December and was made public this week. In the complaint letter, security researcher Fred Trotter and members of a Facebook health group allege that personal health information disclosed by users of closed Facebook groups has been exposed. As a result, members of the groups are at risk of harassment and discrimination.

Closed Facebook groups are used by sufferers of health and mental health conditions to get support. Many support groups have been set up on the platform specifically for that purpose. Members of the groups are offered a safe environment to chat about their issues. Highly sensitive information is often disclosed in the groups because they are believed to be private and anonymous. The complaint alleges Facebook is actively encouraging the use of closed groups as a good way for patients to communicate their health information and receive support for medical conditions.

Users of the groups have shared information about positive HIV diagnoses, sexual histories, details of past sexual abuse, substance abuse disorders, and a wide range of health and mental health conditions.

The groups are supposed to be private and anonymous and are often advertised as such. One example is the Affected by Addiction Community Facebook Group, which states that “This is a private group, so nothing you post will be seen by anyone outside of this group.” Several other examples are detailed in the complaint and some of the groups have been actively promoted by Facebook, even though privacy is not assured. Facebook states in its data policy that information shared on its platform can be shared with others on and off its products. Claiming the groups are private and anonymous is a misrepresentation.

Information disclosed in these groups, including personal health information, is shared with advertisers. There have been many cases of individuals being displayed adverts about possible treatments for medical conditions that have only ever been discussed in closed, private groups.

Facebook is not bound by HIPAA Rules, so the sharing of any personal health information with advertisers would not be a HIPAA violation. However, Facebook is required to comply with FTC rules, and it is those rules that the complaint alleges Facebook has violated.

In addition to sharing data with advertisers, the security of Facebook Groups has been called into question. One member of a closed health group claims she was able to obtain a list of all members of the group using a Chrome web browser extension called grouply.io. She contacted Trotter who used the extension to download the names of 10,000+ members of a closed and supposedly private Facebook group. In addition to real names of members, Trotter was also able to download email addresses, the cities where the members are located, and employers of the women who participated in the group. In this case, the members had been diagnosed as having the BRCA cancer mutation.

In the complaint, Trotter explained that since Facebook is encouraging the use of private groups for disclosing health information, the groups should be treated as personal health records and regulated as such by the FTC. Part of the requirements for personal health records is the reporting of data breaches. Even though Facebook was notified about the file download and data breach, notifications were not sent to members of the group.

“Sharing of privately posted personal health information violates the law, but this serious problem with Facebook’s privacy implementation also presents an ongoing risk of death or serious injury to Facebook users,” wrote Trotter in the complaint. “Facebook has ignored our requests to fix the specific issues we have identified to the company and denies publicly that any problem exists. All of this represents unfair, deceptive and misleading interactions between Facebook and its users in violation of the FTC Act.”

Leaders of the Energy and Commerce Committee said in their letter to Zuckerberg, “Facebook’s systems lack transparency as to how they are able to gather personal information and synthesize that information into suggestions of relevant medical condition support groups. Labeling these groups as closed or anonymous potentially misled Facebook users into joining these groups and revealing more personal information than they otherwise would have.”

The committee leaders have requested a briefing from Facebook by March 1, 2019.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.