HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

New York State Departments Investigate Facebook Over Health Data Sharing Practices

A recent analysis of Facebook’s data collection practices has revealed that Facebook obtains sensitive health data from third-party apps, even if the user has not logged in via Facebook or does not have a Facebook account.

Private information including blood pressure measurements, heart rate data, menstrual cycle data, and other health metrics is provided to Facebook, often without the user’s knowledge or any specific disclosure that data provided by users or collected directly by the apps are shared with the social media platform.

The investigation was carried out by the Wall Street Journal, which ran tests on various health-related apps. While it was known that some of those apps send data to Facebook about when they are used, the extent of data sharing was not well understood. The report revealed that 11 popular smartphone apps have been passing sensitive data to Facebook, apparently without obtaining consent from users.

One app, Flo Period & Ovulation Tracker, shares dates of a user’s last period with Facebook and the predicted date when the user is ovulating. The Instant Heart Rate: HR Monitor App in the Apple iOS store was found to send users’ heart rate information to Facebook as soon as it is recorded. None of the apps that were found to be sharing sensitive data appeared to offer users a way of opting out of having their data sent to Facebook.

The WSJ report notes that while the data sent by these apps may be anonymous, Facebook could match the information with a particular Facebook user and use the data to serve them targeted ads.

The WSJ contacted Facebook for comment and received a reply confirming that some of the apps cited in its report appeared to be violating its business terms and that the platform does not permit app developers to send “health, financial information or other categories of sensitive information,” and that it is the responsibility of the app developers to be clear to their users about the information that is being shared. A Facebook spokesperson told Reuters, “We also take steps to detect and remove data that should not be shared with us.”

New York Governor Instructs State Departments to Investigate Facebook

On Friday, February 22, 2019, New York State Governor Andrew M. Cuomo issued a press release stating that he has instructed the Department of State and the Department of Financial Services to investigate how Facebook is acquiring health data and other sensitive information from developers of smartphone apps and the alleged privacy violations and breaches of Facebook’s own business terms.

Cuomo said that if the findings of the WSJ are correct, it amounts to “an outrageous abuse of privacy.”

Cuomo is determined to hold companies responsible for upholding the law and ensuring the sensitive data of smartphone users is kept private and confidential. Personal data should not be shared with other companies without users’ express consent.

Cuomo is also calling for federal regulators to investigate and put an end to the practice to protect consumers’ rights.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.