Study Reveals One Third of Top 100 U.S. Hospitals are Sending Patient Data to Facebook

An analysis of hospitals’ websites has revealed one-third of the top 100 hospitals in the United States are sending patient data to Facebook via a tracker called Meta Pixel, without apparently obtaining consent from patients.

Meta Pixel is a snippet of JavaScript code that is used to track visitor activity on a website. According to Meta, “It works by loading a small library of functions which you can use whenever a site visitor takes an action (called an event) that you want to track (called a conversion). Tracked conversions appear in the Ads Manager where they can be used to measure the effectiveness of your ads, to define custom audiences for ad targeting, for dynamic ads campaigns, and to analyze [the] effectiveness of your website’s conversion funnels.”

Meta Pixel can collect a variety of data, including information about the buttons clicked and the pages visited by clicking those buttons, and the data collected is linked to the individual by their IP address, which identifies the device that the visitor is using. That information is then automatically sent to Facebook. On a hospital website, the tracker could collect a user’s IP address and link it to sensitive information, such as if that individual had clicked to make an appointment.

The analysis was conducted by The Markup and the report was co-published by STAT. The Markup found that Meta Pixel tracking was present on a third of hospitals’ appointment scheduling pages. In one example – University Hospitals Cleveland Medical Center – the researchers found that when a visitor clicks on the ‘Schedule Online’ button on a doctor’s page, Meta Pixel sent the text of the button to Meta, along with the doctor’s name and the search term, which for that patient was pregnancy termination. It was a similar story with several other websites, which sent information taken from the selection made from dropdown menus, which provided information about the patient’s condition – Alzheimer’s disease for example.

Even more concerning is that for 7 hospital systems, Meta Pixel was installed inside password-protected patient portals. The researchers found that five of those hospital systems were sending data to Meta about real patients who volunteered to participate in the Pixel Hunt project, which was jointly run by the Markup and Mozilla Rally. Participation in that project involved allowing data to be sent to The Markup about the sites they visited, which revealed the data being sent to Meta included patients’ medications, descriptions of their allergic reactions, and details about their upcoming doctor’s appointments.

The Markup said there did not appear to be any business associate agreements between the hospitals and Meta that would allow the data sharing under the HIPAA Rules, and express consent from patients authorizing the sharing of data with Meta did not appear to have been obtained, suggesting potential HIPAA violations.

The 7 health systems were Community Health Network, Edward-Elmhurst Health, FastMed, Novant Health, Piedmont, Renown Health, and WakeMed. All but FastMed and Renown Health had removed the Meta Pixel after being informed about the data transfer by The Markup at the time of publication of the report, along with 6 hospitals out of the 33 that were identified as having the Meta Pixel on their appointment booking pages.

The Markup said in its report that the 33 hospitals that had Meta Pixel on their appointment pages have collectively reported more than 26 million patient admissions and outpatient visits in 2020, and this study was only limited to the top 100 hospitals. Many others may also be passing data to Facebook through Meta Pixel.

The Markup said it was unable to determine how Meta/Facebook used the data transferred through Meta Pixel, such as for providing targeted adverts. Meta spokesperson, Dale Hogan, issued a statement in response to the findings of the study. “If Meta’s signals filtering systems detect that a business is sending potentially sensitive health data from their app or website through their use of Meta Business Tools, which in some cases can happen in error, that potentially sensitive data will be removed before it can be stored in our ads systems.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.