A Website visitor tracking tool from Facebook was found to be sending sensitive health information from hospital sites to the social media giant. Nonprofit newsroom The Markup, which focuses on technology’s impact on society, tested the Websites of 100 top hospitals in the US. Its report last week notes that a third of them had the tracker sending sensitive data.
The sensitive information transmitted included doctors’ names and the search terms used to find them, as well as conditions selected from a menu. In some cases, details about appointments, medication names, and allergic reactions were also sent to Facebook. According to security experts and privacy advocates, the healthcare organizations in question may have violated HIPAA rules by sharing protected health information (PHI).
Facebook and Advertising
While Facebook and its parent company Meta are not themselves subject to HIPAA, advertisements could potentially be targeted based on the PHI received. Meta spokesperson Dale Hogan said in an E-mail that “potentially sensitive data will be removed before it can be stored in our ads systems” if Meta’s systems detect that such data is being sent. How reliably that filtering works remains unclear, however, and Facebook engineers previously acknowledged in a leaked privacy overview that “we can’t confidently make controlled policy changes or external commitments such as ‘we will not use X data for Y purpose.’”
According to The Markup, the Meta (or Facebook) Pixel is present on roughly a third of the Web’s most popular sites. The freely available tracker sends the visitor’s IP address and can match the collected information to that person’s Facebook and/or Instagram profile. Form responses and the URLs of clicked links may also be sent. Facebook uses this amassed data to target ads. Site operators who embed the Pixel, however, have considerable control over what information is sent.
One hospital, Houston Methodist in Texas, responded to The Markup that it is “confident” in Facebook’s safeguards and does not categorize the information sent from its site as PHI. Nevertheless, the hospital removed the Pixel from its site shortly thereafter. Whether hospitals are failing to restrict what is sent, do not regard the data as sensitive or protected, or are relying on Facebook to filter such content out, some due diligence is clearly called for.
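To make that due diligence concrete, here is an added example; it is not code from The Markup’s report or from Meta. It performs a small audit over outgoing request URLs captured from a hospital site (for instance, exported from the browser’s developer tools or a HAR file), identifies Meta Pixel calls, and flags those whose page URL or custom data look like PHI of the kind described above: search terms for doctors, conditions chosen from a menu, appointment and medication details. The hospital domain, the sample request URLs, and the keyword list are constructed for illustration; the parameter names id, ev, dl and cd[...] are the ones the Pixel uses in its requests to facebook.com/tr; the matchSensitiveTerms heuristic is our own, not Meta’s filter.

```javascript
// Added example (not from The Markup or Meta): audit captured outgoing requests
// for Meta Pixel calls that carry health-related page URLs or custom data.

// Constructed sample of request URLs as a devtools/HAR export would list them.
// Parameter names (id, ev, dl, cd[...]) follow the Pixel's /tr request format;
// the hospital domain and all values are made up.
const CAPTURED_REQUESTS = [
  'https://www.example-hospital.org/static/app.js',
  'https://www.facebook.com/tr/?id=123456789012345&ev=PageView&dl=https%3A%2F%2Fwww.example-hospital.org%2F',
  'https://www.facebook.com/tr/?id=123456789012345&ev=PageView&dl=https%3A%2F%2Fwww.example-hospital.org%2Ffind-a-doctor%3Fq%3Dcardiologist%26name%3Djane%2Broe',
  'https://www.facebook.com/tr/?id=123456789012345&ev=SubscribedButtonClick&dl=https%3A%2F%2Fwww.example-hospital.org%2Fconditions&cd%5BbuttonText%5D=Alzheimer%27s%20disease',
  'https://www.facebook.com/tr/?id=123456789012345&ev=Lead&dl=https%3A%2F%2Fwww.example-hospital.org%2Fappointments&cd%5Bmedication%5D=metformin',
];

// Constructed keyword list; a real audit tunes this to the site's own URL layout.
const SENSITIVE_TERMS = [
  'doctor', 'physician', 'provider', 'appointment', 'condition', 'diagnos',
  'medication', 'prescription', 'allerg', 'symptom', 'patient',
];

// A request is a Pixel call if it goes to facebook.com under the /tr path.
function isPixelRequest(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch (e) { return false; }
  return /(^|\.)facebook\.com$/.test(url.hostname) && url.pathname.startsWith('/tr');
}

// Return the sensitive terms that appear (case-insensitively) in a string.
function matchSensitiveTerms(text) {
  const lower = text.toLowerCase();
  return SENSITIVE_TERMS.filter((term) => lower.includes(term));
}

// Decode one Pixel request and attach findings worth a human's review.
function auditPixelRequest(rawUrl) {
  const params = new URL(rawUrl).searchParams;
  const result = {
    pixelId: params.get('id'),     // which Pixel (i.e. which advertiser account)
    event: params.get('ev'),       // event name, e.g. PageView, Lead
    pageUrl: params.get('dl'),     // full URL of the page the visitor was on
    customData: {},                // cd[...] parameters attached to the event
    findings: [],
  };
  for (const [key, value] of params) {
    const m = /^cd\[(.+)\]$/.exec(key);
    if (m) result.customData[m[1]] = value;
  }

  // The page URL itself leaks search terms and navigation (find-a-doctor queries).
  if (result.pageUrl) {
    let page = null;
    try { page = new URL(result.pageUrl); } catch (e) { /* leave null */ }
    if (page) {
      if (page.search) {
        result.findings.push({ type: 'query-string', detail: page.search });
      }
      const hits = matchSensitiveTerms(page.pathname + page.search);
      if (hits.length) {
        result.findings.push({ type: 'sensitive-url', detail: hits.join(',') });
      }
    }
  }

  // Automatic button tracking sends the clicked label, e.g. a condition name.
  if (result.event === 'SubscribedButtonClick' && 'buttonText' in result.customData) {
    result.findings.push({ type: 'button-text', detail: result.customData.buttonText });
  }

  // Custom data explicitly added by the site (medications, appointment details).
  for (const [key, value] of Object.entries(result.customData)) {
    if (matchSensitiveTerms(`${key}=${value}`).length) {
      result.findings.push({ type: 'sensitive-custom-data', detail: `${key}=${value}` });
    }
  }
  return result;
}

// Filter a capture down to Pixel calls and audit each one.
function auditCapturedRequests(urls) {
  return urls.filter(isPixelRequest).map(auditPixelRequest);
}

// Print a summary when run directly under Node.
for (const r of auditCapturedRequests(CAPTURED_REQUESTS)) {
  console.log(r.event, r.pageUrl, JSON.stringify(r.findings));
}
```

Run it under Node. In practice, the input would be a HAR export of a full visit that exercises the find-a-doctor search, the condition menus, and the appointment flow, and the term list would be tuned to the site’s own URL structure. Every flagged entry is data that has already left the site for Facebook, regardless of what Meta’s filter later does with it.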
Cybersecurity isn’t only about defending against attacks; it also means preventing data breaches and leaks, including those caused by third-party code a site embeds voluntarily. HIPAA violations can be costly in both money and reputation. It’s always a good time to review your network and Websites, or to have a managed services provider review them for you.