There’s been a concerning trend of certain hospitals recording patients’ sensitive and private information. Hospitals have used a tracking tool that captures medical information and sends it to Facebook without the patient’s knowledge. The tracker, called the Meta Pixel, was found on about a third of all top hospital websites in America. When a person uses a website with Meta Pixel and schedules an appointment, that information is immediately sent to Facebook.
Meta Pixel uses your IP address to connect your personal information with the medical information entered into the website. The tracker creates a virtual receipt that shows the time and date of the scheduled appointment as well as other connected personal data. Among the many hospital websites surveyed, one in particular showed a combination of sensitive information being sent to Facebook: on the University Hospitals Cleveland Medical Center website, search terms and the doctor’s name are all given to Facebook after making an appointment.
Froedtert Hospital in Wisconsin also disclosed private information to Facebook through patients scheduling appointments. When someone used the appointment scheduling function on the hospital’s website, Meta Pixel would document the doctor’s name, the button’s text, and the specific disease or category selected from the dropdown menu. Then, Meta Pixel would inconspicuously send that data to Facebook. Patients were unaware that these medical websites were giving their information to Facebook. With no proper consent from people about disclosing their medical information, this data breach is highly concerning for those who want to remain private about their doctor’s appointments and conditions.
The Markup, the group that tested all these hospital websites, found that Meta Pixel was commonly located in the password-protected portals many hospitals use for patient information. Patients often use these external portals to add medical records and schedule appointments. The group found that Facebook was receiving information on many personal topics, such as the names of patients’ medications, allergy conditions, and details about their upcoming appointments.
Many scientists, analysts, and medical professionals believe that Meta Pixel’s release of private information to Facebook could be an infraction of the law. The federal Health Insurance Portability and Accountability Act (HIPAA) protects a patient’s identity, requiring doctors and hospitals never to disclose private and identifiable medical information. The law also prohibits companies and professionals from giving information to third parties unless the patient gives explicit consent. All the hospitals surveyed and Meta stated that no recorded contracts allow disclosure to Facebook, which directly violates HIPAA.
Some hospitals are taking immediate action on their use of Meta Pixel. Froedtert Hospital removed Meta Pixel from its website after the news broke about patient information being sent to Facebook. A spokesperson for the hospital stated that the instantaneous removal was due to an “abundance of caution,” ensuring that other patients wouldn’t be affected by a medical information breach. Over the last month, six other hospitals changed their websites in favor of patient privacy. Five of the seven health systems also followed suit, deleting Meta Pixel from all of their external portals.
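For a site owner confirming that the Pixel is gone from a page, as the hospitals above did, the following added example (not code from The Markup, Meta, or any hospital) scans page HTML for the Pixel’s loader script, its `fbq('init', ...)` call, and its `facebook.com/tr` image beacon, and notes whether the page also carries a password field, dropdown, or search box. The sample pages and the `PIXEL_ID_PLACEHOLDER` value are constructed, and `auditPage` is a hypothetical name.

```javascript
// Added example: static audit of page HTML for Meta Pixel artifacts.
const PIXEL_SIGNS = [
  { name: "loader script", re: /connect\.facebook\.net\/[^"'\s]*\/fbevents\.js/i },
  { name: "fbq init call", re: /\bfbq\s*\(\s*['"]init['"]/i },
  { name: "noscript beacon", re: /facebook\.com\/tr\?/i },
];
// Page features of the kind the article says were captured alongside the Pixel.
const SENSITIVE_CONTEXT = [
  { name: "password field", re: /<input[^>]+type\s*=\s*['"]?password/i },
  { name: "dropdown menu", re: /<select\b/i },
  { name: "search input", re: /<input[^>]+type\s*=\s*['"]?search/i },
];

function auditPage(html) {
  const signs = PIXEL_SIGNS.filter((s) => s.re.test(html)).map((s) => s.name);
  const context = SENSITIVE_CONTEXT.filter((c) => c.re.test(html)).map((c) => c.name);
  // A Pixel on a page with patient inputs is the case to fix first.
  let severity = "none";
  if (signs.length > 0) severity = context.length > 0 ? "high" : "review";
  return { pixelPresent: signs.length > 0, signs, context, severity };
}

// Constructed sample: an appointment page with the Pixel embedded.
const SAMPLE_BEFORE = `
<html><head><script>
!function(f,b,e,v,n,t,s){/* loader body elided */}(window,document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', 'PIXEL_ID_PLACEHOLDER');
fbq('track', 'PageView');
</script></head>
<body><form><select name="condition"><option>General</option></select>
<button>Schedule Online</button></form>
<noscript><img src="https://www.facebook.com/tr?id=PIXEL_ID_PLACEHOLDER&ev=PageView&noscript=1"/></noscript>
</body></html>`;

// Constructed sample: the same page after the Pixel was removed.
const SAMPLE_AFTER = `
<html><head><title>Appointments</title></head>
<body><form><select name="condition"><option>General</option></select>
<button>Schedule Online</button></form></body></html>`;

console.log("before:", auditPage(SAMPLE_BEFORE));
console.log("after: ", auditPage(SAMPLE_AFTER));
```

A static scan like this only sees markup present in the HTML it is given; a Pixel injected at runtime by a tag manager needs a check of the page’s outgoing network requests as well.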