When healthcare providers use Facebook, the risks can be enormous. Three class action lawsuits based on the use of a tracking feature used by Facebook have already been filed, and more are likely to come. Millions of patients are being notified that their protected health information (PHI) has been breached due to the tracker, and this list will undoubtedly grow.
Meta Pixel Code Tracks Patients
Meta, Facebook’s parent company, has a piece of software code that its customers can install on their own websites providing detailed information about website visitors, including patients. Called the Meta Pixel, the tracker collects data on users’ IP addresses and webpage activity. Hospital websites and patient portals that use this feature risk unlawful disclosures of protected health information (PHI).
Why does Meta track and collect personal information? Because personal data is valuable and drives profits. Social media sites are free, but the terms of service (that no one reads) spell out that services are provided for free, but in exchange the company needs certain permissions from you, the user – to collect and use your information.
Nearly a third of the country’s top hospitals have used the Facebook tracker according to a report from nonprofit investigative newsroom The Markup, published in June, 2022. The investigators reviewed the appointment scheduling webpages of 100 leading hospitals and found the Meta Pixel on 33 of them. Together these hospitals had over 26 million patient admissions and outpatient visits in 2020, according to American Hospital Association survey data cited by the report.
As noted in the report “Facebook itself is not subject to HIPAA, but the experts interviewed for this story expressed concerns about how the advertising giant might use the personal health data it’s collecting for its own profit.” Moreover, Meta isn’t the only one facing complaints and lawsuits. The list of providers defending the website tracker is growing.
Northwestern Memorial Hospital, UCSF Medical Center and Dignity Health are at least three providers currently named as defendants in breach of privacy lawsuits related to the Meta Pixel code.
Facebook has a Security Problem
The Meta Pixel disaster might have been predicted, given Facebook’s track record. A 2019 Wall Street Journal article about Facebook triggered the company to create a “sensitive health information filtering system” according to The Markup. The New York Department of Financial Services responded to the WSJ article by investigating Facebook’s data privacy practices. Meta told the investigators that the filtering system was “not yet operating with complete accuracy,” according to the department’s February 2021 final report. And in response to the recent investigation by The Markup, Meta’s spokesperson wrote a brief email paraphrasing the company’s sensitive health data policy, stating,
“If Meta’s signals filtering systems detect that a business is sending potentially sensitive health data from their app or website through their use of Meta Business Tools, which in some cases can happen in error, that potentially sensitive data will be removed before it can be stored in our ads systems” (italics added for emphasis)
Meta Pixel Code Alleged to Have Caused Breach of Over 1.3 Million
While the Meta Pixel code is in use by dozens of healthcare providers, the first report of a breach caused by the code came from Novant Health (Novant). Novant recently notified 1,362,296 patients that some of their PHI has been sent to Meta.
Novant explained in the breach notification letters that PHI was transferred to Meta due to “an incorrect configuration of [Meta] Pixel, an online tracking tool.” Novant Health said it wanted to be fully transparent over the data breach and the reasons for using the pixel code on its website.
“In May 2020, as our nation confronted the beginning of the COVID-19 pandemic, Novant Health launched a promotional campaign to connect more patients to the Novant Health MyChart patient portal, with the goals of improving access to care through virtual visits and to provide increased accessibility to counter the limitations of in-person care. This campaign involved Facebook advertisements and a Meta (Facebook parent company) tracking pixel placed on the Novant Health website to help understand the success of those advertisement efforts on Facebook; however, the pixel was configured incorrectly and may have allowed certain private information to be transmitted to Meta from the Novant Health website and MyChart portal.”
Novant’s investigation found that the patient data exposed may have included email address, phone number, computer IP address, and contact information entered into Emergency Contacts or Advanced Care Planning; and information such as appointment type and date, physician selected, button/menu selections, and/or content typed into free text boxes.
Social Media is a Risk to Patient Privacy
A tech giant like Facebook which is so convenient and provides reams of data to business customers is tempting to use. But in healthcare the risks of engaging with social media outweigh the benefits to the provider.
Patient privacy is the foundation of quality healthcare. When that trust is broken the monetary and social costs of getting it back is enormous.