
Facebook's Pixel tracking tool found in a third of the Top 100 US hospitals, scraping private health data of patients.

Dirtyshado

Summary

The Markup tested the websites of the Top 100 hospitals in the United States and found 33 of them were using the Facebook tracking tool Pixel, an ad tracking tool that may have violated federal law by scraping private health information of patients, with reports that patients who were diagnosed or booking appointments at those hospitals were later finding targeted advertisements being served to them. The Markup found that Facebook was getting information on one patient’s doctor’s name and speciality, condition and appointment time and on another’s allergic reactions to specific medications.

 

Under the Health Insurance Portability and Accountability Act (HIPAA), hospitals aren’t allowed to share identifiable health information with third parties without patients’ consent.

HIPAA lists IP addresses as one of the 18 identifiers that, when linked to information about a person’s health conditions, care, or payment, can qualify the data as protected health information.

If a patient is logged in to Facebook when they visit a hospital’s website where Meta Pixel is installed, browsers will attach third-party cookies that allow it to link the scraped health data to users’ Facebook accounts.

 

Quotes

Quote

Former regulators, health data security experts, and privacy advocates who reviewed The Markup’s findings said the hospitals in question may have violated the federal Health Insurance Portability and Accountability Act (HIPAA).

Quote

“Almost any patient would be shocked to find out that Facebook is being provided an easy way to associate their prescriptions with their name,” said Glenn Cohen, faculty director of Harvard Law School’s Petrie-Flom Center for Health Law Policy, Biotechnology, and Bioethics. “Even if perhaps there’s something in the legal architecture that permits this to be lawful, it’s totally outside the expectations of what patients think the health privacy laws are doing for them.”

Quote

A Meta spokesperson told The Markup that Facebook has filters that detect and remove sensitive health data sent from businesses. It’s not clear if the data sent by hospital websites was or was not caught by those filters. But the filters don’t always work as described.

Quote

“We do not have an adequate level of control and explainability over how our systems use data, and thus we can’t confidently make controlled policy changes or external commitments such as ‘we will not use X data for Y purpose.’ ” Facebook engineers on the ad and business product team wrote in a 2021 privacy overview.

Quote

“The evil genius of Facebook’s system is they create this little piece of code that does the snooping for them and then they just put it out into the universe and Facebook can try to claim plausible deniability,” said Alan Butler, executive director of the Electronic Privacy Information Center. “The fact that this is out there in the wild on the websites of hospitals is evidence of how broken the rules are.”

 

My thoughts

The use of patient information for targeted advertising is sickening to me, especially since people are vulnerable in the early stages of diagnosis and treatment... only to have Facebook force feed them drug company ads or worse scams.

When you also consider this information may include pregnancy, child, abortion or sexuality information, this is toxic... why the hell are hospitals allowing this software anywhere on their systems is beyond reason.

 

Sources

The Markup - Full Investigation - 16th June https://themarkup.org/pixel-hunt/2022/06/16/facebook-is-receiving-sensitive-medical-information-from-hospital-websites

The Verge - Summary Article - https://www.theverge.com/2022/6/16/23170886/hospital-websites-meta-pixel-tracker-facebook-hipaa

Bloomberg - Class-Action Filed -  https://www.bloomberg.com/news/articles/2022-06-17/meta-sued-over-claims-patient-data-secretly-sent-to-facebook
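
A way for a site owner to check for the behaviour summarised above, as an added example that is not part of the original post or The Markup's tooling: it scans a browser HAR capture for Meta Pixel beacons and reports which ones carry sensitive terms or were sent with cookies. The `facebook.com/tr` endpoint and the `id`, `ev`, `dl` and `cd[...]` parameters are assumptions about the pixel's request format, and the hospital host, pixel id, event and values in the sample are constructed.

```javascript
// Added example: audit a HAR capture for Meta Pixel beacons that carry page data.
// Assumptions (not from the thread): the pixel reports to facebook.com/tr and uses
// the parameters id (pixel id), ev (event name), dl (page URL) and cd[...] (custom data).
const PIXEL_HOSTS = new Set(["facebook.com", "www.facebook.com"]);

// Return the beacon's parameters, or null if the request is not a pixel call.
function pixelParams(request) {
  const url = new URL(request.url);
  const isPixel = PIXEL_HOSTS.has(url.hostname) && /^\/tr\/?$/.test(url.pathname);
  if (!isPixel) return null;
  const params = new URLSearchParams(url.search);
  // POST beacons carry the same fields form-encoded in the body.
  const body = request.postData && request.postData.text;
  if (body) for (const [k, v] of new URLSearchParams(body)) params.append(k, v);
  return params;
}

// List every pixel beacon in the capture and the sensitive terms found in it.
function findPixelLeaks(har, sensitiveTerms) {
  const terms = sensitiveTerms.map((t) => t.toLowerCase());
  const findings = [];
  for (const { request } of har.log.entries) {
    let params;
    try { params = pixelParams(request); } catch { continue; } // malformed URL
    if (!params) continue;
    const hits = [];
    for (const [param, value] of params) {   // values are already URL-decoded
      const text = value.toLowerCase();
      for (const term of terms) if (text.includes(term)) hits.push({ param, term });
    }
    findings.push({
      pixelId: params.get("id"),
      event: params.get("ev"),
      page: params.get("dl"),
      // Cookies sent with the beacon are what tie it to a logged-in account.
      cookiesAttached: (request.cookies || []).length > 0,
      hits,
    });
  }
  return findings;
}

// Constructed sample capture: hosts, ids and values are made up for illustration.
const SAMPLE_HAR = { log: { entries: [
  { request: { method: "GET", cookies: [{ name: "session", value: "constructed" }],
      url: "https://www.facebook.com/tr/?id=000000000000000&ev=PageView" +
           "&dl=https%3A%2F%2Fhospital.example%2Fschedule%3Fdoctor%3DJane-Doe%26specialty%3Doncology" } },
  { request: { method: "GET", cookies: [], url: "https://hospital.example/static/app.js" } },
  { request: { method: "POST", cookies: [], url: "https://www.facebook.com/tr/",
      postData: { text: "id=000000000000000&ev=SubscribedButtonClick" +
                        "&cd%5BbuttonText%5D=Schedule%20Online%20Appointment" } } },
] } };

const TERMS = ["doctor", "oncology", "appointment", "allerg"];
for (const f of findPixelLeaks(SAMPLE_HAR, TERMS)) {
  console.log(f.event, f.page, "cookies:", f.cookiesAttached, JSON.stringify(f.hits));
}
```

A beacon with an empty `hits` list still discloses the visited page URL and the visitor's IP address to the third party, so the term list narrows review rather than clearing a page.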


My girlfriend told me that she stopped using her period tracking app for a similar reason. Your period may stop for whatever reason, and baby product companies will somehow immediately know to mail you products and advertising material.

 

Medical industry is still, after all, an industry. Gotta make that paper!

I WILL find your ITX build thread, and I WILL recommend the SIlverstone Sugo SG13B

 

Primary PC:

i7 8086k - EVGA Z370 Classified K - G.Skill Trident Z RGB - WD SN750 - Jedi Order Titan Xp - Hyper 212 Black (with RGB Riing flair) - EVGA G3 650W - dual booting Windows 10 and Linux - Black and green theme, Razer brainwashed me.

Draws 400 watts under max load, for reference.

 

How many watts do I need | ATX 3.0 & PCIe 5.0 spec, PSU misconceptions, protections explained | group reg is bad



Do we really have to be surprised or shocked? It's Facebook/Meta ffs. It doesn't matter, they WILL keep doing it at any cost.

DAC/AMPs:

Klipsch Heritage Headphone Amplifier

Headphones: Klipsch Heritage HP-3 Walnut, Meze 109 Pro, Beyerdynamic Amiron Home, Amiron Wireless Copper, Tygr 300R, DT880 600ohm Manufaktur, T90, Fidelio X2HR

CPU: Intel 4770, GPU: Asus RTX3080 TUF Gaming OC, Mobo: MSI Z87-G45, RAM: DDR3 16GB G.Skill, PC Case: Fractal Design R4 Black non-iglass, Monitor: BenQ GW2280


ah yes data, nom nom. "nothing to hide"... "but all to give and be taken from you". Ad brokers, breaking into my house and stealing all the cookies over 10 years worth of data and tracking of your personal life.


Just now, Caroline said:

Period... tracking app? I thought it was a joke but it's an actual thing. Just... WHY?! it doesn't make any sense.

It can help identify irregular periods, and predict hormonal changes sometimes. Obviously if you're bleeding you know your period started so that's not what it would help with, but otherwise you can see if you're maintaining a regular cycle or not more easily.

I WILL find your ITX build thread, and I WILL recommend the SIlverstone Sugo SG13B

 

Primary PC:

i7 8086k - EVGA Z370 Classified K - G.Skill Trident Z RGB - WD SN750 - Jedi Order Titan Xp - Hyper 212 Black (with RGB Riing flair) - EVGA G3 650W - dual booting Windows 10 and Linux - Black and green theme, Razer brainwashed me.

Draws 400 watts under max load, for reference.

 

How many watts do I need | ATX 3.0 & PCIe 5.0 spec, PSU misconceptions, protections explained | group reg is bad


21 minutes ago, Caroline said:

Period... tracking app? I thought it was a joke but it's an actual thing. Just... WHY?! it doesn't make any sense.

19 minutes ago, Fasauceome said:

It can help identify irregular periods, and predict hormonal changes sometimes. Obviously if you're bleeding you know your period started so that's not what it would help with, but otherwise you can see if you're maintaining a regular cycle or not more easily.

My GF and her friends also used them for a while; it helps identify things, especially when your cycle isn't a perfect 28 days.

"Put as much effort into your question as you'd expect someone to give in an answer"- @Princess Luna

Make sure to Quote posts or tag the person with @[username] so they know you responded to them!

 RGB Build Post 2019 --- Rainbow 🦆 2020 --- Velka 5 V2.0 Build 2021

Purple Build Post ---  Blue Build Post --- Blue Build Post 2018 --- Project ITNOS

CPU i7-4790k    Motherboard Gigabyte Z97N-WIFI    RAM G.Skill Sniper DDR3 1866mhz    GPU EVGA GTX1080Ti FTW3    Case Corsair 380T   

Storage Samsung EVO 250GB, Samsung EVO 1TB, WD Black 3TB, WD Black 5TB    PSU Corsair CX750M    Cooling Cryorig H7 with NF-A12x25


17 minutes ago, Caroline said:

Period... tracking app? I thought it was a joke but it's an actual thing. Just... WHY?! it doesn't make any sense.

 

About the news: facebook spying on people?! unbelievable!! /s

What difference would it make? people who use smartphones are being tracked 24/7 by corporations, and they allow that -otherwise they wouldn't be using smartphones, duh- even if facebook didn't exist they'd still be tracked by others. Even if you quit fb and disable your account -I doubt they really delete anything- permanently you'd still be tracked by cookies and session data, even in this forum if you use it as is without blocking anything there's a share button that redirects you to fb and twitter.

Banning fb and google from your life requires a lot more than a simple "oh I'll just stop using it" most users think about. And due to how widespread their malicious tentacles have spread around the WWW doing so will often break websites, same goes if you block AWS cdn and cuckflare.

I can't load youtube on my computer so I have to manually redirect any video URL to an invidious instance, or twitter posts to nitter, and so on, sometimes it works others I end up with a 503 error but yeah that's how it is. Stallman was right.

I don't own a smartphone and I cannot abide the steaming pile of relationship killing shit that is Meta.  I use Brave which blocks trackers and so on.  But I'm a simple man who just goes on the same websites, day in, day out.  I don't care what's tracking me as I've zero to hide. Anyway, you go way over my head with your tech speak, no disrespect.  I'm off for a Kebab and a cider or 10.


Who is really at fault here: Facebook or the hospitals baking in Facebook's tool on their own website?

One day I will be able to play Monster Hunter Frontier in French/Italian/English on my PC, it's just a matter of time... 4 5 6 7 8 9 years later: It's finally coming!!!

Phones: iPhone 4S/SE | LG V10 | Lumia 920 | Samsung S24 Ultra

Laptops: Macbook Pro 15" (mid-2012) | Compaq Presario V6000

Other: Steam Deck

<>EVs are bad, they kill the planet and remove freedoms too some/<>


Hilarious. I really hope something comes of this, but I have a feeling not enough people will be mad enough for that to be true.

 

4 hours ago, Fasauceome said:

My girlfriend told me that she stopped using her period tracking app for a similar reason. Your period may stop for whatever reason, and baby product companies will somehow immediately know to mail you products and advertising material.

 

Medical industry is still, after all, an industry. Gotta make that paper!

Haha, such an American statement 😂 It's not the case in most of the world. 

CPU: Ryzen 9 5900 Cooler: EVGA CLC280 Motherboard: Gigabyte B550i Pro AX RAM: Kingston Hyper X 32GB 3200mhz

Storage: WD 750 SE 500GB, WD 730 SE 1TB GPU: EVGA RTX 3070 Ti PSU: Corsair SF750 Case: Streacom DA2

Monitor: LG 27GL83B Mouse: Razer Basilisk V2 Keyboard: G.Skill KM780 Cherry MX Red Speakers: Mackie CR5BT

 

MiniPC - Sold for $100 Profit

Spoiler

CPU: Intel i3 4160 Cooler: Integrated Motherboard: Integrated

RAM: G.Skill RipJaws 16GB DDR3 Storage: Transcend MSA370 128GB GPU: Intel 4400 Graphics

PSU: Integrated Case: Shuttle XPC Slim

Monitor: LG 29WK500 Mouse: G.Skill MX780 Keyboard: G.Skill KM780 Cherry MX Red

 

Budget Rig 1 - Sold For $750 Profit

Spoiler

CPU: Intel i5 7600k Cooler: CryOrig H7 Motherboard: MSI Z270 M5

RAM: Crucial LPX 16GB DDR4 Storage: Intel S3510 800GB GPU: Nvidia GTX 980

PSU: Corsair CX650M Case: EVGA DG73

Monitor: LG 29WK500 Mouse: G.Skill MX780 Keyboard: G.Skill KM780 Cherry MX Red

 

OG Gaming Rig - Gone

Spoiler

 

CPU: Intel i5 4690k Cooler: Corsair H100i V2 Motherboard: MSI Z97i AC ITX

RAM: Crucial Ballistix 16GB DDR3 Storage: Kingston Fury 240GB GPU: Asus Strix GTX 970

PSU: Thermaltake TR2 Case: Phanteks Enthoo Evolv ITX

Monitor: Dell P2214H x2 Mouse: Logitech MX Master Keyboard: G.Skill KM780 Cherry MX Red

 

 


6 hours ago, Dirtyshado said:

It’s not clear if the data sent by hospital websites was or was not caught by those filters. But the filters don’t always work as described.

Hmm hmm, I guess this is how data collection is classified nowadays? Filters that "don't always work as described"?

6 hours ago, Dirtyshado said:

“We do not have an adequate level of control and explainability over how our systems use data, and thus we can’t confidently make controlled policy changes or external commitments such as ‘we will not use X data for Y purpose.’ ” Facebook engineers on the ad and business product team wrote in a 2021 privacy overview.

What kind of statement is this? They wrote the software, didn't they? How can they not have control or explainability over their systems? Saying you won't be able to say if you will use certain data for particular purposes just screams "we don't care who gets what data". Not that I'm surprised at all, but imagine if the hospital would say they can't commit to making a statement whether you will have doctor-patient confidentiality. I hope this will lead to something.

Crystal: CPU: i7 7700K | Motherboard: Asus ROG Strix Z270F | RAM: GSkill 16 GB@3200MHz | GPU: Nvidia GTX 1080 Ti FE | Case: Corsair Crystal 570X (black) | PSU: EVGA Supernova G2 1000W | Monitor: Asus VG248QE 24"

Laptop: Dell XPS 13 9370 | CPU: i5 10510U | RAM: 16 GB

Server: CPU: i5 4690k | RAM: 16 GB | Case: Corsair Graphite 760T White | Storage: 19 TB


2 minutes ago, Caroline said:

*concern* I'd circle days in a calendar and visit a doc if I feel something's off. But that's just me.

 

both-is-good-both.gif

 

Oh, yeah it happens. I tend to focus on the bigger picture rather than micromanaging. I might be labeled as a radical voice when it comes to responsible use of technology, FOSS and hardware, it's a matter of ideals and principles. But I understand other POVs, I might not share them but I understand them.

But it's good you don't own a smartphone, great in fact.

When I did own them they used to end up stuck in a wall or in bits. I like to think I'm responsible, but not in the same manner as you. You know what you're doing.


13 hours ago, JKRsega said:

They should ban Meta/Anusbook. It causes nothing but trouble.

Going to be a political fallout if this happens though. Think of what's going on in Indonesia right now.

 

Not a problem for me however since I stopped using it ever since high school.

Specs: Motherboard: Asus X470-PLUS TUF gaming (Yes I know it's poor but I wasn't informed) RAM: Corsair VENGEANCE® LPX DDR4 3200Mhz CL16-18-18-36 2x8GB

            CPU: Ryzen 9 5900X          Case: Antec P8     PSU: Corsair RM850x                        Cooler: Antec K240 with two Noctura Industrial PPC 3000 PWM

            Drives: Samsung 970 EVO plus 250GB, Micron 1100 2TB, Seagate ST4000DM000/1F2168 GPU: EVGA RTX 2080 ti Black edition


I've not used it since 2009-10.  Everyone is so used to being connected.  Imagine a week where the internet stopped functioning world wide.  The peace...

 

What's going on in Indonesia?


9 hours ago, leadeater said:

Please let this actually be a HIPAA violation, that actually has teeth. The hospitals and Facebook need to be slapped for this, can't help think malice to some degree was involved.

I think it probably is. IIRC, as long as someone without immediate knowledge of the patient's records can accurately identify said person, it violates HIPAA. I mean, private is literally in the name.

 


39 minutes ago, Ryuikko said:

I think it probably is. IIRC, as long as someone without immediate knowledge of the patient's records can accurately identify said person, it violates HIPAA. I mean, private is literally in the name.

Problem is I have little faith that anything will actually be done. I'm sure it is but I also don't have billions of dollars and the lawyers/lobbyists that come with that, sighhhhhh


I can't help but feel like the hospitals are at least 95% responsible for this, and Meta maybe like 5%.

 

The hospitals decided to use a general library developed by Meta which has a well documented, optional, function that scrapes data from the website and sends it to Meta (where the developer can also see it, if I recall correctly).

Is it really Meta's fault that the tool they developed was used inappropriately? I doubt any human at Meta is sitting there, watching the information being gathered from the thousands upon thousands of sites that deploy the Meta Pixel, so some suspicious health data being sent to them probably wasn't even noticed by a human (but their ad algorithm certainly noticed it).

 

If this violates a law then surely only the hospitals would be found guilty and punished, right? I don't see how Meta did anything wrong, except their usual data harvesting shenanigans. 

Quite a few people I've seen comment on this story are mad at Meta, but in my eyes they didn't do anything wrong here. It's not Meta's fault hospitals were sending them a bunch of sensitive information. The issue here is that the info was sent to begin with, and it was the hospitals that sent that info.


8 hours ago, Caroline said:

both-is-good-both.gif

Yeah no, I think in this specific case the hospitals are solely responsible. They made the website, they chose the tools to implement, and it's not like Facebook's add-ons aren't well documented; they are extensively documented. It's on the hospitals to inform themselves before adding stuff to their website.

One day I will be able to play Monster Hunter Frontier in French/Italian/English on my PC, it's just a matter of time... 4 5 6 7 8 9 years later: It's finally coming!!!

Phones: iPhone 4S/SE | LG V10 | Lumia 920 | Samsung S24 Ultra

Laptops: Macbook Pro 15" (mid-2012) | Compaq Presario V6000

Other: Steam Deck

<>EVs are bad, they kill the planet and remove freedoms too some/<>


I'm still waiting for one of you smart bastards to write a program/virus that does nothing but creates shit random data and seeds it over all the cookies. When you log onto Facebook and it checks the cookies it thinks you have been to every website hosted in Malaysia today and yesterday the US etc. Once the data is no good for advertising then data harvesting will no longer be a thing.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


43 minutes ago, mr moose said:

I'm still waiting for one of you smart bastards to write a program/virus that does nothing but creates shit random data and seeds it over all the cookies. When you log onto Facebook and it checks the cookies it thinks you have been to every website hosted in Malaysia today and yesterday the US etc. Once the data is no good for advertising then data harvesting will no longer be a thing.

Would be a much better investment of malware programming than the standard fare "we broke yo sheet" stuff. I'd love to see this also used against the CCP and its collection (tik-tok, bytedance, etc) to really throw off their algorithms.


17 hours ago, dizmo said:

Hilarious. I really hope something comes of this, but I have a feeling not enough people will be mad enough for that to be true.

 

Haha, such an American statement 😂 It's not the case in most of the world. 

Haha, such a dumb statement XD almost like it was a joke....


6 hours ago, mr moose said:

I'm still waiting for one of you smart bastards to write a program/virus that does nothing but creates shit random data and seeds it over all the cookies. When you log onto Facebook and it checks the cookies it thinks you have been to every website hosted in Malaysia today and yesterday the US etc. Once the data is no good for advertising then data harvesting will no longer be a thing.

Just use adnauseam

One day I will be able to play Monster Hunter Frontier in French/Italian/English on my PC, it's just a matter of time... 4 5 6 7 8 9 years later: It's finally coming!!!

Phones: iPhone 4S/SE | LG V10 | Lumia 920 | Samsung S24 Ultra

Laptops: Macbook Pro 15" (mid-2012) | Compaq Presario V6000

Other: Steam Deck

<>EVs are bad, they kill the planet and remove freedoms too some/<>
