Meta faces mounting questions from Congress over health data privacy
Meta is facing growing questions over its access to sensitive medical data following a Markup investigation that found the company’s pixel tracking tool was collecting details about doctor’s appointments, prescriptions and patient health conditions on hospital websites.
During a Senate Homeland Security and Governmental Affairs Committee hearing on Sept. 14, Sen. Jon Ossoff (D-Ga.) asked Meta — the parent company of Facebook and Instagram — to provide a “full and accurate” account of the medical information it maintains about users.
“There have been significant public reports, controversies and concerns regarding the Meta Pixel product and the possibility that its deployment on the websites of various hospital systems, for example, has allowed Meta to collect private data about health care,” Ossoff said.
“We need to understand, as the US Congress, whether Meta collects, has collected, has access to, or stores medical or health data for American individuals,” he added.
In response to Ossoff’s question as to whether Meta has any medical or healthcare data on its users, Chris Cox, Meta’s chief product officer, replied, “Not to my knowledge.” Cox also promised to give the committee a written response.
In June, The Markup reported that Meta Pixels on the websites of 33 of Newsweek’s Top 100 U.S. hospitals passed patients’ doctor’s appointment details to Meta when patients booked on the websites. We also found Meta Pixels in the password-protected patient portals of seven health systems collecting data on patients’ prescriptions, sexual orientation and health conditions.
Former regulators told The Markup that hospitals’ use of the pixel may have violated Health Insurance Portability and Accountability Act (HIPAA) prohibitions against sharing protected health information.
“Advertisers should not send sensitive information about individuals through our business tools,” Meta spokesperson Dale Hogan wrote to The Markup in an emailed statement. “This is against our policies and we teach advertisers how to properly configure business tools to prevent this from happening. Our system is designed to filter out potentially sensitive data that it is able to detect.”
From The Markup survey:
- Since September 15, 28 of 33 hospitals have removed the Meta Pixel from their doctor booking pages or blocked it from sending patient information to Facebook. At least six of the seven health systems had also removed the pixels from their patient portals. The Markup reached out to institutions that removed the pixel from their websites after our investigation published in June. As of press time, three institutions — Sanford Health, El Camino Health and Henry Ford Health — had responded. Read their statements here.
- A healthcare system, Novant Health, based in North Carolina, sent data breach notifications to 3 million customers following The Markup’s report. In the breach notification, Novant Health said the pixel was added as part of a promotional campaign to encourage use of Novant’s MyChart patient portal, but “the pixel was configured incorrectly and may have allowed transmission of certain private information to Meta.” On September 16, Novant amended its data breach notification message to indicate that Meta informed the provider that it “generally” screens patients’ sensitive medical information and has “no information to return or destroy.”
- The North Carolina attorney general’s office said it was “actively investigating” hospital data sharing after calls from state lawmakers for an investigation.
- At least five class action lawsuits have been filed against Meta, claiming that the pixel’s data collection on hospital websites violates various state and federal laws. One, filed against the company on behalf of a Baltimore-based MedStar health system patient, claims that Meta Pixels collected patient information from at least 664 different hospital websites. The other lawsuits were filed on behalf of patients at Novant Health and hospitals in San Francisco, Los Angeles and Chicago.
Meanwhile, developments in another court case suggest Meta may struggle to provide the Senate committee with a full account of the sensitive health data it holds on users.
In March, two Meta employees testifying in a case involving the Cambridge Analytica scandal told the U.S. District Court for the Northern District of California that it would be very difficult for the company to track down all of the data associated with a single user account.
“It would take multiple teams on the advertising side to pinpoint exactly where the data is flowing,” said a Facebook engineer, according to the transcript, which was first reported by The Intercept. “I would be surprised if there was even one person who could conclusively answer this narrow question.”
The engineers’ comments echo the same concerns expressed in a 2021 privacy notice written by Facebook engineers that was leaked to Vice.
“We do not have an adequate level of control and explainability over how our systems use data, and therefore cannot confidently make controlled policy changes or external commitments such as ‘we will not use X data for Y purposes,’” the memo’s authors wrote.
This article was co-published with The Markup, a nonprofit newsroom that studies how powerful institutions are using technology to change our society. Sign up for its newsletters here.