Facebook has been collecting potentially sensitive health data through a tracker that, until recently, was included in the online scheduling tools of roughly a third of the country’s top hospitals, according to a new report from nonprofit investigative newsroom The Markup.
Called the Meta Pixel, the tracker is an analytics tool Facebook’s parent company offers website owners. In exchange for social media advertising information, the tracker sends the tech company data on users’ IP addresses and webpage activity.
The Markup reviewed the appointment scheduling webpages of 100 leading hospitals and found the Meta Pixel on 33, according to the report. These hospitals collectively saw over 26 million patient admissions and outpatient visits in 2020, per American Hospital Association survey data cited by the publication.
The group also found the tracker within the password-protected patient portals of seven major health systems, five of which they were able to document sending the personal data of real volunteer patients.
IP addresses, doctor names, appointment times, medication information, search terms, and connections to users’ Facebook accounts were all among the data being collected and sent to the tech company, according to the report, which was co-published with digital publication Stat. There were reportedly no specific contracts or other evidence that patients were providing consent to these data being collected.
Health privacy consultants and advocates cited in the report said they were troubled by the data collection practices but stopped short of definitively declaring the tracker to be a HIPAA violation.
The organization reached out to the hospitals and health systems that had the Meta Pixel on their webpages. As of the time of the report’s publication, seven hospitals and five health systems had removed the Meta Pixel from their webpage after being contacted.
Some reportedly replied to inquiries by referencing safeguards installed by Facebook to filter out sensitive health data prior to transmission. Some of these organizations still removed the tracker from their web pages.
The Markup noted a February investigation from the New York Department of Financial Services reporting the poor accuracy of Facebook’s sensitive data filtering system.
Facebook parent company Meta did not respond to questions from The Markup regarding how the data were being used but referenced its policy to remove potentially sensitive health data via the filtering tool.
Facebook also acknowledges that the Meta Pixel and other tracking tools collect users’ personally identifiable information in its business tools terms of service.