- Jul 27, 2015
A tracking tool installed on many hospitals’ websites has been collecting patients’ sensitive health information—including details about their medical conditions, prescriptions, and doctor’s appointments—and sending it to Facebook.
The Markup tested the websites of Newsweek’s top 100 hospitals in America. On 33 of them we found the tracker, called the Meta Pixel, sending Facebook a packet of data whenever a person clicked a button to schedule a doctor’s appointment. The data is connected to an IP address—an identifier that’s like a computer’s mailing address and can generally be linked to a specific individual or household—creating an intimate receipt of the appointment request for Facebook. On the website of University Hospitals Cleveland Medical Center, for example, clicking the “Schedule Online” button on a doctor’s page prompted the Meta Pixel to send Facebook the text of the button, the doctor’s name, and the search term we used to find her: “pregnancy termination.” Clicking the “Schedule Online Now” button for a doctor on the website of Froedtert Hospital, in Wisconsin, prompted the Meta Pixel to send Facebook the text of the button, the doctor’s name, and the condition we selected from a dropdown menu: “Alzheimer’s.”
“I am deeply troubled by what [the hospitals] are doing with the capture of their data and the sharing of it,” said David Holtzman, a health privacy consultant who previously served as a senior privacy adviser in the U.S. Department of Health and Human Services’ Office for Civil Rights, which enforces HIPAA. “I cannot say [sharing this data] is for certain a HIPAA violation. It is quite likely a HIPAA violation.”
University Hospitals Cleveland Medical Center spokesperson George Stamatis did not respond to The Markup’s questions but said in a brief statement that the hospital “comport with all applicable federal and state laws and regulatory requirements.” After reviewing The Markup’s findings, Froedtert Hospital removed the Meta Pixel from its website “out of an abundance of caution,” Steve Schooff, a spokesperson for the hospital, wrote in a statement. As of June 15, six other hospitals had also removed pixels from their appointment booking pages and at least five of the seven health systems that had Meta Pixels installed in their patient portals had removed those pixels. The 33 hospitals The Markup found sending patient appointment details to Facebook collectively reported more than 26 million patient admissions and outpatient visits in 2020, according to the most recent data available from the American Hospital Association. Our investigation was limited to just over 100 hospitals; the data sharing likely affects many more patients and institutions than we identified.
Facebook is receiving sensitive medical information from hospital websites
Ad-tracking by some hospitals may violate federal law protecting health data.