Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Facebook Privacy Technology

Facebook Is Receiving Sensitive Medical Information from Hospital Websites (themarkup.org) 92

A tracking tool installed on many hospitals' websites has been collecting patients' sensitive health information -- including details about their medical conditions, prescriptions, and doctor's appointments -- and sending it to Facebook. From a report: The Markup tested the websites of Newsweek's top 100 hospitals in America. On 33 of them we found the tracker, called the Meta Pixel, sending Facebook a packet of data whenever a person clicked a button to schedule a doctor's appointment. The data is connected to an IP address -- an identifier that's like a computer's mailing address and can generally be linked to a specific individual or household -- "creating an intimate receipt of the appointment request for Facebook. The Markup found 33 of Newsweek's top 100 hospitals in the country sending sensitive data to Facebook via the pixel. Data accurate as of June 15, 2022. On the website of University Hospitals Cleveland Medical Center, for example, clicking the "Schedule Online" button on a doctor's page prompted the Meta Pixel to send Facebook the text of the button, the doctor's name, and the search term we used to find her: "pregnancy termination." Clicking the "Schedule Online Now" button for a doctor on the website of Froedtert Hospital, in Wisconsin, prompted the Meta Pixel to send Facebook the text of the button, the doctor's name, and the condition we selected from a dropdown menu: "Alzheimer's."
This discussion has been archived. No new comments can be posted.

Facebook Is Receiving Sensitive Medical Information from Hospital Websites

Comments Filter:
  • by nospam007 ( 722110 ) * on Thursday June 16, 2022 @07:44AM (#62624592)

    ...collecting of private data.

    If that was a foreign country, it would be considered an act of war.

    • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Thursday June 16, 2022 @07:53AM (#62624604) Homepage Journal

      In this case it might actually be a violation of HIPAA, since this is actually health care related PII being collected by a health care provider.

      • by dada21 ( 163177 )

        You probably signed away any rights when you checked in.

        • by The Raven ( 30575 ) on Thursday June 16, 2022 @08:18AM (#62624706) Homepage

          I understand your cynicism, but be aware that you can't sign away the rights granted by law. A hospital can't invalidate HIPAA with a EULA. So this is quite possibly a wide enough violation to result in very expensive class action lawsuits.

          • Re:Land of the free (Score:4, Interesting)

            by dada21 ( 163177 ) <adam.dada@gmail.com> on Thursday June 16, 2022 @08:20AM (#62624718) Homepage Journal

            You absolutely CAN sign a HIPAA waiver of authorization to release your data to "researchers" tho.

            https://www.theguardian.com/te... [theguardian.com]

            Facebook is a medical researcher.

            • Re: (Score:2, Informative)

              by Anonymous Coward

              There's a difference between releasing for a specific purpose (research, allow insurance to pay the bill, etc.) versus a click-through EULA.

              Last time I checked, HIPPA needed a signature, with a date, that was only valid for 12 months from the signed date. I honestly don't think the click-through EULA's going to cover them on this.

              I work for a major health ins. company, and prior to that, a large company that handled processing of HIPPA data. Suffice it to say, the data for both companies is/was kept very

              • > Either that, or just a lot of naive folks that don't care what they give away so long as they get free stuff.

                We got lots of free stuff on the 'net before they sold all this data. Remember those great Apple "choose mac" banner ads circa 2007 (particularly the one where PC hits a button to celebrate)? They weren't collecting my private info to decide whether I got that ad, it just came up in the carousel like any other banner.

                It's only now that advertisers are addicted to this data, and solely because th

              • by SecurityGuy ( 217807 ) on Thursday June 16, 2022 @09:37AM (#62624946)

                > I work for a major health ins. company, and prior to that, a large company that handled processing of HIPPA data.

                You should probably know it's HIPAA, then.

                • > I work for a major health ins. company, and prior to that, a large company that handled processing of HIPPA data.

                  You should probably know it's HIPAA, then.

                  Sure, but typing is an almost entirely preconscious behavior for most regular computer users. The output of the human brain is unreliable; it loves to fudge shortcuts and reuse previous patterns. Except for the final vowel, English speakers say "hippa" the exact same way they say "hippo". People aren't running around saying "hype ahhh". It's completely understandable and very common that someone who knows H.I.P.A.A very well would still sometimes type "HIPPA" when typing in informal discussion where speed/g

            • Re:Land of the free (Score:5, Informative)

              by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Thursday June 16, 2022 @09:50AM (#62625002) Homepage Journal

              You absolutely CAN sign a HIPAA waiver of authorization to release your data to "researchers" tho.

              Did you actually read that citation?

              âoeIf they were sharing information that was being linked, itâ(TM)s not clear how they would have done that under Hipaa,â Jodi Daniel, who helped draft the original Hipaa privacy and enforcement rules, told the Guardian.

              and

              Michael Valentine, ACC president, said discussions with Facebook were on hold and the group had not yet shared data because of the health groupâ(TM)s commitment to privacy.

              So what your citation shows is that Facebook wanted some data, but they didn't get it, because they couldn't come to an agreement over privacy with "the American College of Cardiology (ACC) and Stanford University School of Medicine." And the expert doesn't see how it could have been legal for them to do so, either. It literally says the opposite of what you want it to say.

            • It is very important that Facebook knows when your adult diapers are about to run out.
            • by Holi ( 250190 )
              They better have a signed waiver.
            • by Holi ( 250190 )
              But you have to sign a waiver. Not some click though accept our policies to use our site type crap. HIPPA Waivers require documented Institutional Review Board (IRB) or Privacy Board Approval.
          • There won't be a class action under HIPAA, because HIPAA doesn't create a right of private action.

            If your medical information has been exposed by this, you can file a complaint here: https://www.hhs.gov/hipaa/fili... [hhs.gov]

            But you can't sue, the feds have to.

        • by Barny ( 103770 ) on Thursday June 16, 2022 @08:39AM (#62624786) Journal

          RTFA. They specifically say that they checked the terms and conditions both on the various medical sites and on Metabook, and neither had a disclaimer letting PII to be sent to Fac-e-book.

      • This isn't unique to US hospitals. Pharmacies in Sweden has also been sending data to facebook.

      • "In this case it might actually be a violation of HIPAA, since this is actually health care related PII being collected by a health care provider."

        The Health Care Provider is liable according to HIPAA, third parties are not.
        They have to protect the data.

  • Lots of third party widgets and libraries also do the same thing. Let's not forget about fonts too. Having performed countless privacy and security audits this is one of the most common fails encountered. That or an entity wants to use software accessible via the internet hosted in a foreign country. Guess what that data is fair game to anyone that bothers to take it.
  • So, does this 'just happen' as part of generic tracking on arbitrary websites, or does Meta actively develop a tracker with this specific goal in mind?

    Also, the fact that the data is sent to Facebook, doesn't necessarily mean that they store it, abuse it, sell it.
  • by wakeboarder ( 2695839 ) on Thursday June 16, 2022 @08:02AM (#62624632)

    I use noscript to block Facebook's JavaScript from running on any site but Facebook.

    • Re:This is why (Score:4, Interesting)

      by AmiMoJo ( 196126 ) on Thursday June 16, 2022 @08:22AM (#62624722) Homepage Journal

      The defaults need to be changed so that all browsers block this without any effort from the user. Mozilla and Google are both moving in that direction, but it's not fast enough.

      • It's kind of hard because with certain ad scripts the advertising server is needed for functionality, and so it could break some sites with certian advertisers. But yeah, why the internet users give a free pass to DoubleClick Facebook ect is beyond me

      • They have to do so tentatively, lest they be accused of hampering the advertising efforts of competitors, to their own advantage.

      • Mozilla moved away from it. It used to be very easy to block third-party images in Firefox, but they dropped that feature long ago.
  • by haggie ( 957598 ) on Thursday June 16, 2022 @08:07AM (#62624664)

    This collecting of personal healthcare information is a clear violation of HIPAA. That makes it illegal not just offensive.

    • Pretty sure it's probably buried into the HIPAA consent form you agree too when signing up for the web portal.

  • Doesn't Firefox block Facebook tracking by default?

  • Okay, I like to bash invasive trackers as much as the next person, but is it really Meta that's at fault here?

    The Pixel only submits information it's configured to collect, and by default, that set is fairly small. To me, it sounds more like the marketers at these medical centers/sites (mis-)configured their tracking to capture way too much data, in the hopes of being able to optimize their placement with it.

    So it's not really a case of Meta being evil for me, the same way mass shootings are not the rifle's

    • by splutty ( 43475 )

      Without rifles there wouldn't be mass shootings.

      Without Faecesbook having the infrastructure in place to track everything you do everywhere, there wouldn't be potential illegal information gathering.

    • Yes, it's not Meta's fault if hospitals send them PII. The hospitals would be at fault.

  • Mark is clearly a smart guy... but is he really trying everything to get arrested and prosecuted for felonies? Stealing any other kind of data is just a crime, but health data is rigidly protected by HIPPA. The more scandals I see about FB, the more I've come to disrespect the guy.
    • by splutty ( 43475 )

      He's smart in certain ways. He's also really really stupid and clueless in a lot of other ways.

      This is fairly normal for people that are very close to being autistic, I know this from experience :P

      And frankly, yes, a lot of this is "his fault" if for nothing else than he's responsible for it, and decides to ignore all the warnings and issues, despite plenty of people telling him how his company is fucking up.

      As the de-facto sole owner of the company, he's 100% responsible.

  • Over-reacting!!! (Score:5, Insightful)

    by archatheist ( 316491 ) on Thursday June 16, 2022 @09:01AM (#62624860)

    You don't need to worry. There is no way Facebook would sell data to, say, Oklahoma or Texas about your appointment in another state with an abortion provider. Just to give one very specific example of what would never, ever happen. Never.

    The same thing is true for your kids' data. No way they would store that information, blaming it on a system that was “not yet operating with complete accuracy,” and then sell that data. Accidentally. Everybody makes mistakes, but not Facebook!

    Also inadvertently leaking appointment data that might be used by abusers to find their victims? Simply impossible. Computers are super-duper secure, dummy.

    • They would also never sell your data to small businesses screening job applicants who might be pregnant or have health issues requiring expensive or time consuming care, as another specific example.
    • a prosecutor will subpoena the data and use it to convict the women, sentencing her to life in jail for Murder 1.
      • by njvack ( 646524 )

        a prosecutor will subpoena the data and use it to convict the women, sentencing her to life in jail for Murder 1.

        Subpoenas come with a bunch of irritating, time-consuming legal process and scrutiny. Prosecutors (or, for that matter, concerned citizens) can skip all that by just buying the data.

  • by Anonymous Coward
    Many hospitals replied to The Markup that they have temporarily disabled the feature. Others provided hilarious non-answers...Northwestern Memorial Hospital: “The use of this type of code was vetted and is referenced in NM.org’s Terms and Conditions.” Sharp Memorial Hospital: “After reviewing your questions and looking into the matter, Sharp HealthCare has confirmed that we are not sending any personal identifiable information, including IP addresses, to Facebook.” https://www [documentcloud.org]
    • My favourite one (Score:4, Interesting)

      by Ecuador ( 740021 ) on Thursday June 16, 2022 @09:41AM (#62624970) Homepage

      My favourite one is from Houston Methodist Hospital, in Texas, which responded that they are "confident" in Facebook’s safeguards. When the researchers showed them that the meta pixel send your search ("Home abortion") in the example, along with the “Schedule Appointment” button being pressed, along with the name of the doctor, the Hospital representative replied more hilariously, that they don't consider it protected health information as “The click doesn’t mean they scheduled” and “It’s also worth noting that people often are exploring for a spouse, friend, elderly parent.”.
      So, as long as you mix in some false data along with the protected health data, it's no longer protected health data!
      And the last gem from that same hospital:

      Asin added that Houston Methodist believes Facebook “uses tools to detect and reject any health information, providing a barrier that prevents passage of [protected health information].”

      Drinking the koolaid!

  • Many, many web sites contain links to google-analytics, google fonts, use jQuery from Google CDN, etc. Google sees the referer information on the requests and can track where a user goes. The referer information includes contents of GET forms which tells google even more about what we are doing. I would be very surprised if this is not analysed by google.

    • Google Analytics don't work with a pixel gathering all of your click data, though. They use a script that's easily blocked. Doubleclick on the other hand ...

  • by ayesnymous ( 3665205 ) on Thursday June 16, 2022 @09:52AM (#62625010)
    by deleting their account or not registering in the first place. <laughs>
    • by deleting their account or not registering in the first place. <laughs>

      Exactly. I've never had a Facebook account, but I assume they have an extensive shadow profile [wikipedia.org] on me.

  • The data is connected to an IP address -- an identifier that's like a computer's mailing address and can generally be linked to a specific individual or household -- "creating an intimate receipt of the appointment request for Facebook

    Good enough of an association for a Facebook privacy story, but not good enough to catch someone pirating a movie, or music (it wasn't me said the guilty one).

  • I thought Google makes the Pixel.
  • by cpurdy ( 4838085 ) on Thursday June 16, 2022 @10:03AM (#62625054)
    Statement from Mark Zuckernerd:

    There is nothing to see here. Facebook has a mission to connect humanity.
    Move along, now. (We have elections to overthrow for profit, and genocides to coordinate.)

  • by Anonymous Coward

    Gotta post AC. I just recently got a job working for a hospital here in the US. I am delighted to tell you all, this would not happen at the hospital where I work. A facebook resource being referenced by one our pages would be an extreme nono. It's not just that our techies wouldn't do it; it's that it would be explicitly against the rules. I could, theoretically, get fired for doing that. Thank goodness.

    It's disappointing to hear this isn't the case at all hospitals. But cheer up; there really are some goo

    • Not sure whether the health plan I'm in does the FB thing. Will check next time I use them. But they do have a ton of outside connections even when you're logged in. IMO that should not happen - it's impossible to control what all those Other Companies do, contractually or otherwise. Just dumb. But profitable. Duh?

  • Seriously. How much more egregious and blatant does shit like this have to be, before there are warrants, arrests, and charges filed?
    Also how the actual FUCK are medical organizations participating in bullshit like this?
  • ... is likely to be in Meta's future. A class action lawsuit with members potentially numbering in the millions.

    On what planet would collecting this information be deemed legal? HIPAA has been around since the mid-'90s. It's not like this could have been any kind of surprise to Meta's/Facebook's developers and management. Back when I went through HIPAA training and we developed the policies at the healthcare organization I was working for at the time, there had been a lot of discussion about a significant

    • Maybe if the doctor was sending that information to Meta. However, as the functionality currently exists, you are selecting and sending the information to Meta. None of the information the MetaPixel is collecting has come from your patient records, but has all come from what you've provided to the browser session. That you're choosing to share this information will be covered by the terms of service of both Meta and the site you're visiting (whichever it may be - in this investigation, they're looking at he
  • I truly hate Zuckerberg and others like him. Scum of the fucking Earth. Hate is such a strong word but completely appropriate for these asshats.
  • Anyone using MyChart also feeds a ton of information back to Google via its beloved (/s) AdSense/Google Tag network. I do run application firewalls to block advertisements, including these domains. Unless I remove the Google domains, I cannot open any private messages to/from my doctors. Why, I do not know. I too believed I had medical privacy and HIPAA was a thing (at least when I am building medical products, we respect them), but in the end I am just another product waiting to be sold for even higher pro

  • ... search term we used to find her: "pregnancy termination."

    This tells Facebook how many times a specific doctor provides a specific service. It sounds innocent but Big Data is able to de-anonymize the history of a specific person. The 'permanent record' meme is becoming a reality.

  • I don't think anyone is shocked to hear another example of what a bunch of greedy sociopaths the Zuckerfuckers are.

    The question is, will government finally have the guts to do something about it?

    Something meaningful, too. Not just a $100M or $200M fine. I mean seizing all of Zuckerfucker's assets, just like the West is doing with the Russian sociopaths.

    I won't hold my breath.

As you will see, I told them, in no uncertain terms, to see Figure one. -- Dave "First Strike" Pare

Working...