The Gafam are once again pinned for their processing of medical data. After the National Health Service (NHS), the British public health service, which in 2016 allowed DeepMind, a Google subsidiary dedicated to artificial intelligence, to access the personal data of 1.6 million patients without their consent, it is Meta’s turn to find itself in the spotlight. And for good reason, many American hospitals have collected sensitive information on the health of patients before sending them to the parent company of Facebook, according to a study by The Markup, an NGO of investigative journalism which is interested in the impact of technology on society.
By testing the websites of the 100 best American hospitals according to Newsweek, the organization discovered that 33 of them were equipped with the tracker Meta Pixel, a tool for collecting data from the group of Mark Zuckerberg. The latter, which is like a piece of computer code that can be placed on any website, makes it possible to record the identifier of each visitor to a site to follow his path on other sites, to offer them targeted advertisements on Facebook. A common and authorized practice if it does not concern overly sensitive data.
However, with Meta Pixel, the American giant has precisely recovered confidential medical information from American hospitals, such as details on the state of health of patients, their prescriptions, or their appointments with the doctor. As soon as they pressed the button to schedule a medical appointment, that information was sent to Facebook’s parent company via Meta Pixel. The American group could thus have knowledge of the name of the doctor and the pathology that was the subject of this appointment.
It also found Meta Pixel installed inside the password-protected patient-only online portals of several healthcare systems. Enough to allow the Californian firm to recover other sensitive information, such as the names of patients’ medications, details of their allergic reactions and details of their next medical appointments.
Healthcare data security experts and privacy advocates believe that hospitals using Meta Pixel may have violated HIPAA (Health Insurance Portability and Accountability Act). And for good reason, this federal law prohibits hospitals from sharing personally identifiable health information with third parties like Meta, unless the individuals concerned have clearly expressed their consent or contracts provide for such a practice.
However, neither the pinned hospitals nor Meta declared having put in place such contracts, The Markup having found no evidence that the health establishments or the American group had expressly obtained the consent of the patients. There were 33 hospitals that were affected, and it was found that more than 26 million patients and outpatients in 2020 have also been affected Meta and its strange conception of sensitive data Pending possible legal action that could be launched by the American authorities, some hospitals have decided to take the lead after discovering the conclusions of The Markup’s investigation.
Already seven hospitals have removed this system from their booking pages and have also uninstalled it from there patient portals. Although Meta is not subject to HIPAA, the Menlo Park firm launched a system for filtering sensitive health information in the summer of 2020. But according to a survey conducted jointly by The Markup and Reveal, this device did not block information on appointments made by a journalist with crisis centers dedicated to pregnant women.
Reveal and The Markup have also found that 294 websites of these centers, out of 2,500 analyzed, shared information with Meta. In many cases, the information was extremely sensitive, such as whether a person was considering an abortion or seeking a pregnancy test or emergency contraceptives. Not really reassuring for patient.