A “Creepy, Problematic, and Potentially illegal” Problem.
Well…that might not be the case based on discoveries from a recent study conducted by The Markup, a nonprofit newsroom that investigates “how powerful institutions are using technology to change our society.”
The study looked at Newsweek’s top 100 hospitals in America. On one-third of the websites, researchers found a Facebook tracker, called the Meta Pixel, sending Facebook highly personal healthcare data whenever the user clicked the “schedule appointment” button. Because the data is connected to an IP address, the IP address and the appointment information gets delivered to Facebook.
So, Facebook Knows the Day and Time I Am Going to the Doctor. What’s the Big Deal?
Well, for starters, it’s not just the day and time being sent in trackers like these. In the case of this study, researchers found that web trackers sent Facebook the following information, depending on how the tracker was structured on the webpage:
- Doctor’s name
- Search term used to find the doctor’s name
- Health conditions selected from drop down menus (e.g., pregnancy or Alzheimers)
Researchers also discovered the Facebook Meta Pixel tracker installed inside password-protected patient portals. Data collection from the private patient portals included:
- Patient medication names
- Descriptions of allergic reactions
- Details about upcoming doctor’s appointments.
In addition, the Meta Pixel data packets include the user’s IP address that can be used, in combination with other user data, to identify the individual or household. The Healthcare Insurance Portability and Accountability Act (HIPAA) lists IP address as one of the identifiers (along with things like name and address) that when linked to information about a person’s health condition, qualifies as protected health information (PHI).
Web Trackers & Security: These Healthcare Providers Are Likely Violating HIPAA (with Facebook’s Help)
Experts in big data and healthcare describe the prevalence of web trackers capturing sensitive patient information as a “creepy, problematic, and potentially illegal” security problem. Researchers in this study consulted health data security experts, former health regulators, and privacy advocates, all of whom believed that the hospitals in question likely violated HIPAA.
The Health Insurance Portability and Accountability Act (HIPAA) protects sensitive health information (known as PHI) from being disclosed without the individual patient’s consent or knowledge. According to regulations, PHI may only be shared when the patient has provided advance consent or under the terms of certain contracts. It seems that neither the hospitals nor Facebook (Meta) had such contracts in place, suggesting that hospitals were releasing and Facebook was capturing this information without patient consent.
A spokesperson from Facebook’s parent company, Meta responded to the researchers with a brief email claiming that Meta’s systems are designed to filter potentially sensitive health information which may be submitted in error through the use of their business tools. However, an investigation in 2021 found that the Meta filtering system was “not yet operating with complete accuracy.” A subsequent investigation by researchers at The Markup discovered that Meta’s health information filtering system did not, in fact, block information related to health conditions and appointment types (e.g., pregnancy or Alzheimers).
Internal Facebook employees have been more candid about the efficacy of the company’s sensitive information filtering tools. According to a 2021 leaked statement from one Facebook engineer, “We do not have an adequate level of control and explainability over how our systems use data, and thus we can’t confidently make controlled policy changes or external commitments such as ‘we will not use X data for Y purpose.’”
What Are Web Trackers?
Web trackers, like ‘Meta Pixel,” use code to track users’ online activity, as they navigate a website or as part of web browser activities. Tracking includes the buttons the user clicks, the information they type into forms, and the pages on the site they visit.
It’s important to note that Meta Pixel isn’t the only web tracker out there. In addition to cookies, web beacons, fingerprinters (browser fingerprinting), super cookies, embedded scripts, and cross-site trackers are other types of web trackers. Many companies use trackers for targeted ads and social media, including Twitter, Google, Facebook, Amazon, AppNexus, and ComScore. While many trackers are used just for advertising purposes, others are used to track behavior and user analytics.
The long and short answers are both yes. First and foremost, improperly used web trackers could result in significant regulatory violations, including HIPAA, General Data Protection Regulation (GDPR), Payment Card Industry Data Security Standard (PCI DSS), and others. Penalties for compliance violations include fines and reputation damage.
Even more concerning, a recent study conducted by several researchers from Radboud University and the University of Lausanne found that thousands of websites among the world’s top 100,000 were leaking information entered into site forms. This information included “personal identifiers, email addresses, usernames, passwords, or even messages entered into forms and then deleted and never actually submitted.” While the trackers themselves were only intended to monitor end user activity or determine anonymous user preferences, because tracker code was embedded near areas that collected sensitive data, both the user activity and the sensitive information were ultimately sent to third parties. This presents serious privacy and security issues, since no one wants their user name and password data leaked to employees working at third-party advertisers.
How Can Businesses Improve Web Tracker Security?