A tracking tool on approximately one third of hospital websites in the United States has sent private patient information to Facebook, based on an investigative report jointly published by STAT and The Markup.
The tracker, known as Meta Pixel, was identified in online appointment schedule features in 33 of Newsweek’s top 100 hospitals in America; in 7 of these hospitals, the tracker also was linked to the hospital’s patient portal feature. Most patient portals include details such as test results, medications, allergic reactions, and upcoming appointments.
Meta Pixel is a small piece of computer code that tracks users’ activities on a website, including which pages they select, which buttons they click, and what information they enter in online forms. Meta Pixel exists in more than 30% of websites overall, not just those of hospitals, according to The Markup report.
In exchange for installing the Meta Pixel, website owners have access to analytics about their users, along with tools to target ads on Facebook and Instagram to website users.
The Markup researchers explained that the Meta Pixel routes personal information to Facebook by way of scripts running in your internet browser. Each data packet, such as online appointment scheduling, is connected to an IP address that is linked to an individual or household, and Facebook receives a receipt of the appointment request based on that IP address.
The Markup report included data from an ongoing project involving patient accounts created by reporters and volunteers from Mozilla Rally. In one example, when an individual clicked to finish booking an appointment on a doctor’s page at one of the hospitals, “the pixel sent Facebook not just the name of the doctor and her field of medicine but also the first name, last name, email address, phone number, zip code, and city of residence we entered into the booking form,” the authors reported.
“In addition, if a patient is logged in to Facebook when they visit a hospital’s website where a Meta Pixel is installed, some browsers will attach third-party cookies — another tracking mechanism — that allow Meta to link pixel data to specific Facebook accounts,” the authors wrote.
According to the authors, HIPAA includes IP addresses as one of its identifiers that can qualify as protected health information, which cannot be shared by hospitals except under restricted business agreements.
Several hospitals, but not all of those contacted, responded to The Markup’s request for comment, as follows:
“The security of our patients’ health information is a top priority. None of our protected patient health information is disclosed through this pixel,” said Lauren Zakalik, director of public and media relations strategy at Henry Ford Hospital, Detroit, Michigan.
“Since our further examination of the topic is ongoing, we elected to remove the pixel for now to be sure we are doing everything we can to protect our patients’ privacy while we are evaluating,” said Stefanie Asin, director of communications, public relations, and creative services, Houston Methodist Hospital, Houston, Texas.
“The use of this type of code was vetted and is referenced in NM.org’s Terms and Conditions,” said Christopher King, chief media relations executive for Northwestern Memorial Hospital, Chicago, Illinois.
Notably, the Meta Pixel terms of service state that the pixel collects personal information for various purposes, according to The Markup reporting team.
The report was limited by the inclusion only of 100 hospitals; “the data sharing likely affects many more patients and institutions than we identified,” the authors wrote.
As part of the current report and continuing investigation into medical data sharing, The Markup investigative team is conducting a crowd-sourced project with Mozilla Rally to document how Meta Pixel sends patient data to Facebook. This project is ongoing through mid-July.
The Markup authors had no financial conflicts to disclose.
The Markup/STAT. Published online June 16, 2022. Article
Heidi Splete is a freelance medical journalist with 20 years of experience.