Facebook Is Receiving Sensitive Medical Information from Hospital Websites (themarkup.org) 92
A tracking tool installed on many hospitals' websites has been collecting patients' sensitive health information -- including details about their medical conditions, prescriptions, and doctor's appointments -- and sending it to Facebook. From a report: The Markup tested the websites of Newsweek's top 100 hospitals in America. On 33 of them we found the tracker, called the Meta Pixel, sending Facebook a packet of data whenever a person clicked a button to schedule a doctor's appointment. The data is connected to an IP address -- an identifier that's like a computer's mailing address and can generally be linked to a specific individual or household -- "creating an intimate receipt of the appointment request for Facebook."

[Figure caption: The Markup found 33 of Newsweek's top 100 hospitals in the country sending sensitive data to Facebook via the pixel. Data accurate as of June 15, 2022.]

On the website of University Hospitals Cleveland Medical Center, for example, clicking the "Schedule Online" button on a doctor's page prompted the Meta Pixel to send Facebook the text of the button, the doctor's name, and the search term we used to find her: "pregnancy termination." Clicking the "Schedule Online Now" button for a doctor on the website of Froedtert Hospital, in Wisconsin, prompted the Meta Pixel to send Facebook the text of the button, the doctor's name, and the condition we selected from a dropdown menu: "Alzheimer's."
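The summary describes the Pixel shipping button text, a doctor's name and a search term in one request. For a site owner or privacy team that wants to verify this on their own pages, the following is an added example (not code from The Markup, Meta, or any hospital) that audits a list of captured outbound request URLs, such as the entries of a browser network log or HAR export. It assumes the Pixel's collection endpoint is `https://www.facebook.com/tr/` and that the parameters `ev`, `dl`, `rl` and `cd[...]` carry the event name, page URL, referrer and site-supplied custom data; those names come from beacons I have observed, not from documented API, so treat them as assumptions. The sample capture, pixel id, doctor name and hospital host are constructed.

```javascript
// Added example: audit captured request URLs for known trackers and report
// which page content they carry back. Not code from the article or from Meta.
// Assumed Meta Pixel endpoint and parameter names: www.facebook.com/tr/ with
// ev (event), dl (page URL), rl (referrer) and cd[<name>] (custom data).

const TRACKER_HOSTS = {
  "www.facebook.com": "meta-pixel",
  "connect.facebook.net": "meta-pixel-script",
  "www.google-analytics.com": "google-analytics",
  "stats.g.doubleclick.net": "doubleclick",
};

// Query parameters on the hospital's own page URL that usually hold what the
// visitor typed or selected (constructed list; extend it for your own site).
const CONTENT_PARAMS = ["q", "query", "search", "condition", "specialty", "provider"];

// Pull content-bearing parameters out of a page URL reported by the beacon.
function contentParams(pageUrl) {
  const out = {};
  if (!pageUrl) return out;
  let u;
  try { u = new URL(pageUrl); } catch { return out; }
  for (const [k, v] of u.searchParams) {
    if (CONTENT_PARAMS.includes(k.toLowerCase()) && v.trim() !== "") out[k] = v;
  }
  return out;
}

// Classify one captured request. Returns null for first-party requests so the
// caller can concentrate on what leaves the site.
function auditBeacon(requestUrl, firstPartyHost) {
  const u = new URL(requestUrl);
  if (u.hostname === firstPartyHost) return null;
  const tracker = TRACKER_HOSTS[u.hostname];
  if (!tracker) return { host: u.hostname, tracker: "third-party-unknown", event: null, leaks: [] };

  const leaks = [];
  const p = u.searchParams;
  if (tracker === "meta-pixel") {
    // cd[...] is whatever the site's own code chose to attach: button text,
    // doctor name, appointment type.
    for (const [k, v] of p) {
      const m = /^cd\[(.+)\]$/.exec(k);
      if (m && v.trim() !== "") leaks.push({ field: m[1], value: v, via: "custom-data" });
    }
    // The reported page URL and referrer carry search terms and form choices.
    for (const key of ["dl", "rl"]) {
      for (const [k, v] of Object.entries(contentParams(p.get(key)))) {
        leaks.push({ field: k, value: v, via: key === "dl" ? "page-url" : "referrer" });
      }
    }
  }
  return { host: u.hostname, tracker, event: p.get("ev"), leaks };
}

function auditCapture(urls, firstPartyHost) {
  return urls.map((url) => auditBeacon(url, firstPartyHost)).filter(Boolean);
}

// Constructed sample capture (hospital host, pixel id, doctor and button text
// are invented). The Pixel beacon double-encodes the page URL it reports.
const SAMPLE_CAPTURE = [
  "https://www.example-hospital.test/doctors/jane-doe?condition=Alzheimer%27s",
  "https://www.facebook.com/tr/?id=000000000000000&ev=Schedule" +
    "&dl=https%3A%2F%2Fwww.example-hospital.test%2Fdoctors%2Fjane-doe%3Fcondition%3DAlzheimer%2527s" +
    "&rl=https%3A%2F%2Fwww.example-hospital.test%2Fsearch%3Fq%3Dpregnancy%2Btermination" +
    "&cd%5Bbutton_text%5D=Schedule%20Online%20Now&cd%5Bprovider%5D=Dr.%20Jane%20Doe",
  "https://www.google-analytics.com/collect?v=1&t=pageview",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const r of auditCapture(SAMPLE_CAPTURE, "www.example-hospital.test")) {
    console.log(r.tracker, r.event, JSON.stringify(r.leaks));
  }
}
```

Run against a real capture, the interesting output is the `leaks` list for the `meta-pixel` entry: anything that appears there left the site with the visitor's IP and, if present, Facebook's cookie, which is the "intimate receipt" the report describes.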
Land of the free (Score:4)
...collecting of private data.
If that was a foreign country, it would be considered an act of war.
Re:Land of the free (Score:5, Insightful)
In this case it might actually be a violation of HIPAA, since this is actually health care related PII being collected by a health care provider.
Re: (Score:2)
You probably signed away any rights when you checked in.
Re:Land of the free (Score:5, Insightful)
I understand your cynicism, but be aware that you can't sign away the rights granted by law. A hospital can't invalidate HIPAA with a EULA. So this is quite possibly a wide enough violation to result in very expensive class action lawsuits.
Re:Land of the free (Score:4, Interesting)
You absolutely CAN sign a HIPAA waiver of authorization to release your data to "researchers" tho.
https://www.theguardian.com/te... [theguardian.com]
Facebook is a medical researcher.
Re: (Score:1)
Aww, anonymous coward gonna coward.
It is exactly the same thing.
Facebook is a de facto research organization.
They have been approved by hundreds of governments to involve themselves with medical and public health research.
This is 100% acceptable under HIPAA.
You signed the waiver, don't scream at me about it.
Re: (Score:2)
Spare us the details and next time don't be so sloppy.
Re:Land of the free (Score:5, Insightful)
> You signed the waiver, don't scream at me about it.
And by not signing the waiver I can not get medical care, is that how it works? Do I have to sign the waiver in order to get anything from that hospital or do I have the option not to sign the waiver and still get my medical care?
If "no waiver, no medical care" then I still believe this should be illegal.
And I also take offence at the "if you use this website you agree to all rules I have written down there where you can not find them and if you find them it is in font size 2 in yellow on a white background" that probably made you believe that "I signed the waiver". You have no signature from me.
Re: (Score:3)
> And, I thought, HIPAA requires individual waivers or permissions for each individual you authorize to receive or inquire about your health information for that institution or custodian. Shouldn't also hospitals be required to notify you, specifically, of each entity they will share your data with, and solicit your permission, individually, for each?
No, that's not the law now. It ought to be. Blanket disclosures are no disclosures at all.
Re: (Score:2, Informative)
There's a difference between releasing for a specific purpose (research, allow insurance to pay the bill, etc.) versus a click-through EULA.
Last time I checked, HIPPA needed a signature, with a date, that was only valid for 12 months from the signed date. I honestly don't think the click-through EULA's going to cover them on this.
I work for a major health ins. company, and prior to that, a large company that handled processing of HIPPA data. Suffice it to say, the data for both companies is/was kept very
Re: (Score:2)
> Either that, or just a lot of naive folks that don't care what they give away so long as they get free stuff.
We got lots of free stuff on the 'net before they sold all this data. Remember those great Apple "choose mac" banner ads circa 2007 (particularly the one where PC hits a button to celebrate)? They weren't collecting my private info to decide whether I got that ad, it just came up in the carousel like any other banner.
It's only now that advertisers are addicted to this data, and solely because th
Re:Land of the free (Score:5, Insightful)
> I work for a major health ins. company, and prior to that, a large company that handled processing of HIPPA data.
You should probably know it's HIPAA, then.
Re: (Score:2)
> > I work for a major health ins. company, and prior to that, a large company that handled processing of HIPPA data.
> You should probably know it's HIPAA, then.
Sure, but typing is an almost entirely preconscious behavior for most regular computer users. The output of the human brain is unreliable; it loves to fudge shortcuts and reuse previous patterns. Except for the final vowel, English speakers say "hippa" the exact same way they say "hippo". People aren't running around saying "hype ahhh". It's completely understandable and very common that someone who knows H.I.P.A.A very well would still sometimes type "HIPPA" when typing in informal discussion where speed/g
Re:Land of the free (Score:5, Informative)
> You absolutely CAN sign a HIPAA waiver of authorization to release your data to "researchers" tho.
Did you actually read that citation?
and
So what your citation shows is that Facebook wanted some data, but they didn't get it, because they couldn't come to an agreement over privacy with "the American College of Cardiology (ACC) and Stanford University School of Medicine." And the expert doesn't see how it could have been legal for them to do so, either. It literally says the opposite of what you want it to say.
Re: (Score:3)
There won't be a class action under HIPAA, because HIPAA doesn't create a right of private action.
If your medical information has been exposed by this, you can file a complaint here: https://www.hhs.gov/hipaa/fili... [hhs.gov]
But you can't sue, the feds have to.
Re:Land of the free (Score:5, Insightful)
RTFA. They specifically say that they checked the terms and conditions both on the various medical sites and on Metabook, and neither had a disclaimer letting PII be sent to Fac-e-book.
Re: Land of the free (Score:2)
This isn't unique to US hospitals. Pharmacies in Sweden have also been sending data to facebook.
Re: (Score:2)
"In this case it might actually be a violation of HIPAA, since this is actually health care related PII being collected by a health care provider."
The Health Care Provider is liable according to HIPAA, third parties are not.
They have to protect the data.
Re: Liz Warren has a bill that would outlaw this (Score:2)
Like Homer Simpson said (Score:2)
This is distributed computing (Score:2)
Side effect or deliberate? (Score:2)
Also, the fact that the data is sent to Facebook, doesn't necessarily mean that they store it, abuse it, sell it.
Re: Side effect or deliberate? (Score:4, Insightful)
I can guarantee they store it, they store everything.
Re: (Score:3)
Something like Meta Pixel should not be allowed on these kinds of websites by default. Whoever is contracted to implement and support these websites from now on should be held liable for the violation.
Re: (Score:2)
They absolutely should. If your healthcare provider uses this, report them here: https://www.hhs.gov/hipaa/fili... [hhs.gov]
Re: (Score:2)
It is a bit of both. They develop a tool with the goal of collecting as much data as possible. And if they happen to "catch" some medical data, I guess they do not mind.
Re:doesn't necessarily mean that they store it ??? (Score:2)
Are you from the planet Zuck where he is Emperor for life?
Of course, they will use it, sell it and generally F'k with your life until long after you are pushing up the daisies.
The world as a whole would be a better place if Zuck had never been born.
Re: (Score:2)
> Also, the fact that the data is sent to Facebook, doesn't necessarily mean that they store it, abuse it, sell it.
Riiight... Because they implemented their tracking and spying technology for shitz and giggles.
It's not like they have a business that completely relies on storing, abusing and selling the data of internet users.
Your naivety is a miracle of science.
This is why (Score:3)
I use noscript to block Facebook's JavaScript from running on any site but Facebook.
Re:This is why (Score:4, Interesting)
The defaults need to be changed so that all browsers block this without any effort from the user. Mozilla and Google are both moving in that direction, but it's not fast enough.
Re: (Score:2)
It's kind of hard because with certain ad scripts the advertising server is needed for functionality, and so it could break some sites with certain advertisers. But yeah, why internet users give a free pass to DoubleClick, Facebook, etc. is beyond me.
Re: (Score:2)
They have to do so tentatively, lest they be accused of hampering the advertising efforts of competitors, to their own advantage.
Re: (Score:2)
Most companies auto block email image downloads, to prevent the scam server from knowing who, when, and if you actually read the email.
Re: (Score:2)
Stupid Microsoft won't on Hotmail. I've asked for the feature and I still haven't got it; you can't even go through your junk mailbox without it downloading images.
Not just personal information... (Score:4, Interesting)
This collecting of personal healthcare information is a clear violation of HIPAA. That makes it illegal not just offensive.
Re: (Score:3)
Pretty sure it's probably buried into the HIPAA consent form you agree to when signing up for the web portal.
Firefox (Score:2)
Doesn't Firefox block Facebook tracking by default?
Re:Firefox (Score:4, Informative)
Not really. You should still install the container: https://addons.mozilla.org/en-... [mozilla.org]
Re: (Score:2)
And also Fb Purity, and also Adblock for Facebook. And noscript, and block facebook.net with it.
Wrong target? (Score:2)
Okay, I like to bash invasive trackers as much as the next person, but is it really Meta that's at fault here?
The Pixel only submits information it's configured to collect, and by default, that set is fairly small. To me, it sounds more like the marketers at these medical centers/sites (mis-)configured their tracking to capture way too much data, in the hopes of being able to optimize their placement with it.
So it's not really a case of Meta being evil for me, the same way mass shootings are not the rifle's
Re: (Score:2)
Without rifles there wouldn't be mass shootings.
Without Faecesbook having the infrastructure in place to track everything you do everywhere, there wouldn't be potential illegal information gathering.
Re: (Score:2)
Yes, it's not Meta's fault if hospitals send them PII. The hospitals would be at fault.
I really don't get it (Score:2)
Re: (Score:2)
Is it, though? I don't think F*c*book is a "covered entity".
Re: (Score:3)
He's smart in certain ways. He's also really really stupid and clueless in a lot of other ways.
This is fairly normal for people that are very close to being autistic, I know this from experience :P
And frankly, yes, a lot of this is "his fault" if for nothing else than he's responsible for it, and decides to ignore all the warnings and issues, despite plenty of people telling him how his company is fucking up.
As the de-facto sole owner of the company, he's 100% responsible.
Over-reacting!!! (Score:5, Insightful)
You don't need to worry. There is no way Facebook would sell data to, say, Oklahoma or Texas about your appointment in another state with an abortion provider. Just to give one very specific example of what would never, ever happen. Never.
The same thing is true for your kids' data. No way they would store that information, blaming it on a system that was “not yet operating with complete accuracy,” and then sell that data. Accidentally. Everybody makes mistakes, but not Facebook!
Also inadvertently leaking appointment data that might be used by abusers to find their victims? Simply impossible. Computers are super-duper secure, dummy.
They don't need to sell it (Score:1)
Re: (Score:3)
> a prosecutor will subpoena the data and use it to convict the woman, sentencing her to life in jail for Murder 1.
Subpoenas come with a bunch of irritating, time-consuming legal process and scrutiny. Prosecutors (or, for that matter, concerned citizens) can skip all that by just buying the data.
Hilarious non-answers from some hospitals (Score:1)
My favourite one (Score:4, Interesting)
My favourite one is from Houston Methodist Hospital, in Texas, which responded that they are "confident" in Facebook’s safeguards. When the researchers showed them that the Meta Pixel sends your search ("Home abortion" in the example), along with the “Schedule Appointment” button being pressed, along with the name of the doctor, the hospital representative replied, more hilariously, that they don't consider it protected health information as “The click doesn’t mean they scheduled” and “It’s also worth noting that people often are exploring for a spouse, friend, elderly parent.”
So, as long as you mix in some false data along with the protected health data, it's no longer protected health data!
And the last gem from that same hospital:
Asin added that Houston Methodist believes Facebook “uses tools to detect and reject any health information, providing a barrier that prevents passage of [protected health information].”
Drinking the koolaid!
Google gets some of the same information (Score:2)
Many, many web sites contain links to google-analytics, google fonts, use jQuery from Google CDN, etc. Google sees the referer information on the requests and can track where a user goes. The referer information includes contents of GET forms which tells google even more about what we are doing. I would be very surprised if this is not analysed by google.
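The comment's point is that the Referer header on a cross-site fetch (fonts, analytics, a CDN copy of jQuery) can carry the full page URL, including the query string of a GET search form. What reaches the third party is decided by the page's Referrer-Policy, so the following added example (my own code, not from the comment, Google, or any browser) models that decision for every policy value and shows which ones let a `?q=` search term leave the site. The hospital host and search term are constructed; the policy semantics follow the W3C Referrer Policy specification, and the unset-policy default in current browsers is `strict-origin-when-cross-origin`.

```javascript
// Added example: compute the Referer value a browser sends for a request from
// fromUrl to toUrl under a given Referrer-Policy. Modeled on the W3C spec,
// not taken from any browser's source; ignores the header length cap.

function originOf(url) {
  return new URL(url).origin;
}

// Full referrer: the URL minus credentials and fragment.
function fullReferrer(url) {
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

function isSecure(url) {
  return new URL(url).protocol === "https:";
}

// Returns the Referer header value, or null when none is sent.
function refererFor(policy, fromUrl, toUrl) {
  const sameOrigin = originOf(fromUrl) === originOf(toUrl);
  const downgrade = isSecure(fromUrl) && !isSecure(toUrl); // https -> http
  const full = fullReferrer(fromUrl);
  const originOnly = originOf(fromUrl) + "/";
  switch (policy) {
    case "no-referrer": return null;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "origin": return originOnly;
    case "origin-when-cross-origin": return sameOrigin ? full : originOnly;
    case "same-origin": return sameOrigin ? full : null;
    case "strict-origin": return downgrade ? null : originOnly;
    case "strict-origin-when-cross-origin":
      return sameOrigin ? full : (downgrade ? null : originOnly);
    case "unsafe-url": return full;
    case "": // unset: the default applied by current browsers
      return refererFor("strict-origin-when-cross-origin", fromUrl, toUrl);
    default: throw new Error("unknown Referrer-Policy: " + policy);
  }
}

// The part a practitioner cares about: does the page's query string reach the
// third party? Returns the leaked query (without "?") or "" if nothing leaks.
function leakedQuery(policy, fromUrl, toUrl) {
  const ref = refererFor(policy, fromUrl, toUrl);
  if (ref === null) return "";
  return new URL(ref).search.replace(/^\?/, "");
}

const ALL_POLICIES = [
  "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
  "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url",
];

// Which policies leak the search term to a given third-party URL.
function leakingPolicies(fromUrl, toUrl) {
  return ALL_POLICIES.filter((p) => leakedQuery(p, fromUrl, toUrl) !== "");
}

// Constructed sample: a search results page embedding a Google Fonts stylesheet.
const PAGE = "https://www.example-hospital.test/search?q=pregnancy+termination";
const FONT = "https://fonts.googleapis.com/css?family=Roboto";

if (typeof require !== "undefined" && require.main === module) {
  for (const p of ALL_POLICIES) {
    console.log(p.padEnd(32), refererFor(p, PAGE, FONT));
  }
}
```

Under the modern default only the origin (`https://www.example-hospital.test/`) reaches the font or analytics host, but a site that still sets `unsafe-url` or `no-referrer-when-downgrade` sends the whole search URL; `same-origin` or `no-referrer` are the safe choices for pages whose URLs encode what the visitor was looking for.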
Re: (Score:2)
Google Analytics doesn't work with a pixel gathering all of your click data, though. They use a script that's easily blocked. Doubleclick on the other hand ...
And people think they can avoid Facebook (Score:3)
by deleting their account or not registering in the first place. <laughs>
Re: (Score:2)
Exactly. I've never had a Facebook account, but I assume they have an extensive shadow profile [wikipedia.org] on me.
To IP or not to IP that is the question. (Score:2)
> The data is connected to an IP address -- an identifier that's like a computer's mailing address and can generally be linked to a specific individual or household -- "creating an intimate receipt of the appointment request for Facebook."
Good enough of an association for a Facebook privacy story, but not good enough to catch someone pirating a movie, or music (it wasn't me said the guilty one).
Meta Pixel (Score:2)
Official Statement (Score:3)
It's not happening everywhere, at least (Score:1)
Gotta post AC. I just recently got a job working for a hospital here in the US. I am delighted to tell you all, this would not happen at the hospital where I work. A facebook resource being referenced by one our pages would be an extreme nono. It's not just that our techies wouldn't do it; it's that it would be explicitly against the rules. I could, theoretically, get fired for doing that. Thank goodness.
It's disappointing to hear this isn't the case at all hospitals. But cheer up; there really are some goo
Re: (Score:2)
Not sure whether the health plan I'm in does the FB thing. Will check next time I use them. But they do have a ton of outside connections even when you're logged in. IMO that should not happen - it's impossible to control what all those Other Companies do, contractually or otherwise. Just dumb. But profitable. Duh?
Why the FUCK isn't someone in jail over this? (Score:2)
Also how the actual FUCK are medical organizations participating in bullshit like this?
The Mother of all HIPAA Lawsuits... (Score:2)
... is likely to be in Meta's future. A class action lawsuit with members potentially numbering in the millions.
On what planet would collecting this information be deemed legal? HIPAA has been around since the mid-'90s. It's not like this could have been any kind of surprise to Meta's/Facebook's developers and management. Back when I went through HIPAA training and we developed the policies at the healthcare organization I was working for at the time, there had been a lot of discussion about a significant
I truly hate (Score:2)
Facebook is not alone (Score:2)
Anyone using MyChart also feeds a ton of information back to Google via its beloved (/s) AdSense/Google Tag network. I do run application firewalls to block advertisements, including these domains. Unless I remove the Google domains, I cannot open any private messages to/from my doctors. Why, I do not know. I too believed I had medical privacy and HIPAA was a thing (at least when I am building medical products, we respect them), but in the end I am just another product waiting to be sold for even higher pro
Add Big Data (Score:2)
This tells Facebook how many times a specific doctor provides a specific service. It sounds innocent but Big Data is able to de-anonymize the history of a specific person. The 'permanent record' meme is becoming a reality.
And, no one was shocked... (Score:1)
The question is, will government finally have the guts to do something about it?
Something meaningful, too. Not just a $100M or $200M fine. I mean seizing all of Zuckerfucker's assets, just like the West is doing with the Russian sociopaths.
I won't hold my breath.