In letter to Zuckerberg, senator seeks clarity on how Facebook collects health information

Facebook CEO Mark Zuckerberg testifies remotely as U.S. Sen. John Kennedy, R-La., listens during a Senate Judiciary Committee hearing on Nov. 17, 2020, in Washington. (Photo by Hannah McKay/Pool via Getty Images)

Following Advocate Aurora Health’s notice to 3 million patients of privacy violations due to its use of Facebook’s Pixel on its patient portal and applications, Sen. Mark Warner, D-Va., sent a letter to Meta CEO Mark Zuckerberg seeking information on the company’s practice of collecting consumer health information through its tracking tool.

Warner asks: “Where required by law, does Meta always comply with any and all notification requirements when the Meta Pixel handles or transmits protected information, in the manner and time required by such laws?”

The senator’s letter follows a WakeMed notification to 495,000 of its patients informing them of the impermissible disclosure of their information to third parties due to its use of Pixels. Novant Health ACE released a similar notice just one month after multiple reports revealed that hospital websites using Pixel were inadvertently sharing patient data with the social media giant.

The scraped data shared with Facebook included medical conditions, reasons for the appointment, provider names, contact details, IP addresses, and information about the appointments. Some users have even shared that they've been targeted by advertisements on Meta platforms.

The Meta Pixel is installed on an estimated 33 out of the 100 hospitals in the U.S., as well as patient portals used by seven health systems, which means the public may see more of these patient notifications for the foreseeable future.

Parent company Meta is currently defending itself from multiple consumer-led lawsuits over these allegations.

Warner, a staunch advocate for consumer privacy and cybersecurity, “is troubled by the recent revelations,” and his letter demands transparency into these practices, given their violation of patient privacy and the lack of user consent to them.

The “last two years have shown us the importance of health care technology, with many relying on electronic health records, online appointment booking, and virtual patient portals to receive care during the pandemic,” Warner wrote. As healthcare increasingly moves online, strong safeguards are paramount for these platforms to protect sensitive health information.

Referencing past issues with Pixel and its use on the Free Application for Federal Student Aid website and a report from the New York State Department of Financial Services that found similar data scraping practices, Warner fears “these continuing privacy violations and harmful uses of health data could become the new status quo in health care and public health.”

What’s more, it appears Meta is violating its own business guidelines by enabling its tool to obtain personal data. As the senator observed, the policy states the company doesn’t “want websites or apps sending [Meta] sensitive information about people.”

“Yet, in this most recent case and as we have seen previously, Meta is continuing to access this highly sensitive information,” Warner noted. “How does Meta handle sensitive information that it receives from third parties that violate its business guidelines?”

Zuckerberg is asked to promptly provide Warner with details on the precise information Meta previously and currently has access to or receives directly from Pixel, as well as how it stores the information it receives through the tool. Warner also wants to understand how it’s protecting the health information it receives, “particularly with third-party vendors.”

Warner also wants to know what Meta has done in the wake of the damning reports on the Pixel data scraping, as well as the report from the NYDFS that showed Meta’s “filtering system was ‘not yet operating with complete accuracy.’”

In short, Zuckerberg needs to explain how the company has improved the effectiveness of its filtering system, in addition to the testing and evaluation used to determine the ability to identify sensitive health information. Lastly, the senator wants to know whether the data Meta has received from Pixel has indeed been used to inform targeted advertisements on its platforms.

“It is critical that technology companies like Meta take seriously their role in protecting user health data,” Warner concluded.

Reports show the North Carolina Attorney General has launched its own investigation into these dubious practices.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
