Meta is always watching you

A tool installed on many US hospitals’ websites has been collecting patients’ sensitive health information—including details about their medical conditions, prescriptions, and doctor’s appointments—and sending it to Facebook.

The Markup, a newsroom that investigates Big Tech, tested the websites of Newsweek’s top 100 hospitals in America. It found that 33 of them had Meta Pixel, a tracker that sends Facebook a packet of data whenever a person clicks a button to schedule a doctor’s appointment.

Meta hits its targets

The Meta Pixel is a snippet of code that tracks users as they navigate a website, logging which pages they visit, which buttons they click, and certain information they enter into forms. It’s one of the most prolific tracking tools on the internet—present on more than 30% of the most popular sites on the web, according to The Markup’s analysis.

In exchange for installing its Pixel, Meta provides website owners analytics about the ads they’ve placed on Facebook and Instagram and tools to target people who’ve visited their website.

The Meta Pixel sends information to Facebook via scripts running in a person’s internet browser, so each data packet comes labeled with an IP address that can be used in combination with other data to identify an individual or household. 

Former regulators, health data security experts, and privacy advocates who reviewed The Markup’s findings said the hospitals in question may have violated the federal Health Insurance Portability and Accountability Act (HIPAA). The law prohibits covered entities like hospitals from sharing personally identifiable health information with third parties like Facebook, except when an individual has expressly consented in advance or under certain contracts. 

Neither the hospitals nor Meta said they had such contracts in place, and The Markup found no evidence that the hospitals or Meta were otherwise obtaining patients’ express consent.

After reviewing The Markup’s findings, Froedtert Hospital removed the Meta Pixel from its website “out of an abundance of caution,” Steve Schooff, a spokesperson for the hospital, wrote in a statement.

As of June 15, six other hospitals had also removed Meta Pixel from their appointment booking pages and at least five of the seven health systems that had Meta Pixels installed in their patient portals had removed those pixels.

The 33 hospitals that The Markup found sending patient appointment details to Facebook collectively reported more than 26 million patient admissions and outpatient visits in 2020, according to the most recent data available from the American Hospital Association. “Our investigation was limited to just over 100 hospitals, the data sharing likely affects many more patients and institutions than we identified,” The Markup shared. 

Facebook itself is not subject to the HIPAA, but experts expressed concerns about how the advertising giant might use the personal health data it’s collecting for its own profit.

A little too easy

Meta makes Pixel available and free of charge to businesses to embed in their sites. Pixel collects and sends site visitor data to Meta, and Meta can match this to a user’s profile on Facebook or Instagram, giving it much more insight into that user. There are also cases where Meta collects data about people who don’t even have Facebook or Instagram accounts. 

Some data, like a visitor’s IP address, is collected by Meta automatically. But developers can also set up Pixel to track what it calls events or various actions users take on the site. That may include links they click on or responses in forms they fill out, and it helps businesses better understand users or focus on specific behaviors or actions.

All this data can then be used to target ads at those people, or to create what’s known as “lookalike audiences.” This involves a business asking Meta to send ads to people who Meta believes are similar to its existing customers. The more data Meta gets from businesses through those trackers, the better it should be able to target ads. Meta may also use that data to improve its own products and services, and businesses may use Pixel data for analytics to improve their products and services as well.

It’s a known fact, Meta has played an instrumental role in building the privacy-free, data-leaking online world we must navigate today. The tech giant offers a tracking system designed to suck up data from millions of sites and spin it into advertising gold, and it knows very well that there are many cases where the tool was implemented poorly at best and abused at worst.  

Are there any “safe spaces” on the internet anymore?