What websites do you browse? What do you search for on Google? Where do you go? They have all of that data and more, and many people think it doesn't matter. So what if they find out I spend hours on the ESPN Fantasy Sports site every day? So what if they find out I asked Google how to dream better dreams? So what if my friends learned I lied when I said I was 3 blocks away? So what?
That's only the data you know they have on you. What else do they have?
Your personal health data are out there, too.
That has been revealed by this recent article about hospitals sending your private health information to Facebook (link).
Are you one of those who love the convenience of doing everything online? Make appointments online? Fill out digital forms? Anything to avoid human-to-human interaction?
Well, the hospitals are letting Facebook place a "Meta Pixel" on the hospital's pages. It not only knows you are on those pages, it captures everything you do, including the information you enter onto the forms. On some of these websites, when you make an appointment with your doctor, Facebook gets notified who you are, who your doctor is, and the reason for your visit. In one case, the investigators observed that Facebook was sent a patient's medication, dosage, and doctor's notes about the medication. In another case, the investigators found that Facebook was sent the search terms used by the patient to find the doctor.
Imagine generously that Facebook is using this data purely to benefit you. Let's say, Facebook obtains the prices you pay for your drugs to alert you that you're being scammed. If Facebook tells you that's what they are doing, would you happily sign up for this benefit?
When much of this data collection happens without notifying patients, it creates the impression that Facebook has something to hide.
Perhaps they do. The advertisers to whom Facebook answers aren't interested in spending money with Facebook in order to reduce their future revenues by lowering our prices. It's always more likely that the algorithms are finding ways to increase revenues, which happens if we pay higher prices or if we buy more than the usual amount.
***
As usual, Facebook's PR team makes things worse by issuing this pathetic excuse:
“If Meta’s signals filtering systems detect that a business is sending potentially sensitive health data from their app or website through their use of Meta Business Tools, which in some cases can happen in error, that potentially sensitive data will be removed before it can be stored in our ads systems,”
This statement suggests that Facebook is the victim of some pointless exercise by those hospitals to give Facebook patient data without being asked. It suggests that data magically flow from one place to another ("happen in error") when engineers must specify exactly which fields are to be sent, package the data up into an object, and direct the object to a receiving party, who must open up their systems to receive the object!
***
Do these hospitals really want to send patient data to Facebook? I highly doubt it. The way Facebook deals with businesses is similar to how they deal with people. The data are being collected under the guise of something else. In this case, the Meta Pixel is an integral part of the Facebook advertising universe, which is intricately tied to the Facebook reporting system. These reports track interactions on websites. These hospitals most likely advertise on Facebook to drive users to their websites. So, the marketing teams want to understand what keywords people use to find them, what they do on the website and so on.
Since Facebook develops the reporting system as a way to prove to advertisers the effectiveness of Facebook promotions, there is no reason why Facebook needs to know someone's allergies or disease status. Thus, such data elements are not pre-programmed. So don't think that someone isn't writing special code to capture such information, and someone else isn't designing customized reports to analyze such data.
It may not be of grave concern if the hospitals are learning about their own patients. What is troubling is that in this process, the personal health data end up in Facebook's vast data ecosystem. Facebook has no obligations under HIPAA since it's not a healthcare provider. Also, if someone is logged on to Facebook, or is using Facebook to log on to any other service, or visits a site showing Facebook Like buttons, it's almost a sure bet that Facebook has linked the person's health data to everything Facebook knows about them.
These hospitals and Facebook have essentially entered into a Faustian bargain. The hospitals believe that advertising on Facebook enhances their bottom line; Facebook creates the impression that advertising effectiveness improves with the use of the Meta Pixel; the hospitals - not Facebook - voluntarily place the Facebook pixel on their websites; Facebook engineers imbue the pixel with its data-tracking functionality; both sides wink at each other, and keep their mouths shut tight.
***
The Markup found that one-third of the top 100 hospitals use Meta Pixel. Facebook has become the poster child for this type of news but the reality is there are hundreds of other companies in the same game, quietly collecting our data day in, day out.
Some of these hospitals have since removed the Meta Pixel - but are they sending data out to any of those other industry players?
***
A shoutout to the team at The Markup and Mozilla who found a way to expose this practice. This is not straightforward because random third parties can't just intercept the data flow between the hospitals' websites and Facebook. They set up a "Pixel Hunt" project in which enrolled users (in this case, patients) permit the research team to see what data are being passed on.
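A site owner does not need enrolled patients to run the same kind of check on their own pages. The following is an added example, not code from The Markup, Mozilla or this post: a tester types made-up "canary" values into the site's forms, exports the browser's network log as a HAR file, and the script lists every third-party request that carries a canary. The hostnames, canary values and sample requests are constructed, and the SHA-256 comparison is an assumption that a tracker may hash a value before sending it.

```python
import hashlib
from urllib.parse import urlsplit, parse_qsl

# Constructed test values typed into the site's forms (not real patient data).
CANARIES = {"reason": "canary-rash-7731", "email": "canary7731@example.test"}

def _params(request):
    """Yield (name, value) pairs from the query string and a form-encoded POST body."""
    yield from parse_qsl(urlsplit(request["url"]).query, keep_blank_values=True)
    body = request.get("postData", {}).get("text", "")
    yield from parse_qsl(body, keep_blank_values=True)

def _forms(value):
    """Raw and SHA-256 forms of a canary (hashing before sending is an assumption)."""
    norm = value.strip().lower()
    return {norm: "raw", hashlib.sha256(norm.encode()).hexdigest(): "sha256"}

def audit_har(har, first_party, canaries=CANARIES):
    """Return one finding per canary seen in a request to a host outside first_party."""
    findings = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        host = urlsplit(req["url"]).hostname or ""
        if host == first_party or host.endswith("." + first_party):
            continue  # same-site traffic is out of scope for this check
        for name, value in _params(req):
            for field, canary in canaries.items():
                for needle, form in _forms(canary).items():
                    if needle in value.lower():
                        findings.append({"host": host, "param": name,
                                         "field": field, "form": form})
    return findings

# Constructed HAR fragment: one first-party request, one pixel-style request that
# carries the page URL (search/reason text included), one POST with a hashed email.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://hospital.example/appointments?reason=canary-rash-7731"}},
    {"request": {"url": "https://www.facebook.com/tr?id=000&ev=PageView&dl=https%3A%2F%2F"
                        "hospital.example%2Fappointments%3Freason%3Dcanary-rash-7731"}},
    {"request": {"url": "https://tracker.example/collect", "postData": {"text":
        "em=" + hashlib.sha256(b"canary7731@example.test").hexdigest()}}},
]}}

if __name__ == "__main__":
    for finding in audit_har(SAMPLE_HAR, "hospital.example"):
        print(finding)
```

Any finding means a value entered on the page left the site's own domain; the `param` field shows which request parameter carried it, which is where to look in the tag configuration.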