- A Meta tracker on 33 hospital websites collected visitors' confidential data, The Markup reported.
- The code tagged the data to visitors' IP addresses, which could identify who they were.
- Sharing this information with Meta could be a violation of federal law, experts told The Markup.
In what experts say could be a violation of federal law, some hospitals have been sharing users' personal medical information with Meta, a new report from The Markup found.
Under the Health Insurance Portability and Accountability Act (HIPAA), hospitals are required to safeguard sensitive medical data and not share it with external organizations. But 33 of the top 100 hospitals in the US, including Johns Hopkins Hospital and New York-Presbyterian, had a tracker called Meta Pixel on their sites, per the June 16 report from The Markup.
Meta Pixel is a snippet of code that logs visitors' activity and sends the data to Meta. Meta analyzes the data and lets website owners know how effective their ads are on Facebook and Instagram. But Meta Pixel also captured data including reasons for medical appointments and names of patients' doctors when people tried to schedule appointments on these hospitals' sites, The Markup found. The outlet found "pregnancy termination" and "Alzheimer's" listed as reasons for consultation among the Meta Pixel data.
The outlet found that seven health systems shared details about patients' allergies, medications, upcoming appointments, and their sexual orientation with Meta via Meta Pixel.
Regulatory and data privacy experts told The Markup the hospitals may have violated HIPAA. That's because Meta's code also captured the visitor's IP address, making it possible for external parties to link specific individuals to the data.
Seven hospitals and five health systems removed Meta Pixel from their sites after The Markup approached them. The Markup said it wasn't sure if Meta profited from the data it received. A Meta spokesperson did not respond to the outlet's questions, but did point to the company's policy, which states that its system can identify and remove confidential health data before it gets stored in a database. While Meta isn't subject to HIPAA, the company said in 2018 that it would stop using data from third parties to target users.
Some experts took to Twitter to voice concerns about The Markup's findings.
Last month, Politico reported that the Supreme Court could overturn Roe v. Wade, the landmark 1973 decision that guaranteed abortion rights. David Vanness, a health policy and administration professor at Penn State University, tweeted on Thursday: "The potential uses of this information are terrifying - particularly in a post-Roe world!"
A venture capitalist urged tech companies to play their part in preventing privacy breaches. "As the data privacy debate continues, it seems Meta has crossed another line, this time in healthcare," Alyssa Jaffee, a partner at healthcare venture fund 7wireVentures, tweeted on Thursday.
Meta, Johns Hopkins Hospital, and New York-Presbyterian did not immediately respond to Insider's requests for comment.