A tracking tool installed on many hospitals’ websites has been collecting patients’ sensitive health information—including details about their medical conditions, prescriptions, and doctor’s appointments—and sending it to Facebook.
The Markup tested the websites of Newsweek’s top 100 hospitals in America. On 33 of them we found the tracker, called the Meta Pixel, sending Facebook a packet of data whenever a person clicked a button to schedule a doctor’s appointment. The data is connected to an IP address—an identifier that’s like a computer’s mailing address and can generally be linked to a specific individual or household—creating an intimate receipt of the appointment request for Facebook…
The Markup was unable to determine whether Facebook used the data to target advertisements, train its recommendation algorithms, or profit in other ways.
Todd Feathers, Simon Fondrie-Teitler, Angie Waller, and Surya Mattu, “Facebook Is Receiving Sensitive Medical Information from Hospital Websites” at The Markup (June 16, 2022)
Neither Facebook nor most of the hospitals have been especially co-operative in discussing the situation. So how or whether the sensitive data was used would be hard to determine. But Facebook engineers told Vice last year that “We do not have an adequate level of control and explainability over how our systems use data.”
It isn’t just an invasion of privacy. If substantiated, it is probably illegal, sources say:
On hospital websites, that could include sensitive health information connected to a patient’s IP address. On one hospital website, clicking the scheduling button sent Facebook a doctor’s name and the condition — “Alzheimer’s” — that the appointment was scheduled for…
Under HIPAA [Health Insurance Portability and Accountability Act], hospitals aren’t allowed to share identifiable health information with third parties without patients’ consent. They can use and share anonymized data (and often do). But information linked to an IP address can classify data as identifiable health information, which has additional protections.
Nicole Wetsman, “Hospital websites are sending medical information to Facebook” at The Verge (June 16, 2022)
According to The Verge, seven hospitals have removed the Meta Pixel that enables the transfer.
Meanwhile, the day after the June 16 revelation, a lawsuit was filed “by an anonymous patient of Baltimore’s Medstar Health System on the behalf of ‘millions of other Americans whose medical privacy has been violated by Facebook’s Pixel tracking tool.’” (Fierce Healthcare, June 21, 2022)
Of course, many hospitals other than the “top” ones may have been using the tracker as well:
For their report, Markup investigators looked at the websites of the top 100 American hospitals included in Newsweek’s “World’s Best Hospitals 2022.” As of June 15, they had found the tracker on 33 of the 100 hospitals.
According to the lawsuit, though, the plaintiff has identified “at least 664 hospital systems or medical provider web properties where Facebook has received patient data via the Facebook Pixel,” reports Fierce Healthcare.
Trent Straube, “Hospital Patient Data Secretly Sent to Facebook, Alleges Lawsuit” at Cancer Health (June 22, 2022)
Facebook has routinely gotten away with privacy violations since the early days
By 2018, the picture was pretty clear:
Barely two years old in 2006, the company faced user outrage when it introduced its News Feed. A year later it had to apologize for telling people what their friends had bought. Years after that, the Federal Trade Commission stepped in — and is now looking at the company again. Facebook has a history of running afoul of regulators and weathering user anger, all the while collecting record profits and racking up more than 2 billion users.
Alyssa Newcomb, “A timeline of Facebook’s privacy issues — and its responses” at NBC News (March 24, 2018)
And in 2020? TechRepublic analyzed the Cambridge Analytica privacy breach scandal in detail:
The Facebook data privacy scandal centers around the collection of personally identifiable information of “up to 87 million people” by the political consulting and strategic communication firm Cambridge Analytica. That company–and others–were able to gain access to personal data of Facebook users due to the confluence of a variety of factors, broadly including inadequate safeguards against companies engaging in data harvesting, little to no oversight of developers by Facebook, developer abuse of the Facebook API, and users agreeing to overly broad terms and conditions…
Researchers associated with Cambridge University claimed in a paper that it “can be used to automatically and accurately predict a range of highly sensitive personal attributes including: sexual orientation, ethnicity, religious and political views, personality traits, intelligence, happiness, use of addictive substances, parental separation, age, and gender,” with a model developed by the researchers that uses a combination of dimensionality reduction and logistic/linear regression to infer this information about users.
TechRepublic staff in Security, “Facebook data privacy scandal: A cheat sheet” at TechRepublic (July 20, 2020)
The Cambridge Analytica privacy breach got a great deal of attention among pundits because many believed that it helped make Donald Trump U.S. president in 2016. Unfortunately, TechRepublic also notes, it wasn’t unusual behavior for Facebook: “other companies have likely used similar tactics to collect personal data of Facebook users.” So… what about the breaches that don’t get as much publicity? Some of them might affect many of us more.
And by 2021, with the parent company morphing into “Meta,” Facebook is being described even in staid quarters as a “privacy nightmare”:
Trust in Facebook is low, and experts remain sceptical about the safety and privacy implications of the metaverse.
As Jake Moore, cybersecurity specialist at security company ESET points out, Facebook’s average age is 41 and that’s increasing each year—the social network will do what it needs to do to reach younger audiences. “Younger users is where their future lies, and they have come up with something that could be quite addictive to younger audiences. It’s what they are trying to focus on but they don’t know exactly where this is going to take them—it’s a good stab at future proofing their business model.”
Kate O’Flaherty, “Why Facebook’s Metaverse Is A Privacy Nightmare” at Forbes (November 13, 2021)
For young Facebook users, privacy might not even be a memory, as it is with the older ones.
And now, 2022? At 2 billion users worldwide, Facebook is bigger than many governments. It is domiciled in the United States, possibly in part due to the protections of the First Amendment (free speech) and Section 230 of the Communications Decency Act. Big Tech execs are accustomed to heading to Congress every now and then to receive a smart slap on the wrist, “spare change” fines — and nothing more. If privacy breaches begin to cause serious harm, meaningful action — yes or no — could become a political issue. Serious health issues might be just the catalyst.