Four of NC’s largest health care providers sent patient information to Facebook

The Facebook app is shown on a smartphone. AP

Four of North Carolina’s largest health care systems sent sensitive health information to Facebook, according to a report published Thursday morning by The Markup and STAT.

The providers used a digital tracker called Meta Pixel in their patient portals or appointment scheduling websites, which could have sent Facebook information about patients’ health conditions, allergies and, in the case of Novant Health, sexual orientations.

That data was sent to the advertising giant along with an IP address, which could be used to trace the health data back to a specific individual or household.

It’s unclear what, if anything, Facebook does with information from the hospitals. The company claims to filter out sensitive health information before it reaches the ads system, but concerns have been raised about how well those filters work.

The health care providers implicated in the article, Duke University Hospital, Atrium Health Carolinas Medical Center, WakeMed and Novant Health, recorded more than 4 million admissions and outpatient appointments in 2020, according to data from the American Hospital Association.

The Markup is a nonprofit news organization that focuses on how organizations use technology. STAT is a news organization that covers health care.

Their investigation found that Duke University Hospital and Atrium Health Carolinas Medical Center used the tracking tool on their online appointment scheduling page.

Atrium Health’s scheduling page asks patients to input the condition they’re seeking care for, their age and their location. A spokesperson for the health system responded to a request for comment after the story was first published online Thursday.

“Because privacy is critically important to us, we have stringent, effective safeguards in place in our digital environment,” the spokesperson said. “We will continue to monitor and validate the tools we use to best serve our communities.”

As of Friday morning, Atrium Health was still sending data to Facebook.

Duke Health removed Meta Pixel from its scheduling page Thursday morning after the report brought the issue to the hospital’s attention.

“Duke Health is committed to protecting the privacy of health information of our patients,” officials said in a statement.

They did not respond to questions about why the tracking tool was there in the first place. Meta, Facebook’s parent company, markets Pixel as a way for companies to track the effectiveness of targeted advertisements by following users’ online activity after they see the ad in question. It can also be used to show companies who has already visited their website so they can direct advertisements toward them.

WakeMed and Novant Health were two of seven health systems identified nationwide that used Pixel in their patients’ password-protected portals. Facebook could have gained access to even more sensitive information from confidential health records.

For example, The Markup found that the tracker installed on Novant Health’s patient portal shared patients’ sexual orientation, allergies, and the names and dosages of their prescriptions.

A spokesperson for Novant Health said the system contracted a third-party vendor about two years ago to help encourage people to sign up for MyChart, a portal patients can use to access medical records and schedule appointments. As part of that campaign, Novant Health used Pixel to determine how many people signed up for MyChart, not what they did after they signed in, the spokesperson said.

“We take privacy and the care of patient information very seriously at Novant Health and we value the trust our patients place in us to keep their medical information private,” the spokesperson said. “When we were notified about this Meta Pixel, we immediately removed the pixel while we investigate the matter.”

Novant also cited a section of Facebook’s Terms and Conditions that says the company blocks personal data. Meta told New York investigators that this function was “not yet operating with complete accuracy” in 2021.

Legal experts cited in the article said the use of Meta Pixel in patient portals could be a breach of the Health Insurance Portability and Accountability Act, which forbids hospitals from sharing personally identifiable health information. Under the federal law, an IP address is considered a HIPAA identifier, which can be used to link someone’s identity to health information.

WakeMed also removed Pixel after being contacted by The Markup.

“WakeMed takes the privacy and security of our patients’ information very seriously,” a spokesperson for the health system said Thursday evening, after the story initially published. “We continue to evaluate the matter.”

Teddy Rosenbluth covers science for The News & Observer in a position funded by Duke Health and the Burroughs Wellcome Fund. The N&O maintains full editorial control of the work.

This story was originally published June 16, 2022 at 2:28 PM with the headline "Four of NC’s largest health care providers sent patient information to Facebook."

Teddy Rosenbluth
The News & Observer
Teddy Rosenbluth covers science for The News & Observer in a position funded by Duke Health and the Burroughs Wellcome Fund. She has covered science and health care for Los Angeles Magazine, the Santa Monica Daily Press, and the Concord Monitor. Her investigative reporting has brought her everywhere from the streets of Los Angeles to the hospitals of New Delhi. She graduated from UCLA with a bachelor’s degree in psychobiology.