U.S. Sen. Mark R. Warner, D-Va., raised concerns this week about the tracking and collection of patient health data by Facebook parent company Meta.
WHY IT MATTERS
In an Oct. 20 letter sent to Meta CEO Mark Zuckerberg, Sen. Warner posed a series of questions about patient privacy and the company’s collection practices.
Specifically, Warner said he was worried about a particular tiny piece of code that has drawn concern in recent months for its use in healthcare websites and apps.
“I write to you today to express my concern regarding Meta’s collection of sensitive health information through the Meta Pixel tracking tool without user consent,” wrote Warner.
“As you know, I have long worked to protect user privacy and increase transparency around how user data is collected and shared,” he said. “This mission is more urgent than ever as the last two years have shown us the importance of healthcare technology, with many relying on electronic health records, online appointment booking, and virtual patient portals to receive care during the pandemic.”
Warner specified his concerns about recent allegations that healthcare consumer data harvested by Meta Pixel has helped with deployment of user-targeted advertisements on Meta’s platforms.
“The use of the Meta Pixel is widespread, as the tool was installed in the systems of 33 of the top 100 hospitals in the country and inside the patient portals of seven health systems at the time of the investigation,” said Warner.
“It is critical that technology companies like Meta take seriously their role in protecting user health data,” he said. “Without meaningful action, I fear that these continuing privacy violations and harmful uses of health data could become the new status quo in health care and public health.”
As such, the senator has asked Zuckerberg to answer seven questions before November 3:
-
What information does Meta have access to or receive directly from the Meta Pixel, either currently or previously?
-
How does Meta store information received through the Meta Pixel?
-
Has information Meta received from the Meta Pixel ever been used to inform targeted advertisements on Meta’s platforms?
-
How does Meta handle sensitive information that it receives from third parties that violate its business guidelines?
-
What steps is Meta taking to safeguard sensitive health information, particularly with third-party vendors? Since the release of The Markup’s report in June, what additional steps have been taken?
-
According to the report released by the New York State Department of Financial Services last year, Meta stated that the filtering system was “not yet operating with complete accuracy.” What improvements have been made to make the filtering system more effective? How is Meta testing and evaluating the filtering system’s ability to identify sensitive health information?
-
Where required by law, does Meta always comply with any and all notification requirements when the Meta Pixel handles or transmits protected information, in the manner and time required by such laws?
THE LARGER TREND
Sen. Warner’s letter comes the same week as news emerged of a potential data breach at Illinois- and Wisconsin-based Advocate Aurora Health that reportedly involved pixel-tracking technology. The breach could affect as many as 3 million people.
“We learned that pixels or similar technologies installed on our patient portals available through MyChart and LiveWell websites and applications, as well as on some of our scheduling widgets, transmitted certain patient information to the third-party vendors that provided us with the pixel technology,” said Advocate Aurora officials in a notice of data breach .
They told patients that different users may have been affected in different ways, depending on “their choice of browser; the configuration of their browsers; their blocking, clearing or use of cookies; whether they have Facebook or Google accounts; whether they were logged into Facebook or Google; and the specific actions taken on the platform by the user.”
In response, the health system has “disabled and/or removed the pixels from our platforms and launched an internal investigation to better understand what patient information was transmitted to our vendors.”
Warner has prioritized patient protections around user data and privacy, and has introduced bipartisan legislation on Capitol Hill, the 2019 DASHBOARD Act, which aims to increase transparency around data collection.
Other bills he’s cosponsored include the 2021 DETOUR Act, which would prohibit companies such as Meta from using so-called “dark patterns” to manipulate users into sharing their data.
And the 2021 Public Health Emergency Privacy Act would strengthen safeguards and data security rights around contact tracing, home testing, online appointment booking and more.
ON THE RECORD
“I am troubled by the recent revelation that the Meta Pixel was installed on a number of hospital websites – including password-protected patient portals – and sending sensitive health information to Meta when a patient scheduled an appointment online,” wrote Sen. Warner.
“This data included highly personal health data, including patients’ medical conditions, appointment topics, physician names, email addresses, phone numbers, IP addresses, and other details about patients’ medical appointments.”
In a new era of telehealth and virtual care, patient-generated health data, digital therapeutics and other consumer-focused innovations, such concerns are very real, he said.
“As we increasingly move healthcare online, we must ensure there are strong safeguards in place surrounding the use of these technologies to protect sensitive health information,” said Warner.
