Meta faces mounting questions from Congress on health data privacy

Meta is struggling with mounting questions about its access to sensitive healthcare details pursuing a Markup investigation that uncovered the company’s pixel tracking tool gathering details about patients’ doctor’s appointments, prescriptions, and health and fitness situations on clinic internet websites.

During a Senate Homeland Stability and Governmental Affairs Committee hearing on Sept. 14, Sen. Jon Ossoff (D-Ga.) requested that Meta — the dad or mum firm of Fb and Instagram — give a “comprehensive and precise” accounting of the health-related info it keeps on buyers.

“There’s been significant community reporting, controversy, and worry about the Meta Pixel product or service and the chance that its deployment on different clinic systems’ internet sites, for instance, has enabled Meta to accumulate non-public well being care info,” Ossoff stated.


“We require to fully grasp, as the U.S. Congress, whether or not or not Meta is amassing, has collected, has obtain to, or is storing, professional medical or health info for U.S. folks,” he added.

In response to Ossoff’s problem about whether or not Meta has medical or health treatment details about its consumers, Meta Main Product Officer Chris Cox responded, “Not to my know-how.” Cox also promised to abide by up with a composed reaction to the committee.


In June, The Markup reported that Meta Pixels on the web sites of 33 of Newsweek’s best 100 hospitals in America had been transmitting the specifics of patients’ doctor’s appointments to Meta when people booked on the web-sites. We also identified Meta Pixels within the password-protected affected person portals of 7 overall health methods amassing knowledge about patients’ prescriptions, sexual orientation, and health and fitness disorders.

Former regulators informed The Markup that the hospitals’ use of the pixel may have violated the Wellbeing Facts Portability and Accountability Act (HIPAA) prohibitions against sharing protected well being facts.

“Advertisers ought to not mail sensitive information about individuals by our Organization Resources,” Meta spokesperson Dale Hogan wrote to The Markup in an emailed assertion. “Doing so is towards our guidelines and we educate advertisers on thoroughly placing up Business equipment to prevent this from happening. Our procedure is built to filter out likely sensitive knowledge it is capable to detect.”

Since The Markup’s investigation:

  • As of Sept. 15, 28 of the 33 hospitals have taken out the Meta Pixel from their physician scheduling pages or blocked it from sending client data to Fb. At minimum 6 of the 7 wellness units experienced also taken off the pixels from their patient portals. The Markup attained out to the establishments that eliminated the pixel from their web-sites immediately after our investigation released in June. As of push time, three establishments — Sanford Wellness, El Camino Health and fitness, and Henry Ford Wellness — had responded. Read their statements listed here.
  • 1 overall health system, North Carolina-dependent Novant Health and fitness, mailed knowledge breach notifications to 3 million customers following The Markup’s report. In the breach notification, Novant Overall health said the pixel was additional as aspect of a promotional campaign to persuade use of Novant’s MyChart affected individual portal, but “the pixel was configured improperly and may perhaps have authorized sure non-public details to be transmitted to Meta.” On Sept. 16, Novant amended its facts breach notification post to condition that Meta informed the company that it “generally” filtered out patients’ delicate professional medical facts and that it did “not have information and facts to return or destroy.” 
  • The North Carolina legal professional general’s business stated it was “actively investigating” the hospitals’ details sharing just after phone calls from point out lawmakers for a probe.
  • At minimum 5 class-motion lawsuits have been submitted in opposition to Meta contending that the pixel’s facts selection on clinic websites broke numerous condition and federal laws. One particular, filed against the organization on behalf of a Baltimore-based mostly MedStar Wellness Method client, promises that Meta Pixels gathered individual data from at least 664 various hospitals’ web sites. The other lawsuits were being brought on behalf of sufferers of Novant Well being and hospitals in San Francisco, Los Angeles, and Chicago. 

In the meantime, developments in one more lawful case suggest Meta may well have a tough time giving the Senate committee with a entire account of the delicate health facts it retains on customers.

In March, two Meta workforce testifying in a scenario about the Cambridge Analytica scandal explained to the U.S. District Court docket for the Northern District of California that it would be really tough for the organization to monitor down all the data connected with a single user account.

“It would choose numerous groups on the advertisement facet to keep track of down exactly the—where the information flows,” one Facebook engineer claimed, in accordance to the transcript, which was initial documented by The Intercept. “I would be amazed if there’s even a one particular person that can answer that slim question conclusively.”

The engineers’ remarks echo the same problems expressed in a 2021 privacy memo published by Fb engineers that was leaked to Vice.

“We do not have an adequate degree of management and explainability about how our techniques use data, and thus we cannot confidently make controlled policy alterations or exterior commitments these kinds of as ‘we will not use X knowledge for Y objective,’” the memo’s authors wrote.

This posting was co-posted with The Markup, a nonprofit newsroom that investigates how impressive establishments are employing technological know-how to alter our modern society. Sign up for its newsletters listed here.

By Percy