An investigation by The Markup into online tracking by hospitals was recognized by the Association for Health Care Journalists, winning third place in the large investigative category of AHCJ’s Awards for Excellence in Health Care Journalism.
AHCJ awards the best health reporting in print, broadcast, and online media and announced The Markup’s award in the online media division on Feb. 22, 2023.
In the story recognized by AHCJ, “Facebook Is Receiving Sensitive Medical Information from Hospital Websites,” we revealed that 33 of the top 100 hospitals in the U.S., along with at least seven health care systems, were sending patients’ sensitive health information to Facebook through a web tracking tool.
Facebook Is Receiving Sensitive Medical Information from Hospital Websites
Experts say some hospitals’ use of an ad tracking tool may violate a federal law protecting health information
The tool, known as the Meta Pixel, exposed patients’ internet “IP” addresses, effectively linking their medical information and doctor’s appointments to their identity. Under the federal Health Insurance Portability and Accountability Act, or HIPAA, health data linked to an IP address is protected, and organizations covered by HIPAA, like hospitals, cannot share it with third parties without patient consent or a contract that requires the third party to provide the same level of protection. A former senior privacy adviser to the U.S. Department of Health and Human Services was quoted in our investigation saying, “I cannot say [sharing this data] is for certain a HIPAA violation. It is quite likely a HIPAA violation.”
The investigation revealed that the health care providers sent Facebook, at times, patients’ specific conditions, the search terms they entered to find the right doctor, the name and dosage of their medication, their sexual orientation, and the name of their doctor.
The investigation was enabled by the Pixel Hunt project, a collaboration between The Markup and Mozilla Rally. The project was a crowd-sourced undertaking in which anyone could install Mozilla’s Rally browser add-on in order to send The Markup data on the Meta Pixel as it appeared on sites that they visited. This allowed The Markup to discover when sensitive information was sent to Facebook from within password-protected patient portals.
In North Carolina, where several health care systems’ patient portals were sending sensitive information to Facebook, lawmakers demanded a probe, and the attorney general’s office began an investigation. In the U.S. Senate, Jon Ossoff of Georgia questioned Facebook on the issue during a hearing of the Homeland Security and Governmental Affairs Committee. Sen. Mark Warner of Virginia later cited The Markup’s investigation in a letter to Mark Zuckerberg, CEO of Facebook parent company Meta.
The U.S. Department of Health and Human Services (HHS), citing our story, issued updated guidance on the “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates,” confirming that “tracking technologies” on patient portal pages are generally covered by HIPAA privacy rules. Additionally, HHS said that such rules also cover pages that might be encountered by nonpatients and before a password is entered, such as appointment pages and health condition information pages. Before this HHS guidance was issued, there was disagreement in the health law sector on whether such pages were covered under HIPAA.
Patients of hospitals in San Francisco, Los Angeles, and Chicago, and of two regional health care systems brought at least five class action lawsuits against Meta, alleging that the company broke various state and federal laws.
Show Your WorkPixel Hunt
How We Built a Meta Pixel Inspector
The first large-scale, crowdsourced study that monitors how Meta tracks people across the internet
The health care providers themselves also further amended their practices. As of Oct. 20, 2022, at least 35 of the 40 hospitals and health systems identified in our story had removed the pixel from at least portions of their websites. At least five health care systems sent HHS and a combined 6.4 million patients “breach” notifications, required under HIPAA, stating that data submitted to their websites may have been inappropriately sent by the trackers.
The Markup also strongly believes in showing our work and did so for the Pixel Hunt series, which included the hospital tracking investigation.
A huge congratulations to the entire team that worked on the piece: Todd Feathers, Simon Fondrie-Teitler, Angie Waller, Surya Mattu, Rina Palta, Micha Gorelick, Gabriel Hongsdusit, Maria Puertas, and Jill Jaroff.
Congratulations to all of this year’s Awards for Excellence in Health Care Journalism honorees.