An investigation by The Markup into online tracking by hospitals has won “Best Story” in the 2023 Digiday Media Awards. The awards recognize the most innovative work the industry has to offer.
In the story recognized by Digiday, “Facebook Is Receiving Sensitive Medical Information from Hospital Websites,” we revealed that 33 of the top 100 hospitals in the U.S., along with at least seven health care systems, were sending patients’ sensitive health information to Facebook through a web tracking tool.
Pixel Hunt
Facebook Is Receiving Sensitive Medical Information from Hospital Websites
Experts say some hospitals’ use of an ad tracking tool may violate a federal law protecting health information
The tool, known as the Meta Pixel, exposed patients’ IP addresses, effectively linking their medical information and doctor’s appointments to their identity. Under the federal Health Insurance Portability and Accountability Act, or HIPAA, health data linked to an IP address is protected, and organizations covered by HIPAA, like hospitals, cannot share it with third parties without patient consent or a contract that requires the third party to provide the same level of protection. A former senior privacy adviser to the U.S. Department of Health and Human Services was quoted in our investigation saying, “I cannot say [sharing this data] is for certain a HIPAA violation. It is quite likely a HIPAA violation.”
The investigation revealed that the health care providers sent Facebook, at times, patients’ specific conditions, the search terms they entered to find the right doctor, the name and dosage of their medication, their sexual orientation, and the name of their doctor.
The investigation was enabled by the Pixel Hunt project, a collaboration between The Markup and Mozilla Rally. The project was a crowd-sourced undertaking in which anyone could install Mozilla’s Rally browser add-on in order to send The Markup data on the Meta Pixel as it appeared on sites that they visited. This allowed The Markup to discover when sensitive information was sent to Facebook from within password-protected patient portals.
Ongoing Coverage
The Markup has continued to investigate websites that have shared sensitive data through the Meta Pixel:
- Suicide Hotlines Promise Anonymity. Dozens of Their Websites Send Sensitive Data to Facebook
The Markup found many sites tied to the national mental health crisis hotline transmitted information on visitors through the Meta Pixel. - “Out Of Control”: Dozens of Telehealth Startups Sent Sensitive Health Information to Big Tech Companies
An investigation by The Markup and STAT found 49 out of 50 telehealth websites sharing health data via Big Tech’s tracking tools. - Tax Filing Websites Have Been Sending Users’ Financial Information to Facebook
The Markup found services including TaxAct, TaxSlayer, and H&R Block sending sensitive data.
Follow our full Pixel Hunt series for our investigations and impact.
A huge congratulations to the entire team that worked on the piece: Todd Feathers, Simon Fondrie-Teitler, Angie Waller, Surya Mattu, Rina Palta, Micha Gorelick, Gabriel Hongsdusit, Maria Puertas, and Jill Jaroff.
Congratulations to all of this year’s Digiday Media Award winners.
