On Thursday—days after millions of patients across the country learned that their hospital may have leaked their medical information to Meta—Sen. Mark Warner (D-VA) requested that the tech giant answer questions about its pixel tracking tool and the sensitive personal data it collects.
“I am troubled by the recent revelation that the Meta Pixel was installed on a number of hospital websites—including password-protected patient portals—and sending sensitive health information to Meta when a patient scheduled an appointment online,” Warner wrote in a letter to CEO Mark Zuckerberg, citing a Markup investigation that revealed at least 33 top hospitals and seven health systems were sharing patient information through the Meta Pixels embedded on their websites. He also cited another Markup investigation that found the Meta Pixel collecting sensitive data from forms on the federal student aid website.
In an email to The Markup, Warner said, “Meta’s collection of user data without their knowledge or consent is wrong and begs the question—what is Meta doing [with] the information they are collecting? I am asking Meta to provide information into their data collection practices, including what information the company has access to, and how it is being used. I am especially concerned that the tracking tool Meta Pixel has allowed the company to access sensitive health information. At a time when more and more health care has moved online, it is critical that we do everything we can to protect patients using online health to receive care.”
In the letter to Meta, Warner asked the company what information it receives from its pixel, how it stores that data, and whether the information is used to target advertisements. The senator also asked how Meta protects “sensitive health information” and about a filtering system that is supposed to screen such data before it is stored, but which was “not yet operating with complete accuracy,” according to a report last year from the New York State Department of Financial Services.
[Embedded document: Sen. Mark Warner’s Letter to Meta CEO Mark Zuckerberg]
Warner is the second senator in recent weeks to demand answers from Meta, the parent company of Facebook and Instagram, about its tracking tools and use of sensitive health information. In September, Sen. Jon Ossoff (D-GA) asked Meta chief product officer Chris Cox similar questions during a live hearing. Cox promised to respond in writing.
“Advertisers should not send sensitive information about people through our Business Tools, as doing so is against our policies,” Meta spokesperson Dale Hogan wrote in an email to The Markup. “We educate advertisers on properly setting up Business Tools to prevent this from occurring. Our system is designed to filter out potentially sensitive data it is able to detect.”
Since Ossoff’s questioning one month ago, two more health systems have sent data breach notifications to approximately 3.5 million patients, warning them that their health information may have been improperly leaked to Meta.
Last week, Wisconsin- and Illinois-based Advocate Aurora Health notified the Department of Health and Human Services’ Office for Civil Rights that as many as three million patients may have been affected by the data breach. In a notification posted to its website, the health system warned all patients who had booked an appointment through its site or used its MyChart portal that their sensitive data may have been shared not only with Facebook but also with Google.
The same day, WakeMed, a North Carolina–based health system, notified patients that their data may have been shared with Facebook. Close to 500,000 patients were notified, according to the Raleigh News & Observer. Another North Carolina health system, Novant Health, previously notified 1.3 million patients of its own breach.
The health systems said that the compromised information could include patient names, addresses, IP addresses, details about appointments, and in some cases, information about allergies, vaccination status, and communications with providers.
As part of our investigation, The Markup used data submitted by real patients who participated in our Pixel Hunt project in collaboration with Mozilla Rally. Data from the project showed that Meta Pixels also collected details about patients’ medications and their answers to questions about sensitive topics such as sexuality.
As of Oct. 20, at least 35 out of the 40 hospitals and health systems The Markup found sending patient data to Meta had removed or disabled the Meta Pixels on their websites.
Meta is also facing at least five class-action lawsuits from patients alleging that its pixel’s collection of data on hospital websites violates various state and federal laws.