Not Even Healthcare Websites are Safe from Meta’s Watchful Eye


When you use websites for your healthcare, you expect them to be safe. If there’s one place that’s safe on the internet, it’s the place where you conduct your healthcare business. It’s certainly private and guaranteed by HIPAA, right?

Well, about that.

As it turns out, Meta (Facebook) has quite a few hooks into these websites, and may be collecting more data on you than you realize. Some of that may already violate federal law, while politicians work to curb Meta’s most recently discovered data hoarding.

Meta’s Healthcare Data Collection

The Markup surveyed 100 of Newsweek’s top hospitals in America. On a third of them, 33, they found a tracker belonging to Meta. Meta’s Pixel is a lightweight tracker embedded on websites to feed the company information on users from across the web. There’s plenty of information Meta can use to identify you, or at least guess at your identity. That can include your IP address, name, email, browser, or just cross-site cookies Meta may use to track you personally, wherever you go online. This allows them to tie the information they collect to you, specifically, regardless of whether you enter your own personal information on a website.
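For a site owner, the first step is knowing whether a page carries the Pixel at all. The scanner below is an added example, not code from The Markup or Meta; it assumes the publicly documented Pixel markers (the `fbq(...)` call, the `connect.facebook.net` loader host and the `www.facebook.com/tr` image beacon), and the sample page and pixel ID are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# The standard embed injects its loader from an inline script, so a search
# for <script src=...> alone misses it; inline script bodies are checked too.
INLINE_MARKERS = re.compile(r"\bfbq\s*\(|connect\.facebook\.net")

class PixelAudit(HTMLParser):
    """Collects evidence that a page loads or calls the Meta Pixel."""

    def __init__(self):
        super().__init__()
        self.findings = []    # (kind, evidence) tuples, in document order
        self._script = None   # buffer for the inline script being read

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") or ""
        url = urlparse(src)
        if tag == "script":
            self._script = []
            if url.hostname == "connect.facebook.net":
                self.findings.append(("script-src", src))
        elif tag == "img" and url.hostname == "www.facebook.com" and url.path == "/tr":
            # <noscript> fallback beacon, sent when JavaScript is disabled
            self.findings.append(("beacon-img", src))

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body = "".join(self._script)
            if INLINE_MARKERS.search(body):
                self.findings.append(("inline-script", body.strip()[:60]))
            self._script = None

def audit_html(html: str) -> list:
    parser = PixelAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed page source; the pixel ID is a placeholder.
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script>fbq('init', '0000000000'); fbq('track', 'PageView');</script>
<noscript><img height="1" width="1"
 src="https://www.facebook.com/tr?id=0000000000&amp;ev=PageView&amp;noscript=1"/></noscript>
</head><body><button>Schedule Online</button></body></html>"""
```

Run it against the HTML of logged-in pages as well as public ones, since the article's worst findings came from inside patient portals.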

So what is Meta collecting? Exactly what you worry about. They’re able to get search terms and specific doctors or locations you’re visiting. Some hospitals were sending back information like medications, and even a person’s sexual orientation.

Seven websites were tested after the patient login portal, where users can find their personal information. Of those, five were reporting data back to Facebook. This is data coming from inside your personal records. It’s not anonymized in the least. The information is hashed in transit to Meta/Facebook, but simple online tools can decode the hash immediately, allowing researchers to see just what Meta was collecting.
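Why hashing does not anonymize, shown as an audit a site owner could run on captured tracker traffic (an added example, not The Markup's tooling). It assumes an unsalted SHA-256 over a trimmed, lowercased identifier, which the article does not specify; the field names, email addresses and payload are constructed.

```python
import hashlib

def normalize(value: str) -> str:
    # Assumption: identifiers are trimmed and lowercased before hashing.
    return value.strip().lower()

def sha256_hex(value: str) -> str:
    return hashlib.sha256(normalize(value).encode("utf-8")).hexdigest()

def build_lookup(known_identifiers) -> dict:
    """Map digest -> cleartext for identifiers the auditor already holds.

    Without a secret salt, anyone with a list of candidate values (a patient
    roster, a marketing list) can build this same table, which is why the
    hash works as a stable join key rather than as anonymization.
    """
    return {sha256_hex(v): normalize(v) for v in known_identifiers}

def audit_payload(params: dict, lookup: dict) -> list:
    """Return (field, cleartext) for each outbound parameter whose value is
    the hash of a known identifier, i.e. a field that names a person."""
    findings = []
    for field, value in params.items():
        match = lookup.get(str(value).strip().lower())
        if match is not None:
            findings.append((field, match))
    return findings

# Constructed sample data: a two-entry roster and one captured request.
PATIENT_EMAILS = ["alex.rivera@example.com", " Sam.Chen@example.org "]
CAPTURED_PARAMS = {
    "event": "button_click",                               # hypothetical field names
    "hashed_email": sha256_hex("sam.chen@example.org"),
    "button_text": "Schedule Online",
}

if __name__ == "__main__":
    for field, who in audit_payload(CAPTURED_PARAMS, build_lookup(PATIENT_EMAILS)):
        print(f"{field} re-identifies {who}")
```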

Those 33 hospitals that provide data to Facebook account for 26 million people potentially tracked in 2020 alone. This is only out of the top 100 hospitals; it’s possible there are far more. Meta tracks more than just their users, too. They build profiles on people who aren’t using their services, in case they ever do, to better serve up ads on Facebook and Instagram. Meta may store that data for years.

Is Meta Using Private Healthcare Data?

Meta’s Dale Hogan claims Meta filters data they receive, and therefore would filter private information out.

“If Meta’s signals filtering systems detect that a business is sending potentially sensitive health data from their app or website through their use of Meta Business Tools, which in some cases can happen in error, that potentially sensitive data will be removed before it can be stored in our ads systems,”

– Dale Hogan

However, an investigation by Reveal found Meta was not filtering information related to appointments and crisis pregnancy centers. Since Republicans have taken away federal abortion rights, and are dismantling people’s rights at the state level, this can be exceptionally dangerous.

Pregnancy Termination and Gender Affirming Healthcare

“On the website of University Hospitals Cleveland Medical Center, for example, clicking the ‘Schedule Online’ button on a doctor’s page prompted the Meta Pixel to send Facebook the text of the button, the doctor’s name, and the search term we used to find her: ‘pregnancy termination.'”

– Todd Feathers, Simon Fondrie-Teitler, Angie Waller, and Surya Mattu, The Markup via Ars Technica

With anti-choice extremists pushing legislation to spy on private healthcare, companies like Facebook may find themselves in the middle of the conflict. Because of their data collection, Facebook has a list of people who may have researched pregnancy terminations or even gotten an abortion already. Republicans will want that data to prosecute people who have gotten abortions, now that we don’t have basic bodily autonomy guaranteed by the Constitution. However, others will want Meta to protect people who didn’t even consent to being spied on. Unfortunately, Meta follows the laws of the country they’re in, and therefore would give up this information in Republican-led states. Due to this week’s Supreme Court ruling, in Texas and other U.S. states, women and people who can get pregnant already face laws making ancient and basic healthcare illegal.

“When The Markup tested Houston Methodist’s website, clicking the ‘Schedule Appointment’ button on a doctor’s page prompted the Meta Pixel to send Facebook the text of the button, the name of the doctor, and the search term we used to find the doctor: ‘Home abortion.'”

– Todd Feathers, Simon Fondrie-Teitler, Angie Waller, and Surya Mattu, The Markup via Ars Technica

This is a position not even a company like Meta seems comfortable with.

But we don’t have to wait to see the horrors of Meta’s overzealous data collection. Right now, Meta’s tools are helping “crisis pregnancy centers,” that is, fake abortion clinics made to guilt women into staying pregnant, or stalling their decision until it’s too late. These crisis pregnancy centers are already using Meta’s data to send targeted ads to people considering an abortion on Meta’s services, Facebook and Instagram.

Republicans have been attacking transgender rights across the U.S. This involves going after the healthcare of transgender children, as well as some transgender adults. Some states have gone so far as to prosecute the parents of transgender children, as though it’s their fault how their kids were born. These people are in danger as the data Meta is collecting could reveal their gender identity, now a criminal offense. Simply searching for information online could lead to a visit from the police. Governments often circumvent the 4th amendment, which protects against unreasonable searches, by buying location data from data brokers. With a treasure trove of potential victims, Meta’s poised to create a surveillance state.

In fact, this is already happening. Placer.ai was creating heat maps of where abortion clinic visitors live. Anti-abortion groups were buying targeted ads on Facebook that could target people considering an abortion. This data is already being used to harm people.

What are Websites Getting?

What do websites get in exchange for using the Meta Pixel tracker? They can get analytics on the ads they’ve placed on Facebook and Instagram.

That’s it. Just some information confirming ad click-through rates.

That’s what they gave your healthcare data to Meta/Facebook for. These hospitals are far from blameless. They chose to use analytics software from a company, Meta, known for harvesting user data. They knew what they were getting into. No one in tech expects privacy when it comes to Meta or its properties, Facebook, Instagram, or even WhatsApp.

Legislated Privacy Improvements

If confirmed, these seem to be egregious violations of HIPAA. These hospitals could face fines as a result of any investigations. For Meta, however, it’s less clear. A group of senators led by Senator Elizabeth Warren wants to change that.

Senator Elizabeth Warren (D-MA) introduced a bill along with Senators Bernie Sanders (I-VT) and Ron Wyden (D-OR). The legislation isn’t a direct response to Meta’s data grabbing at hospitals, but was instead introduced in anticipation of the end of Roe v. Wade. The bill specifically bars data brokers from “selling or transferring location data and health data.” This means selling or using ads based on health data and location data, like hospitals or abortion clinics, would be illegal.

“With this extremist Supreme Court poised to overturn Roe v. Wade and states seeking to criminalize essential health care, it is more crucial than ever for Congress to protect consumers’ sensitive data.”

– Senator Elizabeth Warren (D-MA)

The bill would empower the FTC to sue brokers who collect or sell location or health data. It would require an additional $1 billion in funding for the FTC over a decade. However, with so many companies currently collecting health and location data who may challenge the bill, that could even pay for itself.

What’s Next?

Hopefully, legislation. We need lawmakers to come together and block this kind of data grabbing. Now that Roe v. Wade is dead, it’s more important than ever. Restoring bodily autonomy to everyone is obviously the most important goal, but protecting people’s privacy until we can do that is also vital, and will serve us long after we restore our basic human rights.

Hospitals have been removing the Meta Pixel from their sites. Many were simply ignorant. They didn’t know how much data Meta had collected for Facebook and Instagram advertising. We should still hold them accountable.

As for you? Protect your data. Use a privacy-focused browser like Firefox or Safari. Firefox may be the best choice, as its tab containers can let you split out data going to Meta, and also treat your personal healthcare information like it’s happening in a completely separate browser. Safari is also a decent option. You may also want to consider a VPN, like one from Mozilla or NordVPN, which you can use to mask and change your IP address often, making it harder to figure out who you are. Just don’t log in to Facebook with the same IP.

You should also definitely delete any period tracking apps. In fact, there are more privacy options you can find here. You’re going to have to work hard to defend yourself now, and it’s not going to get easier anytime soon. Hopefully those in charge will work to make it a little easier in the difficult months to come.

