U.S. Sen. Mark R. Warner, D-Va., this week raised concerns about Facebook parent company Meta’s tracking and collection of patient health data.
WHY IT MATTERS
In an Oct. 20 letter to Meta CEO Mark Zuckerberg, Sen. Warner asked a series of questions about patient privacy and the company’s collection practices.
In particular, Warner said he’s concerned about a specific tiny piece of code that has raised concerns about its use in healthcare websites and apps in recent months.
“I am writing to you today to express my concern about Meta’s collection of sensitive health information through the Meta pixel tracking tool without user consent,” Warner wrote.
“As you know, I’ve long worked to protect user privacy and increase transparency about how user data is collected and shared,” he said. “This mission is more urgent than ever as the last two years have shown us the importance of health technology, with many relying on electronic medical records, online appointment booking and virtual patient portals to receive care during the pandemic.”
Warner expressed concern over recent allegations that healthcare consumer data collected by Meta Pixel helped deliver customized advertising on Meta’s platforms.
“Use of the Meta Pixel is widespread because, at the time of the research, the tool was installed on the systems of 33 of the top 100 hospitals in the country and on the patient portals of seven health care systems,” Warner said.
“It’s critical that technology companies like Meta take their role in protecting users’ health data seriously,” he said. “Without meaningful action, I worry that these ongoing invasions of privacy and malicious use of health data could become the new status quo in healthcare and public health.”
So Senator asked Zuckerberg to answer seven questions before November 3:
What information does Meta have access to or receive directly from Meta Pixel, either currently or previously?
How does Meta store information received via the Meta Pixel?
Has information Meta received from the Meta Pixel ever been used to inform targeted advertising on Meta’s platforms?
How does Meta handle confidential information it receives from third parties that violate its business policies?
What steps does Meta take to protect sensitive health information, particularly with third-party providers? What additional steps have been taken since The Markup’s report was published in June?
According to the report, released last year by the New York State Department of Financial Services, Meta explained that the filtering system “isn’t yet working with complete accuracy.” What improvements have been made to make the filtration system more effective? How does Meta test and evaluate the filtering system’s ability to identify sensitive health information?
Where required by law, does Meta always comply with all notification requirements when the Meta Pixel processes or transmits protected information in the manner and time required by those laws?
THE BIGGER TREND
Sen. Warner’s letter comes the same week as news surfaced of a potential data breach at Illinois-Wisconsin-based advocate Aurora Health that reportedly involved pixel-tracking technology and could affect as many as 3 million people.
“We have learned that pixels or similar technologies installed on our patient portals, available through MyChart and LiveWell websites and applications, and on some of our planning widgets, have transmitted certain patient information to the third-party providers who provide us with the have provided pixel technology. Advocate Aurora officials said in a privacy breach notice.
In response, the healthcare system has “disabled and/or removed the pixels from our platforms and initiated an internal investigation to better understand what patient information was transmitted to our providers.”
Prioritizing patient protection over user data and privacy, Warner introduced bipartisan legislation on Capitol Hill, the DASHBOARD Act 2019, aimed at increasing transparency in data collection.
Other bills he has co-sponsored include the DETOUR Act of 2021, which would ban companies like Meta from using so-called “dark patterns” to trick users into sharing their data.
And the Public Health Emergency Privacy Act of 2021 would strengthen safeguards and data security rights around contact tracing, home testing, online appointment booking and more.
ON THE RECORD
“I am disturbed by the recent revelation that the Meta Pixel has been installed on a number of hospital websites — including password-protected patient portals — and is sending sensitive health information to the Meta when a patient makes an appointment online,” Sen. Warner wrote.
“This data contained highly personal health information, including patient health status, appointment subjects, doctor names, email addresses, phone numbers, IP addresses, and other details related to patients’ doctor appointments.”
In a new era of telemedicine and virtual care, patient-generated health data, digital therapeutics and other consumer-centric innovations, such concerns are very real, he said.
“As we increasingly move healthcare online, we need to ensure there are strong safeguards in place around the use of these technologies to protect sensitive health information,” Warner said.