Hidden code leaks private data from hospitals and ‘pregnancy centers’

The kids may obsess about social media platforms. But just how much do patients want them to snoop into their most personal medical information, accessed due to hidden snippets of computer code embedded on the sites of some of the nation’s biggest and most respected hospitals, as well as facilities purportedly dealing with women’s reproductive health?

The cyber culprit that is taking heat from patient advocates is, of course, Facebook, the online giant built in part on its founder’s troubling axiom, urging his colleagues to “move fast and break stuff.”

Facebook not only provides a place for folks to glow about their latest vacations, share cat and dog pictures, and wish each other well on birthdays and other important occasions; the company has also become a technology and online advertising titan. A key to its success rests in its capacity to track users via bits of code that users pick up like microbes or fleas when they troop through the Facebook site — or visit online clients of the company’s sweeping advertising enterprises.

While it may sound innocuous — if annoying as all get out — that Facebook manages with this tech to serve up ads on its site for products its audiences happened to have clicked on, elsewhere and earlier, the tracking methods can have more concerning applications, according to Stat, a health, science, and medicine site, and the tech-focused Markup news organization. As they reported:

“A tracking tool installed on many hospitals’ websites has been collecting patients’ sensitive health information—including details about their medical conditions, prescriptions, and doctor’s appointments—and sending it to Facebook. The Markup tested the websites of Newsweek’s top 100 hospitals in America. On 33 of them we found the tracker, called the Meta Pixel, sending Facebook a packet of data whenever a person clicked a button to schedule a doctor’s appointment. The data is connected to an IP address—an identifier that’s like a computer’s mailing address and can generally be linked to a specific individual or household—creating an intimate receipt of the appointment request for Facebook.”

The hospitals with this hidden code embedded, the news organizations reported, include Johns Hopkins, UCLA Reagan Medical Center, New York Presbyterian, Northwestern Memorial, Duke University, Scripps Memorial, and the Cleveland Medical Center.

The institutions that responded to reporter questions downplayed the significance of the code. They argued, among other things, that the data playback to Facebook did not violate strict federal privacy laws about medical information because it merely showed patient interest, not actual provision of medical services.

Facebook harrumphed that it has super-duper software, equipped with artificial intelligence, that detects potentially problematic information coming into its system, including potentially sensitive material about patient searches on health conditions, medical specialists, as well as consumers describing their gender and sexual orientation, and makes it disappear, the news article says.

But David Holtzman, a health privacy consultant who previously served as a senior privacy adviser in the U.S. Department of Health and Human Services’ Office for Civil Rights, which enforces the federal Health Insurance Portability and Accountability Act (HIPAA), told the Markup this:

“I am deeply troubled by what [the hospitals] are doing with the capture of their data and the sharing of it. I cannot say [sharing this data] is for certain a HIPAA violation. It is quite likely a HIPAA violation.”

As the news article explained:

“The law [HIPAA] prohibits covered entities like hospitals from sharing personally identifiable health information with third parties like Facebook, except when an individual has expressly consented in advance or under certain contracts [none of which appear to be in place] … Facebook itself is not subject to HIPAA, but the experts interviewed for this story expressed concerns about how the advertising giant might use the personal health data it’s collecting for its own profit.”

Privacy and technology experts noted that an elite technology operation like Facebook can take bits and pieces from the various sorts of information it collects across an array of websites and clients and public databases to defeat efforts to remove the identities of individuals. Savvy tech firms can use the abundant data to develop detailed, powerful consumer profiles with painfully granular information about individuals’ likes, dislikes, preferences, practices, and personalities.

Online tracking and the pregnant

If the Orwellian menace of Facebook tracking tech on hospital sites is insufficiently chilling, the Markup also has partnered with Reveal, a nonprofit investigative site, and the Center for Investigative Reporting to delve into how this secretive stuff potentially affects the pregnant:

“Facebook is collecting ultra-sensitive personal data about abortion seekers and enabling anti-abortion organizations to use that data as a tool to target and influence people online, in violation of its own policies and promises. In the wake of a leaked Supreme Court opinion signaling the likely end of nationwide abortion protections, privacy experts are sounding alarms about all the ways people’s data trails could be used against them if some states criminalize abortion. A joint investigation by Reveal from The Center for Investigative Reporting and The Markup found that the world’s largest social media platform is already collecting data about people who visit the websites of hundreds of crisis pregnancy centers, which are quasi-health clinics, mostly run by religiously aligned organizations whose mission is to persuade people to choose an option other than abortion.

“Meta, Facebook’s parent company, prohibits websites and apps that use Facebook’s advertising technology from sending Facebook ‘sexual and reproductive health’ data. After investigations by The Wall Street Journal in 2019 and New York state regulators in 2021, the social media giant created a machine-learning system to help detect sensitive health data and blocked data that contained any of 70,000 health-related terms. But Reveal and The Markup have found Facebook’s code on the websites of hundreds of anti-abortion clinics. Using Blacklight, a Markup tool that detects cookies, keyloggers and other types of user-tracking technology on websites, Reveal analyzed the sites of nearly 2,500 crisis pregnancy centers – with data provided by the University of Georgia – and found that at least 294 shared visitor information with Facebook. In many cases, the information was extremely sensitive – for example, whether a person was considering abortion or looking to get a pregnancy test or emergency contraceptives.”

Facebook, again, denied that it deals with sensitive, highly personal information. But the media organizations reported this:

“Crisis pregnancy centers and other businesses can choose whether to install [Meta] Pixel on their websites, though many website builders and third-party services automatically embed trackers. In 2020, The Markup found that 30% of the 80,000 most popular sites use the ad tracker, and Facebook has said millions of Pixels are on websites across the internet. Facebook says Pixel data can be stored for years.

“That personal data can be used in a number of ways. The centers can deliver targeted advertising, on Facebook or elsewhere, aimed at deterring an individual from getting an abortion. It can be used to build anti-abortion ad campaigns – and spread misinformation about reproductive health – targeted at people with similar demographics and interests. And, in the worst-case scenario now contemplated by privacy experts, that digital trail might even be used as evidence against abortion seekers in states where the procedure is outlawed.”

The news article detailed key differences about the advocacy nature of the centers and their potential interest in data mining:

“Crisis pregnancy centers market themselves as being in the ‘pregnancy resource’ business, offering a range of free or low-cost services from pregnancy tests to baby clothing and ‘options consultations.’ But their mission, articulated by Heartbeat International, the largest crisis pregnancy center network in the world, is far more sweeping: ‘to make abortion unwanted today and unthinkable for future generations.’ Although many centers resemble medical clinics, the majority are not licensed medical facilities. Thus, most are not required to follow most privacy protections against the sharing of personal health information, including … HIPAA. In recent years, crisis pregnancy centers have become increasingly savvy about targeting people using sophisticated digital tools and infrastructure. Heartbeat International, for example, has developed suites of products to help individual centers improve their online presence, digital advertising, and data management. These online tools enable the centers to amass highly personal information, including medical histories, details about prior pregnancies and even ultrasound photos, and store and share that information with networks of anti-abortion partners.”

In my practice, I see not only the harms that patients suffer while seeking medical services, but also their struggles to afford and access safe, efficient, and excellent health care. This has become an ordeal due to the skyrocketing cost, complexity, and uncertainty of therapies and prescription medications, too many of which prove to be dangerous and bankrupting drugs.

With all the obstacles patients and their loved ones already must overcome for optimal care, the last thing they need is nosey Parkers busily snatching, out of view, intensely personal information about their lives, medical conditions and wishes, their health, and who they might want as caregivers. It is unacceptable for impassioned partisans, too, to invade individuals’ thinking and information gathering about so private a matter as caring for the unborn. They have a protected right to express their views and to persuade others, appropriately.

But skulking about — whether it is done by hospitals, advocates, or tech enterprises — is unnecessary, invasive, and infuriating. As the cost of health care keeps skyrocketing, with Americans spending more than $3 trillion annually on it, policy makers, properly, have zeroed in on hospitals. That’s because we spend a third of our total health care expenses — more than $1 trillion annually — on hospitals, with negligible transparency or reason as to why we pay what we do, other than institutions setting prices as they can get away with it.

This can only increase the public anger that hospitals, as part of their already giant advertising and marketing initiatives, are relying on sneaky snatches of code to scoop up information from their websites about patients and without their consent. Shall we call it mendacity meets avarice?

The news reports, by the way, make it clear that many hospitals forgo this approach, and a few, confronted about it, don’t seem to have any trouble stopping the practice.

Good. We have much work to do to ensure that hospitals and the medical services they provide are safe, accessible, affordable, efficient, excellent — and private and secure. Health care is a right, not a privilege, and the privacy of our medical care should not be subject to profit-mongering peddlers, including those of the 21st-century, high-tech kind.
