Four of the state’s largest healthcare systems have sent confidential patient information to Facebook. according to a report released Thursday by The Markup and STAT.
The story involved Atrium Health Carolinas Medical Center, Duke University Hospital, Novant Health, and WakeMed.
MarkUp tested the websites of Newsweek’s Top 100 Hospitals in America. The publication found that 33 of them were using a tracker called the Meta Pixel, which sends a data packet to Facebook whenever a person clicks or presses a button to make an appointment with a doctor.
Potential information that Facebook may have obtained includes patients’ health status, allergies, and sexual orientation.
The metapixel sends information to Facebook through scripts running on a person’s internet browser, so while people are not identified by name or home address, the data packet is sent by IP address, which can be used in combination with other data to identify a person or family.
A spokesman for Duke Health told WRAL News that it plans to remove the Meta Pixel “as soon as possible” from its website.
“Duke Health is committed to protecting the privacy of our patients’ medical information,” Duke Health said in a statement. “After investigating the issue raised in the report posted this morning, we have removed the Meta Pixel image.”
A Novant Health spokesperson stated that it has also removed the Meta Pixel from its website. Novant Health also released a written statement.
“We take the privacy and security of patient information very seriously at Novant Health, and we value the trust our patients place in us in maintaining the confidentiality of their medical information,” Novant Health writes. “About two years ago, we engaged a third party vendor to help design and implement a campaign to encourage people to sign up for MyChart.
“The goal of this effort was to encourage more people to take advantage of virtual care opportunities, especially as COVID has had a significant impact on how people choose to receive care, as well as our in-person care resources. We used tracking pixels to determine how many people signed up for MyChart, not what they did after logging in.”
Atrium Health released a written statement to WRAL News.
“Because privacy is critical to us, we have strong and effective security measures in place in our digital environment,” writes Atrium. “We will continue to monitor and review the tools we use to best serve our communities.”
On Thursday, Meta also released a statement.
“Advertisers should not send sensitive information about people through our business tools,” a Meta spokesperson wrote. “This is against our policy and we are educating advertisers on how to properly set up business tools to prevent this.
“Our system is designed to filter out potentially sensitive data that it might find.”
WRAL News also reached out to Atrium Health Carolinas Medical Center and WakeMed for comment.
In June 2021, WRAL News reported that health apps are not always subject to the same medical privacy laws, such as HIPAA, that protect information patients share with a doctor in person. Even if HIPAA rules apply, they may not cover all the data the app collects.