
Privacy Breach: Facebook’s Covert Collection of Patient Data from UK Hospitals

Aug 15, 2023
Facebook's Covert Patient Data Collection
Marcel Bich

The websites of twenty National Health Service (NHS) hospitals in the UK breached patients’ privacy rights by disclosing to Facebook in-depth information on patients’ medical problems, appointments, and treatments without their permission.

The NHS sites allegedly used a covert user-tracking tool called Meta Pixel, which for several years captured and sent Facebook information about the pages viewed, keys pressed, and keywords typed. This data was linked to the user’s IP address and to information about their Facebook account.

Meta can use the data collected via Meta Pixel for commercial purposes, such as improving its ad targeting services.

The data came from patients who looked up information on HIV, self-harm, sex reassignment services, sexual health, cancer, child treatment, and other topics on NHS pages. It also includes details of when users clicked on buttons to schedule an appointment, purchase a repeat prescription, ask for a referral, or conduct an online consultation. Millions of patients may be affected.

According to the hospitals, 17 of the 20 NHS hospitals that used Meta Pixel have removed the tracking technology from their websites. Eight hospitals have expressed regret to patients. A number of hospitals said that they first installed Meta Pixel to monitor recruiting efforts or charitable causes and had no idea that they were also giving Facebook patient data. The Information Commissioner’s Office (ICO) is looking into it.

In the Observer’s test, much of the data was sent to Facebook automatically when the site loaded, before the user had chosen to “accept” or “reject” cookies and without the user’s express agreement. Only three of the twenty hospitals made reference to Facebook or Meta in their privacy policies. Some hospitals had previously assured patients that their information would not be shared or used for marketing.

Together, the 20 NHS institutions that used the monitoring tool serve over 22 million people in England. The NHS will hold an inquiry into how the data transfer took place and the scope of the suspected data breach.

A spokeswoman for Meta said hospitals had been reminded of the company’s policies, which forbid transferring health data to it. The representative also stated that it is the website owner’s obligation to adhere to data protection rules and seek consent before transferring the data.