National Health Service (NHS) trusts, providers within the United Kingdom’s public health system, have come under scrutiny for the use of Meta Pixel. An investigation conducted by the Observer found that 20 NHS trust websites shared browsing information with Meta, breaching patient privacy, according to The Guardian.
NHS trusts are not the first healthcare organizations to run into data privacy problems related to tracking pixels. In October 2022, Advocate Aurora Health, a nonprofit health system with hospitals in Illinois and Wisconsin, had a data leak related to its use of tracking pixels from Google and Meta. Approximately 3 million individuals were affected.
Tracking pixels are embedded into websites and track user behavior. While this can be a powerful tool for marketing and advertising purposes, issues arise when the data extracted and shared with external companies, like Meta, is protected health information (PHI).
Meta Pixel and NHS Trusts
The data collected, without user consent, via Meta Pixel includes personal medical information. NHS trusts sent Meta details of patient visits to websites on HIV, cancer, and gender identity services, among other topics. The Guardian shared specific examples of data being shared along with the user’s IP address and Facebook details. Meta could use this information for targeted advertising.
Meta has filtering mechanisms designed to prevent sensitive health information from being used by its ad ranking and optimization systems, but the company is facing legal challenges around patient data privacy. A class action lawsuit filed in the US District Court for the Northern District of California alleges that Meta knowingly collects “highly sensitive medical information but, in reckless disregard for patient privacy, continues to collect, use, and profit from this information.”
The Guardian reported that many of the NHS trusts initially started using the tracking pixels to track recruitment for charity campaigns, unaware that they were sharing patient data with Meta. The majority of the 20 NHS trusts have removed Meta Pixel from their websites, according to the report.
The trusts could still face consequences, even if they were unaware that patient data was being shared with Meta. The Information Commissioner’s Office (ICO), the UK’s independent body for information rights, is investigating the issue. “The ICO will be considering both the technical breach of consent and also the potential of harm to the data subjects,” Gareth Lindahl-Wise, CISO at managed detection and response provider Ontinue, tells InformationWeek.
The sensitive information exposed could cause harm to patients. “It is this potential harm which would have a significant impact on any enforcement taken by the ICO, up to and including meaningful fines,” Lindahl-Wise continues.
General Data Protection Regulation (GDPR) fines are also a possibility. The Austrian Data Protection Authority ruled that Meta Pixel violates GDPR. “It is worth noting that Meta may also be subject to similar fines and penalties if they are also found to also be in violation of the UK GDPR and UK DPA,” says Claude Mandy, chief evangelist for data security at data security posture management company Symmetry Systems. UK GDPR is a similar regulation that is separate from EU GDPR.
Tracking Pixels in Healthcare
Despite the frequent patient data privacy issues that arise around the use of Meta Pixel and other tracking pixels, they are commonly used in healthcare. The Markup published an investigation in June 2022 detailing the use of Meta Pixel by 33 of Newsweek’s top 100 hospitals in the US.
With it is it appropriate for healthcare enterprises Meta Pixel and other tracking pixels? These tools have legally permissible uses in healthcare, according to William Roberts, co-chair of the data privacy, protection, and litigation group at US law firm Day Pitney. “Such uses include gaining insight on visitor or user online activities that may allow for improving website accessibility, making information more readily available, catering website resource to audiences, and other ways to improve patient experiences,” he explains.
The US Department of Health and Human Services released guidance on the use of tracking technologies of HIPAA-covered entities. The guidance acknowledges that tracking technology provides insights that “… could be used in beneficial ways to help improve care or the patient experience.” But it also makes clear that any use of these tools cannot “… result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.”
Appropriate use of tracking pixels in healthcare hinges on enterprises knowing exactly how the technology works, what data is being collected, and where it is going. “Scenarios like the one many of these NHS trusts find themselves in with the broad use of a tool like Meta Pixel is they either simply used the wrong or inappropriate tool for their patient care activities, did not appropriately define the demarcation of their commercial and patient care activities, or both,” says Joel Burleson-Davis, senior vice president of worldwide engineering, cyber for digital identity security company Imprivata.
Healthcare enterprises, like many of the NHS trusts, may now know that PHI is being leaked to a third party, but ignorance likely won’t shield them from regulatory consequences. “Regulators no longer allow website publishers to hide behind their DPAs [data processing agreements] — when a service provider like Meta breaches a DPA by collecting more info than they were supposed to, or uses in a way they shouldn’t, companies can no longer merely point to the service provider,” says Beth Fulkerson, a technology law and privacy and data security attorney and partner at full-service law firm Culhane Meadows. “Companies are on the hook if they failed to check up on what the service providers were doing.”
Maintaining Patient Data Privacy
Jean-Paul Schmetz, digital privacy expert and CEO of privacy ad blocker Ghostery, points out that third-party trackers are often difficult to control. “Unless your users have explicitly consented to data collection, any third-party trackers on your website are likely violating patient privacy in some shape or form, collecting data about an individual’s browsing habits, and creating an online profile with their specific health conditions and concerns,” he says.
Healthcare organizations have a responsibility to protect the privacy of their patients. How can they uphold that responsibility when it comes to the use of tracking pixels?
The first step is determining if and how tracking pixels are being used. Schmetz notes that tools like Ghostery can identify trackers, allowing healthcare organizations to determine whether to remove them from their content management systems.
Fulkerson indicates that there is a level of risk for healthcare enterprises that use tracking pixels. “Think twice before using a tool that was built by an organization that is focused on consumers generally — rather than a specialized tool built for the healthcare industry or other industries with sensitive data,” she says. “And maybe get worried when that service provider is getting into trouble with regulators.”
If enterprises opt to use tracking pixels, they should do so with open eyes. “It is clear that healthcare CIOs must adopt a more data-centric security strategy that can provide them the visibility into what data is being collected by themselves and third parties like Meta Pixel,” Mandy says.
Implementing any sort of tracking technology is not a decision for a single team within a healthcare organization. “Before marketing or another department implements such technologies, an organization should require that both health IT leadership and legal carefully vet the technology to ensure it is appropriate for the use, allows for legal compliance, and that it is implemented with proper settings and safeguards,” Roberts says.
Once implemented, healthcare CIOs need to ensure robust governance exists to watch for potential changes in how the technology works and collects data. “Change control should be in place to catch new features and components,” Lindahl-Wise says. “If you engage with special category data, now might be the time to invest in a continuous monitoring capability so you know what is running.” A healthcare organization’s data security posture must evolve to match pace with privacy requirements.
Keeping up with privacy requirements is also a question of resources. Burleson-Davis believes that under-resourced privacy, oversight, and IT programs are the root of the NHS trusts’ issue with Meta Pixel. “If these trusts were appropriately resourced to maintain and deploy modern security and privacy programs, this likely would have been prevented or have a significantly smaller impact,” he says.