This appeared last week.
Senator questions Mark Zuckerberg over Meta's healthcare data collection policies
The letter from Sen. Mark Warner to the Facebook founder comes just days after Advocate Aurora Health notified patients of a potential breach involving a pixel-tracking tool.
By Mike Miliard
October 21, 2022 10:01 AM
U.S. Sen. Mark R. Warner, D-Va., raised concerns this week about the tracking and collection of patient health data by Facebook parent company Meta.
WHY IT MATTERS
In an Oct. 20 letter
sent to Meta CEO Mark Zuckerberg, Sen. Warner posed a series of questions about
patient privacy and the company's collection practices.
Specifically, Warner said he was worried about a particular tiny piece of code that has drawn concern in recent months for its use in healthcare websites and apps.
"I write to you today to express my concern regarding Meta’s collection of sensitive health information through the Meta Pixel tracking tool without user consent," wrote Warner.
"As you know, I have long worked to protect user privacy and increase transparency around how user data is collected and shared," he said. "This mission is more urgent than ever as the last two years have shown us the importance of healthcare technology, with many relying on electronic health records, online appointment booking, and virtual patient portals to receive care during the pandemic."
Warner specified his concerns about recent allegations that healthcare consumer data harvested by Meta Pixel has helped with deployment of user-targeted advertisements on Meta’s platforms.
"The use of the Meta Pixel is widespread, as the tool was installed in the systems of 33 of the top 100 hospitals in the country and inside the patient portals of seven health systems at the time of the investigation,'' said Warner.
"It is critical that technology companies like Meta take seriously their role in protecting user health data," he said. "Without meaningful action, I fear that these continuing privacy violations and harmful uses of health data could become the new status quo in health care and public health."
As such, the senator has asked Zuckerberg to answer seven questions before November 3:
· What information does Meta have access to or receive directly from the Meta Pixel, either currently or previously?
· How does Meta store information received through the Meta Pixel?
· Has information Meta received from the Meta Pixel ever been used to inform targeted advertisements on Meta’s platforms?
· How does Meta handle sensitive information that it receives from third parties that violate its business guidelines?
· What steps is Meta taking to safeguard sensitive health information, particularly with third-party vendors? Since the release of The Markup’s report in June, what additional steps have been taken?
· According to the report released by the New York State Department of Financial Services last year, Meta stated that the filtering system was “not yet operating with complete accuracy.” What improvements have been made to make the filtering system more effective? How is Meta testing and evaluating the filtering system’s ability to identify sensitive health information?
· Where required by law, does Meta always comply with any and all notification requirements when the Meta Pixel handles or transmits protected information, in the manner and time required by such laws?
THE LARGER TREND
Sen. Warner's letter comes the same week as news emerged of a potential data breach at Illinois- and Wisconsin-based Advocate
Aurora Health that reportedly involved pixel-tracking technology. The
breach could affect as many as 3 million people.
"We learned that pixels or similar technologies installed on our patient portals available through MyChart and LiveWell websites and applications, as well as on some of our scheduling widgets, transmitted certain patient information to the third-party vendors that provided us with the pixel technology," said Advocate Aurora officials in a notice of data breach .
They told patients that different users may have been affected in different ways, depending on "their choice of browser; the configuration of their browsers; their blocking, clearing or use of cookies; whether they have Facebook or Google accounts; whether they were logged into Facebook or Google; and the specific actions taken on the platform by the user."
In response, the health system has "disabled and/or removed the pixels from our platforms and launched an internal investigation to better understand what patient information was transmitted to our vendors."
Warner has prioritized patient protections around user data and privacy, and has introduced bipartisan legislation on Capitol Hill, the 2019 DASHBOARD Act, which aims to increase transparency around data collection.
Other bills he's cosponsored include the 2021 DETOUR Act, which would prohibit companies such as Meta from using so-called "dark patterns" to manipulate users into sharing their data.
And the 2021 Public Health Emergency Privacy Act would strengthen safeguards and data security rights around contact tracing, home testing, online appointment booking and more.
More here:
There is coverage of what was apparently going on and led to the Senator’s questions here:
3M Advocate Aurora Health Patients Face PHI Exposure Tied to Tracking Pixels
Advocate Aurora Health discontinued its use of tracking pixels after discovering that they potentially resulted in patient PHI exposure.
By Jill McKeon
October 20, 2022 - Advocate Aurora Health notified 3 million patients of a data breach that resulted in potential protected health information (PHI) exposure.
The breach stemmed from the nonprofit health system’s use of Google and Meta (Facebook’s parent company) tracking pixels, which are commonly used tools that allow organizations to track website visitor activity.
In August, North Carolina-based Novant Health notified 1.3 million patients that the use of Meta pixel code on its website also potentially exposed PHI.
Background
As previously reported, a co-published report by The Markup and STAT discovered that the Meta pixel tracker was being used on hundreds of hospital websites. While the use of pixels is common, the report found the pixel installed inside multiple password-protected patient portals and scheduling forms.
With the tracker present, packets of data were allegedly sent to Facebook whenever someone clicked a button to schedule a doctor’s appointment. Facebook allegedly received highly sensitive protected health information (PHI), including medical conditions and doctors’ names, which could all be linked to the user’s unique IP address.
Novant Health’s notification noted that Facebook’s terms and conditions state that “they have policies and filters that block sensitive personal data and do not incorporate that information into their Ad Manager.”
Even so, the findings sparked significant data privacy concerns, questions arose about whether Facebook had HIPAA business associate agreements (BAAs) in place with the hospitals. Facebook is now facing multiple lawsuits related to the findings.
Advocate Aurora Health Provides Breach Notice
Advocate Aurora Health explained that it had previously used the services of several third-party vendors to “measure and evaluate information concerning the trends and preferences of its patients as they use our websites.”
To do so, those third-party vendors utilized pixels to gather information. Advocate Aurora Health later learned that pixels or similar technologies installed on its patient portals and scheduling widgets transmitted certain information to the vendors that provided the technology.
The information involved potentially included IP addresses, patients’ proximity to an Advocate Aurora Health location, dates, times, and locations of scheduled appointments, and communications between patients and others within MyChart, which could have included medical record numbers and insurance information.
Advocate Aurora Health disabled the pixels and launched an internal investigation in order to “better understand what patient information was transmitted to our vendors.”
“Out of an abundance of caution, Advocate Aurora Health has decided to assume that all patients with an Advocate Aurora Health MyChart account (including users of the LiveWell application), as well as any patients who used scheduling widgets on Advocate Aurora Health’s platforms, may have been affected,” the health system explained.
Patients may have been impacted differently depending on their choice of and configuration of browser, use of cookies, and whether they have Facebook or Google accounts.
“You can protect yourself from online tracking by blocking or deleting cookies or using browsers that support privacy-protecting operations, such as incognito mode,” the notice advised patients. “You can also adjust your privacy settings in Facebook and Google.”
Advocate Aurora Health said that any future use of tracking technologies will be evaluated under the health system’s “enhanced, robust technology vetting process.”
More here:
and coverage here:
Health system data breach due to Meta Pixel hits 3 million patients
By Bill Toulas
· October 20, 2022
Advocate Aurora Health (AAH), a 26-hospital healthcare system in Wisconsin and Illinois, is notifying its patients of a data breach that exposed the personal data of 3,000,000 patients.
The incident was caused by the improper use of Meta Pixel on AAH's websites, where patients log in and enter sensitive personal and medical information.
Meta Pixel is a JavaScript tracker that helps website operators understand how visitors interact with the site, helping them make targeted improvements.
However, the tracker also sends sensitive data to Meta (Facebook) and is then shared with a massive network of marketers who target patients with advertisements that match their conditions.
This privacy breach has taken the U.S. by storm, as Meta Pixel is used by many hospitals in the country, exposing millions of people to third parties and sparking class action lawsuits against the responsible organizations.
In August 2022, U.S. healthcare provider Novant Health disclosed its improper use of Meta Pixel in its implementation of the 'MyChart' portal, exposing 1.3 million patients.
The 'MyChart' patient portal is also used by AAH, along with another platform named 'LiveWell,' both of which had active Meta Pixel trackers.
"When patients used Advocate Aurora Health patient portals available through MyChart and LiveWell platforms, as well some of our scheduling widgets, certain protected health information ("PHI") would be disclosed in certain circumstances, particularly for users concurrently logged into their Facebook or Google accounts." - AAH.
AAH's data breach notification says that the following information may have been exposed via Meta Pixel:
- IP address
- Dates, times, and locations of scheduled appointments
- Proximity to an AAH location
- Medical provider information
- Type of appointment or procedure
- Communications between MyChart users, which may have included first and last names and medical record numbers
- Insurance information
- Proxy account information
AAH reported that the breach affected 3 million people to the U.S. Department of Health, which listed it on its breach report portal.
More here:
So Meta and Google were playing very fast and very loose with huge amounts of really personal patient data!
Typical evil. This is really pretty depressing....
Anyone know if these tools are in use here in OZ?
David.
No comments:
Post a Comment