
Sensitive Patient Information Was Sent Through Meta Pixel by NHS Trusts

NHS trusts, which function as local health care facilities throughout England and Wales and provide over half of all National Health Service (NHS) services, have been passing sensitive patient information through Meta Pixel, according to an Observer investigative report.

Meta Pixel is part of the social media giant's web-spanning targeted advertising network. The name comes from the tracking technique's origins as a hidden 1x1 image in a web page, but today's Meta Pixel is chiefly a JavaScript snippet that loads fbevents.js from Meta's servers; the invisible image survives only as a fallback for visitors who have JavaScript disabled. Once embedded, it reports page views, button clicks and form activity back to Meta and links that activity, through cookies and other identifiers, to a Facebook account where one exists. Websites generally implement it to measure conversions from ads they buy on Facebook and Meta's related services. Twenty NHS trusts reportedly had Meta pixels embedded in their websites, without their users' knowledge.

NHS trusts may have exposed sensitive patient information to Meta

Patient information that may have been exposed to Facebook, in some cases over a period of years, includes details of medical appointments, the types of treatment patients receive or show interest in, and the external sites they viewed relating to their conditions.

Different NHS trusts may have been passing different patient information. One example provided by the Observer is the Alder Hey Children's trust in Liverpool, which shared data about prescription refills and about web pages on crisis mental health disorders and sexual development problems. Another is Surrey and Borders Partnership NHS trust, which shared information indicating that users were under the age of 18 and seeking mental health services in Brighton. Other activity captured by the pixels includes referral requests, hospital appointment bookings, and keyword searches.

The breach could spell serious trouble for the NHS, as many of the examples cited by the Observer concern the patient information of minors. It is also particularly invasive because each pixel request reaches Meta's servers with the visitor's IP address and any Meta cookies the browser holds, which can tie a user's health-related browsing directly to their Facebook account.
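To make the mechanism and the data flow described above concrete, the following is an added example (not code from the Observer, the NHS trusts, or Meta). It scans page HTML for the three usual signs of a Meta Pixel (the fbevents.js loader, fbq('init', ...) / fbq('track', ...) calls, and the noscript image beacon), and it decodes the fields of a captured facebook.com/tr beacon request that carry the page URL, the referrer and the persistent _fbp identifier. The sample HTML, the beacon URL, the hostname trust.example and the pixel ID 123456789012345 are all constructed placeholders.

```python
"""Audit helper: find Meta Pixel markers in HTML and decode captured pixel beacons.

Added example; not code from the NHS trusts, the Observer, or Meta. The sample
page, beacon URL and pixel ID below are constructed for illustration only.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# fbevents.js is served from connect.facebook.net/<locale>/fbevents.js
LOADER_RE = re.compile(r"connect\.facebook\.net/[\w-]+/fbevents\.js")
# fbq('init', '<pixel id>') and fbq('track', '<event name>')
FBQ_CALL_RE = re.compile(r"""fbq\(\s*['"](\w+)['"]\s*,\s*['"]([^'"]+)['"]""")


class PixelScanner(HTMLParser):
    """Collects pixel evidence from <script> bodies and <img> beacons."""

    def __init__(self):
        super().__init__()
        self.findings = []      # list of (kind, value) tuples
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        src = attrs.get("src", "")
        if tag == "script":
            self._in_script = True
            if LOADER_RE.search(src):
                self.findings.append(("loader", src))
        elif tag == "img":
            u = urlparse(src)
            # the <noscript> fallback: a 1x1 image request to /tr fires with JS disabled
            if u.netloc.endswith("facebook.com") and u.path.rstrip("/") == "/tr":
                self.findings.append(("noscript", parse_qs(u.query).get("id", [""])[0]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if not self._in_script:
            return
        if LOADER_RE.search(data):      # bootstrap snippet injects the loader from JS
            self.findings.append(("loader", LOADER_RE.search(data).group(0)))
        for call, arg in FBQ_CALL_RE.findall(data):
            self.findings.append((call, arg))


def scan_html(html):
    """Return every pixel marker found in the page."""
    s = PixelScanner()
    s.feed(html)
    return s.findings


def pixel_ids(html):
    """Distinct pixel IDs a page initialises (from fbq('init') or the noscript beacon)."""
    return sorted({v for k, v in scan_html(html) if k in ("init", "noscript") and v})


def decode_beacon(url):
    """Pull the privacy-relevant fields out of a captured facebook.com/tr request."""
    q = parse_qs(urlparse(url).query)
    first = lambda k: q.get(k, [""])[0]
    return {
        "pixel_id": first("id"),
        "event": first("ev"),
        "page": first("dl"),       # dl: full URL of the page the visitor was on
        "referrer": first("rl"),   # rl: where they came from
        "fbp": first("fbp"),       # _fbp first-party cookie: persistent browser identifier
    }


def flag_sensitive(beacon, keywords):
    """Keywords (lower-case) that appear in the page path the beacon reported."""
    path = urlparse(beacon["page"]).path.lower()
    return [k for k in keywords if k in path]


# Constructed sample page: a simplified pixel bootstrap plus the noscript fallback.
SAMPLE_HTML = """<html><head>
<script>
var s = document.createElement('script');
s.src = 'https://connect.facebook.net/en_US/fbevents.js';
document.head.appendChild(s);
fbq('init', '123456789012345');
fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" style="display:none"
src="https://www.facebook.com/tr?id=123456789012345&ev=PageView&noscript=1"/></noscript>
</head><body><h1>Crisis mental health support</h1></body></html>"""

# Constructed sample beacon, shaped like the GET the pixel sends on a page view.
SAMPLE_BEACON = ("https://www.facebook.com/tr/?id=123456789012345&ev=PageView"
                 "&dl=https%3A%2F%2Ftrust.example%2Fservices%2Fmental-health%2Fcrisis"
                 "&rl=https%3A%2F%2Fwww.google.com%2F&fbp=fb.1.1700000000000.1234567890")

if __name__ == "__main__":
    print("pixel IDs on page:", pixel_ids(SAMPLE_HTML))
    b = decode_beacon(SAMPLE_BEACON)
    print("beacon reports page:", b["page"], "| referrer:", b["referrer"])
    print("sensitive terms in path:", flag_sensitive(b, ("mental-health", "sexual", "prescription")))
```

Run against a saved copy of a page, or feed decode_beacon the facebook.com/tr requests from a browser's network log; the dl field alone shows why a URL such as /services/mental-health/crisis discloses a condition without any form ever being submitted.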

Though the issue appears to have been limited to about a tenth of all NHS trusts, millions of patients are estimated to be potentially affected. Seventeen of the 20 trusts have confirmed that they have now removed all Meta pixels from their sites, and eight have issued formal apologies to patients. Some of the trusts said the pixels were originally installed to track the progress of charity or recruitment campaigns, and that the staff who implemented them were not aware that patient information could be captured.

The NHS said that it is investigating the issue and that further action may follow.

Site users usually not aware Meta Pixels are present

Meta claims that it has filters in place to automatically screen out sensitive patient information if it inadvertently works its way into the ad ecosystem. However, this is an opaque process with little public information available. And the NHS trusts are likely in serious trouble regardless, as numerous examples cited by the Observer meet the definition of protected "special category" health data under the UK GDPR; processing such data for advertising without a lawful basis such as the patient's explicit consent is unlawful. Only a handful of the affected trusts post a notice stating that patient data will not be sold or transferred, and only three mention in their privacy statements that data may be shared with Meta or Facebook.

This is far from the first time Meta Pixel has faced privacy issues, and in October 2022 it ran into very similar trouble in the United States. A report published by The Markup found that about a third of the top 100 hospitals in the country had the tracking code present on their websites. This drew the attention of both a Congressional committee and state Attorneys General, as Meta and the hospitals may have violated HIPAA rules with some of the personal information that was collected.

The Meta pixel has been a source of general concern since long before the NHS trusts incident, dating back to when it was the Facebook Pixel program. The system can track Facebook users even while they are logged out, and it also sets a first-party cookie (_fbp) that assigns a persistent identifier to the browser, so it follows people who have no Meta account and never engage with those services at all.

As to whether Meta is culpable at all in the NHS trusts case, the company denies responsibility. It says that it provides business owners with training on avoiding the collection of this sort of sensitive information, and that it is ultimately their responsibility to comply with data protection regulations. The ensuing investigation will determine where responsibility lies, and may involve deeper scrutiny of exactly how Meta's personal information filtering systems work.

In a similar case involving UK-based LloydsPharmacy, claimants argue that Meta is indeed culpable. There, embedded Meta pixels shared the search terms of people seeking things like erectile dysfunction medication and relief for irritable bowel syndrome with Facebook and TikTok, along with users' full names and phone numbers. The case will test whether Meta knowingly monetized this patient information and whether it took sufficient precautions to ensure that it was screened out of its systems.


Senior Correspondent at CPO Magazine