When parents scheduled an appointment for their children on the Nemours page, Facebook received that information
By: Alfred Ng and Simon Fondrie-Teitler
One of the largest pediatric networks in the country was sending personal information about children and their parents to Facebook, The Markup found. Nemours Children’s Health, which serves nearly half a million families in the U.S., had a Facebook tracking tool on its appointment scheduling website that shared details about the appointment with Facebook.
The site also had a handful of other third-party trackers that share potentially sensitive information with data brokers. The Markup could not always determine what information the trackers were sending to data brokers, simply that the trackers were present. With Meta’s tracker, however, we found the Nemours site sending Facebook visitors’ IP addresses, information about the specific doctor and specialty the patient was scheduling an appointment with, and in some cases the first and last name of the child the appointment was for.
That information, in combination with other data available to Facebook, could be used to link health conditions to individuals and to the Facebook profiles of their parents.
And experts say the data-sharing with Facebook could violate patient privacy laws. The Health Insurance Portability and Accountability Act (HIPAA) covers health care providers like Nemours and services they provide, like scheduling appointments, said Charlotte Tschider, an assistant professor at Loyola University with a focus on information privacy and the health care industry.
After The Markup reached out to Nemours, many of the trackers on the scheduling site were removed, but trackers from Facebook, Google, and Salesforce remained. Last week, after The Markup published a story about dozens of hospitals sharing the sensitive health information of patients with Facebook, Nemours removed the Facebook tracker as well.
Not all health data is covered under HIPAA. The law specifically applies to health care providers, health insurance providers, and health care data clearinghouses. It also applies to companies that do businesses on behalf of those organizations, Tschider said.
“When you are going to a covered entity’s website, and you’re entering information related to scheduling an appointment, including your actual name, and potentially other identifying characteristics related to your medical condition, there’s a strong possibility that HIPAA is going to apply in those situations,” Tschider said.
The Markup found trackers on the Nemours site through our website scanning tool, Blacklight.
A scan on May 9 showed the main website of the children’s health network, which boasts more than 95 locations in four states, had nine ad trackers and 10 third-party cookies. But its scheduling site had more than double the number of trackers, with 25 ad trackers and 38 third-party cookies, including from companies like Facebook, Amazon, and Google. There were also trackers from data brokers like Oracle, a tech giant that boasts data insights on more than 80 percent of the U.S. internet population, the advertising platform MediaMath, and LiveRamp, which operates a data marketplace.
Blacklight also detected a session recorder on the page from the company Mouseflow. Session recorders can potentially track what people click on a page. Mouseflow’s website states the company will sign a Business Associate’s Agreement, a legal agreement that needs to be in place to allow a HIPAA-covered organization to transfer covered health data to a third party. When we asked whether such an agreement was in place between Nemours and Mouseflow, Mouseflow did not respond to the question.
“Mouseflow does not allow the recording of PII or PHI. Mouseflow automatically masks IP addresses and all information website visitors are typing into form fields and search fields. This information is not being recorded,” Jakob Ohlsen Baagø, director of enterprise sales at Mouseflow, wrote in an email. “According to our terms, our customers are not allowed to record any PII or PHI and Mouseflow offers all the necessary tools to easily comply with this.”
Nemours Children’s Health did not respond to our requests for comment.
Facebook collects data from websites through the Meta Pixel, an analytics and marketing tool that developers can install on their websites. In 2018, Facebook told U.S. lawmakers that its pixel was embedded in more than two million websites.
The pixel can log specific actions on a page, like if a person adds an item to their shopping cart on a retail site or signs up for a free trial of a product. The pixel is also present on non-commercial sites. The Markup recently found Facebook trackers on the Department of Education’s federal student aid application site. In that case, we found that Facebook was receiving such information from the FAFSA site as an applicant’s first name, last name, country, phone number, and email address.
Meta spokesperson Dale Hogan told The Markup that the company has systems that are supposed to detect and block sensitive health information coming from the pixel and other tracking tools.
“Advertisers should not send sensitive information about people through our Business Tools as doing so is against our policies. While our system is designed to filter out potentially sensitive data it is able to detect, we are reaching out to Nemours Health directly,” Hogan said in an emailed statement.
The Markup could not determine whether the Nemours data was in fact removed before storage, and Hogan did not comment on whether or not the data was retained or used by Facebook. A recent joint investigation by Reveal and The Markup found that the filters did not block information about appointments a reporter requested with crisis pregnancy centers.
Pixels are primarily used by marketers who want to run targeted ads based on the data that Facebook collects—and hospitals aren’t immune to advertising needs. Health care companies spent more than $2.5 billion on marketing in 2018, according to a study in the Journal of Medicine and Life.
The study noted that digital marketing gives the health care industry the “potential to significantly increase its coverage.” But privacy advocates worry that such marketing campaigns could end up leaking sensitive information about patients.
“The hospitals have been incredibly greedy in trying to take advantage of social and digital media to capture potential new patients and to retain existing ones,” Jeff Chester, executive director of the Center for Digital Democracy, said. “They mindlessly adopted Facebook’s pixel at the beginning of Facebook’s expansion without thinking of the consequences.”
AddThis, a marketing company that Oracle bought in 2016, has trackers on the scheduling page but not the main website. The company offers a free tool that loads tracking cookies and pixels, claiming to collect “up to 30 data points” from each visitor, The Markup reported in 2020.
“Once companies know there’s a child that’s sick in the household, you can market to that child quite differently, you can appeal to emotions better, you can market to the family,” Katharina Kopp, the deputy director of policy at the Center for Digital Democracy, said. “The data that is out there undermines our rights to move around without being profiled and compared to people like us.”
Experts said HIPAA requires covered entities like Nemours to protect health information that is linked to 18 kinds of personally identifiable information, including IP addresses.
“So using a name, an appointment date, or an IP address in connection with health services of a covered entity would likely qualify for HIPAA [protected health information] status,” Tschider, the Loyola professor, said.
The law provides an exemption for de-identified health information or in specific instances where patients consent to sharing their information. While the Meta Pixel hashes patients’ names before it collects that data from Nemours’ website, hashing would not prevent Facebook from being able to link a patient to their Facebook profile. In addition, the data can be sent alongside Facebook cookies that allow Facebook to link a user of the scheduling site to their Facebook profile and an IP address.
“It is particularly unfair to do this about children,” Kopp said. “This is going to stick with the family and the child, potentially, for the rest of his or her life.”
This article was originally published on The Markup and was republished under the Creative Commons Attribution-NonCommercial-NoDerivatives license.