WakeMed warns nearly 500,000 patients of unplanned health data sharing with Facebook


WakeMed may have mistakenly sent sensitive health information to Facebook, the health system warned in a letter sent Friday to hundreds of thousands of patients.

The health system sent the letter to about 495,000 patients who logged into a MyChart account or scheduled an appointment on its website between March 2018 and May 2022.

The health system had a digital tracker called the ‘Meta pixel’ installed on these pages, which could have sent Facebook information about patients’ health conditions, contact information and vaccination status.

“WakeMed has been unable to determine whether Facebook actually collected or used any of the information sent from its pixel,” the press release read.

Meta, Facebook’s parent company, markets the pixel as a way for companies to track the effectiveness of targeted advertisements by following users’ online activity after they see the ad in question. WakeMed installed the pixel in 2018 for “website optimization and to improve the user experience,” the letter to patients read.

WakeMed — which serves hundreds of thousands of patients a year — removed the pixel in May after being contacted by The Markup, a technology investigative news outlet that originally reported the data leak.

Duke University Hospital and Atrium Health Carolinas Medical Center also installed the pixel on their appointment scheduling pages. However, WakeMed and Novant Health additionally installed the pixel on their password-protected patient portals, potentially giving Facebook access to even more sensitive information from confidential health records.

That personal health data was sent to the advertising giant along with an IP address, which could be used to trace the health data back to a specific individual or household, according to The Markup’s investigation.

Novant Health sent a similar letter to more than a million patients in August.

What data was collected

The pixel on WakeMed’s websites could have collected and sent the following data to Meta:

  • Contact information like email address, phone number and emergency contact

  • Information inputted during online check-in like allergies and COVID vaccine status

  • Information about an upcoming appointment like appointment type and date, doctor name, and button/menu selections

Social Security numbers and financial information were not sent to Meta unless they were entered into one of the site’s text boxes, according to the letter from WakeMed.

WakeMed said it’s unaware of Facebook improperly using the data sent from its patient portal.

“Meta has policies and filters that block sensitive personal data from being incorporated into its advertising programs and does not use any such information,” the letter to patients read.

However, several concerns have been raised about how well those filters work. Meta told New York investigators that its filtering algorithm was “not yet operating with complete accuracy” in 2021.

WakeMed said it has no plans to use the Meta pixel again, unless it is assured that the pixel does not transmit sensitive or identifiable information. The health system has begun reviewing its policies on website user data and plans to make changes to improve patient privacy and prevent similar situations from happening again, the letter read.

Shortly after the news of the data leak broke in June, two state representatives — Reps. Brian Farkas, a Greenville Democrat, and Donny Lambeth, a Forsyth County Republican — asked the N.C. attorney general to look into whether hospitals violated consumer protection or privacy laws.

The office of the attorney general said it was “actively investigating this matter” in June, but did not comment on the status or targets of the investigation when asked by the N&O on Monday.

Teddy Rosenbluth covers science for The News & Observer in a position funded by Duke Health and the Burroughs Wellcome Fund. The N&O maintains full editorial control of the work.
