How a news investigation shed light on potential patient privacy violations

Simon Fondrie-Teitler                                           Todd Feathers

There have been continuing repercussions from an investigative story published in June by nonprofit news organization The Markup, in partnership with STAT, describing how Facebook receives sensitive medical information from hospital websites. In a new “How I Did It,” Simon Fondrie-Teitler and Todd Feathers, two of the team members that worked on the investigation, spoke with AHCJ about how the story came about and what journalists can learn from the process. 

More about the story

The journalists’ investigation revealed that 33 of Newsweek’s top 100 hospitals in the country used a tracking tool called Meta Pixel on their websites that collected patient information and sent it to Facebook when they booked doctor’s appointments. The pixel tool was found inside the password-protected patient portals of seven health systems, where it was gathering details about patients’ medical conditions, prescriptions and upcoming medical appointments. 

The tool can be installed on websites to track user behavior; clicking on certain links automatically sends Facebook a packet of information connected to a computer’s IP address that can be linked to a specific person or household. 

The story shared how clicking the “Schedule Online Now” button for a doctor at Froedtert Hospital in Wisconsin, for example, prompted the pixel tool to send Facebook information linking the user to the doctor’s name and the condition selected from a dropdown menu: “Alzheimer’s.” 

It’s unclear if Facebook or any other third party did anything improper with the data received, but several hospitals, including UCLA Reagan Medical Center, Houston Methodist Hospital and Duke Health, removed the tracking tool from their appointment scheduling pages after being contacted by The Markup. 

The pixel tool also appears to have been removed from at least six of the seven patient portals, Fondrie-Teitler said. 

But the fallout continues. Lawsuits have been filed against UCSF Medical Center and Dignity Health in San Francisco, along with Meta Platforms; against MedStar Health System in Baltimore; and against Northwestern Memorial Hospital in Chicago; along with Meta, Facebook and Instagram. These were by plaintiffs upset that their private information was shared without their consent.

Novant Health in North Carolina said on August 12 that it had sent letters to 1.3 million patients who could have been affected by the pixel misconfiguration, Becker’s Health IT reported. The health system said the tracking tool was intended to help track the success of a promotional campaign to connect more patients to its MyChart patient portal, which involved Facebook advertisements. But it was configured improperly, which allowed Meta to obtain patient information such as email addresses, phone numbers, computer IP addresses, contact information and appointment details. 

This story is one of several in The Markup’s Pixel Hunt series. Additional investigations of the Pixel tool have focused on how Facebook and anti-abortion clinics are collecting information on would-be patientshow the Nemours Children’s Health network was providing personal information about children and their parents to Facebook, and how the online abortion pill provider Hey Jane used tracking tools that sent visitor data to Meta, Google and others.

The background

Two years ago, Markup senior data engineer Surya Mattu built a real-time web privacy inspector called Blacklight that could identify which websites contained Meta Pixel, Markup founder Julia Angwin wrote in a recent blog post. Using Blacklight, Mattu found the pixel was present on 30% of the top 100,000 websites. Then, The Markup began collaborating with Mozilla, which makes the Firefox web browser, to try to learn more. 

Mozilla has a project called Rally that lets users contribute their data toward public interest research projects. In January, The Markup and Mozilla launched a crowdsourced study of the presence of the pixel and the data it collects. Through the project, called Facebook Pixel Hunt, thousands of Firefox web browser users volunteered to download software that logged their interactions with Facebook’s pixel. Reviewing that data is what led to several investigative stories.

Fondrie-Teitler, an infrastructure engineer, was going through a list of the different domains that were sending data such as ZIP code, first name, last name and phone number to Facebook. He saw one from MyChart, an online portal to schedule medical appointments and check test results, etc., sold by the electronic health record Epic. “I was like, well, that seems bad,” he said. “Then, pretty quickly after that, I found a few other MyChart instances that were doing this. I had used MyChart in the past, so I knew what it was. And I had done HIPAA compliance work in the past, so I was thinking, ‘This seems to be a problem.’”

HIPAA is the federal Health Insurance Portability and Accountability Act, a law prohibiting hospitals and others from sharing personally identifiable health information with third parties except under a contract or with that person’s permission.

Here is part of AHCJ’s interview with Fondrie-Teitler and Feathers. Responses have been slightly edited for brevity and clarity.

How did the pixel tool get installed on hospital websites?

Feathers: I don’t feel like we have a level of clarity I still would like on it. We asked every hospital that we included in the story about how this happened. A few responded. Novant Health said they had a third party, like a vendor handling their marketing campaign, install it, and they released a statement. A couple of other hospitals said they had vetted it and installed it themselves. 

One distinction that’s important to note is that Facebook is not putting this unilaterally on hospital websites. Somebody at a hospital or working for a hospital is doing this. 

Fondrie-Teitler: We also don’t have any indication in terms of the MyChart ones that Epic, the maker of MyChart, is adding that there. From what we’ve seen, it’s been hospitals adding it.

How did you select hospitals to target?

Feathers: We chose these 100 hospitals just to have some kind of metric to show how widespread this was, but it’s obviously not perfect. We had a pretty strict criterion. When you were booking an appointment, the website had to send Facebook identifying information about the doctor, and it had to be when you clicked a specific button that said something like ‘Book an appointment’ or ‘Schedule online.’ There were a lot more hospitals where there were pixels present collecting all the information about the doctor pages you visit, but since you had to call to schedule an appointment at those hospitals, we didn’t include them.

Who did you contact at those hospitals? Executives? Public relations staff?

Feathers: Before we started to document our evidence, I reached out to a doctor at a hospital in Chicago to say, “Hey, I booked an appointment through the website with you. Here’s all the information that is sent to Facebook. Do you want to talk about this?” Within a couple of days of reaching that doctor, the pixel was gone off of that website. So, after that, we were very careful. We documented everything. Then we reached out to the PR folks. We also had a couple of conversations with people who had been regulators and also worked with hospitals in the kinds of executive positions that would handle this. 

How did you find volunteers to share their data?

Fondrie-Teitler: The Rally project had a site where you could go and install the browser extension where users could enroll and contribute data. Mozilla was sending some people there. When we announced this partnership with Mozilla, we put out an article that said here’s how you can go sign up for this. A lot of the signups were driven through that, and then we promoted it on social media and the like.

What were you most surprised by in reporting this story?

Fondrie-Teitler: I would say that [the tool] was there at all. I was definitely not expecting it to be active inside these patient portals, sending details like the date and time of an appointment for a doctor that a patient was meeting with, or the health surveys that patients were taking.

Feathers: I’m not a technical person so I couldn’t have done this without Simon’s know-how. But for somebody with that know-how, this is just out there in the open. Facebook doesn’t hide this…it took work for us to do [the investigation]. But it wasn’t like we had to get some source inside to leak us this information. That speaks to the bigger issue, which is that this tool is so ubiquitous, yet people know so little about how it works. You could end up in these places where nobody knows what data is being collected.

Do you have advice for people to try to protect their privacy?

Fondrie-Teitler: There are privacy extensions you can download that will block requests from Facebook and other sites, so potentially installing one of those is a good option. But I do think that it’s very hard at an individual level, especially for someone who’s not technical, to figure out how to do this.

Do you have thoughts on what will happen with the pending lawsuits?

Feathers: No, but I am very interested to see because prior to our story being filed, there had been a couple of lawsuits related to this, not solely about the pixel but about Facebook ad tracking on hospital websites that had gotten mixed results. As somebody who has a personal investment in this story, I’m really interested to see how the current law is applied to these situations given our findings, because lawyers are telling us that they think current laws are fine, they just need to be enforced. Other people tell us they need more federal privacy.

Fondrie-Teitler: The lawsuits are mostly under state law, in which I have no experience. 

What advice do you have for journalists looking to pursue similar stories?

Feathers: Any basic course or one-on-one learning on how apps and websites work, I would recommend to any journalist at this point. The tool that we used to do the tests is something that you can open in a web browser. I’ve never really worked with it before this story, but now that I have, it’s really easy to do. Get yourself familiar with basic open source tools.

Fondrie-Teitler: If you have people in your newsroom or organization that have expertise in these sorts of areas you can work more collaboratively and cooperatively with, I think that’s really helpful. 

Leave a Reply