Warner Expresses Concern Over Meta’s Collection of Sensitive Health Information – Press Releases

WASHINGTON — Today, U.S. Senator Mark R. Warner (D-VA) wrote to Meta CEO Mark Zuckerberg expressing concern and requesting more information regarding Meta’s practice of collecting information about users’ health through tracking apps.

In the letter, Senator Warner highlighted the need for user privacy and increased transparency about how user data is collected online, which has become increasingly important as the use of telehealth appointments, online appointment scheduling and electronic record keeping increased exponentially over the course of the pandemic.

“As we increasingly move healthcare online, we need to ensure that strong safeguards are in place around the use of these technologies to protect sensitive healthcare information,” wrote Senator Warner.

Specifically, Senator Warner drew attention to Meta Pixel, a tracking tool that sends Meta a packet of data each time a user clicks a button to schedule a doctor’s appointment – without the knowledge of the person making the appointment.

He continued, “I am disturbed by the recent revelation that the Meta Pixel was installed on a number of hospital websites – including password-protected patient portals – and the sending of sensitive health information to Meta when a patient made an appointment online. This data included highly personal health data, including patients’ medical conditions, appointment subjects, doctors’ names, email addresses, phone numbers, IP addresses and other details of patients’ medical appointments.”

Senator Warner also noted allegations that this data gathering and harvesting practice has been used by Meta to target advertisements on their platforms. In August this year, two lawsuits were filed against the company for allegedly unlawful collection and sharing of health data without consent.

To address these concerns, Senator Warner asked Meta to answer the following questions:

  1. What information does Meta access or receive directly from Meta Pixel, currently or previously?
  2. How does Meta store the information received via the Meta Pixel?
  3. Has the information Meta received from the Meta Pixel ever been used to inform targeted advertisements on Meta’s platforms?
  4. How does Meta handle sensitive information it receives from third parties that violate its business guidelines?
  5. What steps does Meta take to protect sensitive health information, especially with third-party vendors? Since The Markup’s report was published in June, what additional steps have been taken?
  6. According to the report released last year by the New York State Department of Financial Services, Meta said the screening system “is not yet working with full accuracy.” What improvements have been made to make the filtering system more efficient? How does Meta test and evaluate the filtering system’s ability to identify sensitive health information?
  7. Where required by law, does Meta always comply with all notice requirements when the Meta Pixel processes or transmits protected information, in the manner and within the time required by such laws?

Senator Warner has been a leader in Congress for increased transparency and protections around user data and privacy. He introduced the Dashboard Act, which works to increase transparency around data collection; the DETOUR law, which would ban companies like Meta from using deceptive dark schemes to manipulate users into handing over their data; and the Public Health Emergencies Privacy Act, which would establish strong and enforceable privacy and data security rights for health information.

A copy of the letter can be found here and below.

October 20, 2022

Dear Mr. Zuckerberg:

I am writing to you today to express my concern over Meta’s collection of sensitive health information through the Meta Pixel tracking tool without user consent.

As you know, I have long worked to protect user privacy and increase transparency about how user data is collected and shared. This mission is more urgent than ever as the past two years have shown us the importance of healthcare technology, with many relying on electronic health records, online appointment booking and virtual patient portals to receive care during the pandemic. As we increasingly move healthcare online, we must ensure that we have strong safeguards in place around the use of these technologies to protect sensitive health information.

I am disturbed by the recent revelation that the Meta Pixel has been installed on a number of hospital websites – including password protected patient portals – and the sending of sensitive health information to Meta when a patient made an appointment online. This data included highly personal health data, including patients’ medical conditions, appointment subjects, doctors’ names, email addresses, phone numbers, IP addresses, and other details about patient medical appointments. Additionally, recent allegations that Meta used Meta Pixel data to inform targeted advertisements on Meta’s platforms are of particular concern. Use of the Meta Pixel is widespread, as the tool was installed in the systems of 33 of the nation’s top 100 hospitals and inside the patient portals of seven health systems at the time of the survey.

Unfortunately, privacy issues involving the Meta Pixel are nothing new, as there has been prior review of the Meta Pixel outside of the healthcare context. Reports earlier this year revealed that the Pixel was sending personal information to Meta that had been collected from the Free Application for Federal Student Aid (FAFSA) on the website of the Federal Aid Office for Students (FSA) within the US Department of Education. The data sent to Meta includes the applicant’s first and last name, email addresses and postal codes. Additionally, this is not the first time your company has been involved in the illicit collection of sensitive health information. In 2021, an investigation by the New York State Department of Financial Services revealed that Meta (then Facebook) was collecting data about users of several health and wellness apps, including the results of blood pressure and heart rate readings, period and fertility tracking, pregnancy status and other deeply personal information.

Meta’s own business guidelines state that the business “[doesn’t] want websites or applications to send [Meta] sensitive information about people”, including sensitive health information, which Meta identifies as medical conditions, sexual and reproductive health, mental health, details regarding medical devices and trackers, treatments, test results, body specs or cycles, treatment locations and other healthcare-related data. Yet, in this most recent case and as we have seen previously, Meta continues to access this highly sensitive information.

It’s critical that technology companies like Meta take their role in protecting users’ health data seriously. Without meaningful action, I fear that these persistent privacy violations and harmful uses of health data will become the new status quo in healthcare and public health.

To address the concerns raised in this letter, I ask that you respond to the following questions by November 3, 2022:

  1. What information does Meta access or receive directly from Meta Pixel, currently or previously?
  2. How does Meta store the information received via the Meta Pixel?
  3. Has the information Meta received from the Meta Pixel ever been used to inform targeted advertisements on Meta’s platforms?
  4. How does Meta handle sensitive information it receives from third parties that violate its business guidelines?
  5. What steps does Meta take to protect sensitive health information, especially with third-party vendors? Since The Markup’s report was published in June, what additional steps have been taken?
  6. According to the report released last year by the New York State Department of Financial Services, Meta said the screening system “is not yet working with full accuracy.” What improvements have been made to make the filtering system more efficient? How does Meta test and evaluate the filtering system’s ability to identify sensitive health information?
  7. Where required by law, does Meta always comply with all notice requirements when the Meta Pixel processes or transmits protected information, in the manner and within the time required by such laws?

I look forward to your prompt responses.

Sincerely,

###