What is Meta Pixel, the code detected on health system websites in NC and beyond?
Four of North Carolina’s largest health care providers sent patient information to Facebook through a tool called Meta Pixel, a recent news report revealed, raising concerns about privacy breaches.
On Friday, a class action complaint filed in federal court in San Francisco alleged a health data breach. It accuses Meta, Facebook’s owner, of violating the Electronic Communications Privacy Act and other privacy laws by “intentionally intercepting” user data.
But what is Meta Pixel?
Meta Pixel is a snippet of code used to track visitor activity. It has also been called Facebook Pixel.
Pixel collects information about what a user does on a website and what websites do in response, according to Meta for Developers, a Facebook site.
The information is sent to Meta, which returns information to website owners about how people use their sites and allows them to determine what ads users will see online and much more.
Events that are commonly recorded by Pixel include viewing a page, completing a registration form, adding payment information and scheduling an appointment.
This seems to align with how health systems were using it. Novant Health and WakeMed had installed Pixel in their respective patient portals. Duke Health and Atrium Health had Pixel on web pages for scheduling appointments.
A Novant Health spokesperson told the News & Observer Thursday that the health system used Pixel to determine how many people signed up for its patient portal, MyChart.
Novant, Duke and WakeMed had removed the code from their websites as of Thursday. Atrium had not removed Pixel as of Friday.
Meta’s policies prohibit collecting personal health information, and Pixel is supposed to filter that information out, a spokesperson told the nonprofit news organization The Markup. But in this case, health information may have been shared. And federal law requires that personal health data be kept confidential.
Privacy concerns
Justin Sherman, senior fellow at the Duke University Sanford School of Public Policy and head of its data brokerage research project, said Pixel is not the only tool that collects lots of user data. But the transfer of health information is concerning, given limits imposed by the federal Health Insurance Portability and Accountability Act.
“Health is really sensitive, and also matters here because one of the few privacy laws that exists at the federal level is HIPAA, which controls health data shared with what are called covered health entities, and hospitals fall under that category,” Sherman said.
Legal experts who talked to The Markup and STAT News, the two journalism outlets that originally reported the potential data breach, said the use of Meta Pixel in patient portals could be a violation of HIPAA.
HIPAA prohibits health care providers from disclosing patients’ information without their consent, and Pixel collected IP addresses, which could theoretically be traced to individual people.
“Knowingly or not, to have hospitals with all these trackers on their pages shows we need more attention to and care about protecting people’s health privacy,” Sherman said.
Pixel has come under scrutiny for collecting other types of data, too. In April, Pixel was implicated in a data breach that sent information from the Free Application for Federal Student Aid to Facebook.
Last week, two North Carolina Republican members of Congress, U.S. Sen. Richard Burr and U.S. Rep. Virginia Foxx, sent a third letter to the U.S. Department of Education seeking answers about the FAFSA breach. Burr and Foxx first wrote the department in May.
Burr and Foxx have demanded that the department hand over records about its relationship with Facebook to Congress by June 24.
This story was originally published June 20, 2022 at 6:00 AM.