Four of the state’s largest health care systems sent sensitive patient information to Facebook, according to a report published Thursday by The Markup and STAT.
The story implicated Atrium Health Carolinas Medical Center, Duke University Hospital, Novant Health and WakeMed.
The Markup tested the websites of Newsweek’s top 100 hospitals in America. The publication found 33 of them used a tracker called the Meta Pixel, which sends Facebook a packet of data whenever a person clicks or taps a button to schedule a doctor’s appointment.
Potential information Facebook could have received includes patients’ health conditions, allergies and sexual orientations.
The Meta Pixel sends information to Facebook via scripts running in a person’s internet browser, so while individuals are not identified by name or home address, the data packet passes along an IP address that can be used in combination with other data to identify an individual or household.
A Duke Health spokesperson told WRAL News it planned to remove the Meta Pixel “as soon as possible” from its website.
“Duke Health is committed to protecting the privacy of health information of our patients,” Duke Health wrote in a statement. “Upon investigation of the issue raised in the report that appeared this morning, we have removed the Meta Pixel image.”
A Novant Health spokesperson said it has also removed the Meta Pixel from its website. Novant Health also issued a written statement.
“We take privacy and the care of patient information very seriously at Novant Health and we value the trust our patients place in us to keep their medical information private,” Novant Health wrote. “Approximately two years ago, we engaged a third-party vendor to help us develop and implement a campaign designed to encourage individuals to sign up for MyChart.
“The goal of this endeavor was to get more people to take advantage of virtual care opportunities, especially since COVID was having a significant impact on how people preferred to receive care, as well as on our resources to provide in-person care. We used tracking pixels to determine how many people signed up for MyChart, not what they did after they signed in.”
WRAL News has reached out to Atrium Health Carolinas Medical Center and WakeMed with a request for comment. WRAL News has also reached out to Meta, which is Facebook’s parent company.
In June 2021, WRAL News reported that health apps are not always covered by the same medical privacy laws, such as HIPAA, that protect information patients share with a doctor in person. Even when HIPAA rules do apply, they may not cover all the data an app collects.