Think about the Christmas shopping you’ve been doing online. Have ads for those same items been following you around the internet?
It’s not a coincidence: you’re being tracked! Not by a virus or malware, but by companies you know and trust.
A recent report revealed the private, protected medical data of thousands of local patients may have been sent to Facebook by a tracking pixel. So, 5 On Your Side set out to uncover what these pixels are and what else they’re exposing about you.
Alex Ondrick was one of the WakeMed patients who received a letter from the hospital in October. It warned him that some of his medical information may have been sent to Facebook.
“Interestingly, my mother also got the letter, my step-dad got the letter, several of my friends also got the letter,” Ondrick told 5 On Your Side.
A news outlet called The Markup found that WakeMed and Duke University Hospital were using a tracker on their websites called the Meta Pixel. We’re talking about a pixel, like the millions of pixels that make up the picture on your TV or computer screen.
“Those pixels can also be used to house code, to house information,” said former CIA Cyber Threat Analyst Clark Walton. “In this particular case, it’s a very unique piece of code that takes information regarding whoever is using that website at the time, and sends that back to the web server of whoever is implementing that. In the case at hand, it’s Meta or Facebook.”
Walton told us that the code can gather detailed information about your browsing habits, user preferences and what you click on. The owner of the pixel, such as Meta, gets that raw data. The information is then boiled down to marketing data and sent to the owner of the website.
“The technology is not specific to Meta, certainly could be anyone,” Walton said.
These pixels are on websites of all kinds, created and used by companies big and small. They’re invisible and you don’t get the option to block them like you do ‘cookies’.
“There’s not necessarily, to my knowledge, a way to opt out of if you go to a private website that’s using that pixel technology,” said Walton.
In The Markup’s reporting, various hospital websites were sending information about patients’ medications, allergies and even sexual orientation to Meta.
5 On Your Side reached out to both Duke Health and WakeMed, offering the chance to interview for this story. Both declined.
Duke Health officials sent a statement saying, “Duke University Health System values the privacy of its patients’ medical information. DUHS has investigated the use of the Meta Pixel on our website and patient portal and has determined that DUHS did not transmit its patients’ protected health information to Meta. We continue, however, to study the issue and may share additional information if and when appropriate given pending litigation and ongoing external investigations into these matters.”
WakeMed told us they shared information directly with patients who may have been impacted and set up a dedicated phone line and email address to address any additional questions or concerns.
“I reached out via email, expressed my concern,” Ondrick told 5 On Your Side.
And he got a response: a call from WakeMed’s Chief Compliance and Privacy Officer.
Ondrick praised that: “Very, very encouraged by WakeMed’s response.”
But he said the call didn’t offer the answers he was looking for. “Even in my conversation, I still don’t have a warm fuzzy on what all was transmitted in error, or if there was a misconfiguration. So, I don’t really know,” Ondrick told us.
Walton says any misconfiguration should have been caught when the pixel was installed. For WakeMed, that was 2018.
“They should be testing it and customizing it,” Walton said. “If I am the hospital’s regulatory attorney, I’m going to want to make sure that that program, that ad program, passes muster in terms of what information is that collecting on my patients as they’re using that web portal? And what of that information is actually being sent back to Meta and is that compliant with HIPAA? Is that going to identify those patients somehow and be non-compliant with HIPAA? Or is it done possibly in an anonymous way that could be in compliance with HIPAA?”
WakeMed, Duke and other hospitals, along with Meta, are all being sued over this Pixel issue.
“There have been violations of HIPAA, invasions of privacy, simply sharing that information,” said Gary Jackson, one of the attorneys who filed a suit against WakeMed. Jackson believes HIPAA was violated because hospitals didn’t get patients’ consent to share this data and it wasn’t anonymous.
“There was a benefit to WakeMed, no benefit to the patient and worse, no knowledge by the patient,” Jackson said.
It’s likely that patients like Ondrick will have to wait until the court battle plays out to fully understand how much of their medical history may have been compromised.
“I have a lot of questions and as a consumer, I want to make sure my data is safe and secure,” Ondrick told us.
UNC Health was not part of The Markup’s initial reporting, but we asked if they used Meta Pixel on their site. A spokesperson said they have used Meta Pixels in the past, but they did not clarify when. The spokesperson said UNC never used the Meta Pixel on any authenticated data where patient information was stored.
Here’s their complete statement: “UNC Health is committed to protecting patient privacy, especially in this age of digital information and electronic medical records. We recognize that our patients and their families trust us with their most personal health information. UNC Health has taken a conservative approach regarding tracking pixels on unchealth.org. There has been no use of tracking pixels on any authenticated data where patient information is stored, such as MyChart. UNChealth.org uses tools that analyze online traffic data, such as Hot Jar and gSight, to support consumer experience with navigation and useful content. These tools allow us to make improvements to the website.”
To protect your personal information online, Walton says:
- Treat web browsing like you’re in a crowded restaurant and people can see your screen.
- Know that even a secure website (https) may still send your data to a third party through a pixel.
- And check out a web browser called “Brave”. It’s free and claims it blocks trackers by default and never saves your private information.
Meta released a statement after The Markup’s initial reporting saying: “Advertisers should not send sensitive information about people through our Business Tools. Doing so is against our policies and we educate advertisers on properly setting up Business tools to prevent this from occurring. Our system is designed to filter out potentially sensitive data it is able to detect.”