Facebook is receiving sensitive medical information from hospital websites (themarkup.org)
245 points by HieronymusBosch on June 16, 2022 | 75 comments



I cannot believe anyone in these comments is defending Facebook on this.

Should the hospitals have been better so this sensitive data doesn't get to Facebook? Yes.

But we cannot excuse the privacy invasive practices of Facebook and Google (I would be shocked if google was not also getting this data somehow).

And this is not just hospital data, it is certain sensitive apps (I really don't need or want Facebook to know every time I open Grindr); nearly every single thing we do, these companies find a way to find out, because they weasel their way in by offering some helpful feature that a developer would want to use.


It is a bit sad to see the smartest engineers in the world all working towards implementing and maintaining the largest spying apparatus in history.

We should be focusing on learning from and highlighting people who are working to make the world a better place - and not focusing on employees from these companies. Any online news aggregator could institute a policy to not promote products or services of these companies. Unfortunately, many startups are operating with the hope that these companies acquire them, and so they're all too happy to continue extending this spying apparatus even further into other domains.


> It is a bit sad to see the smartest engineers in the world all working towards implementing and maintaining the largest spying apparatus in history.

It is inevitable when society promotes "fiduciary duty" and "I got mine" as apex values for corporates and individuals, respectively. Unfettered selfishness cannot get to a globally optimal solution, despite what any free market zealots may tell you.

The collective good is out of fashion - it has been for a long time, TBH, but now it is unapologetically so.


Are the best ones doing this? Or is it just sociopathic ones?


It's not a "spy apparatus". It's an ad company... and people from all over the world use these services because it does make their lives easier.


I have turned off I think hundreds of ad targeting switches in Facebook, Google, Windows, and LinkedIn, and despite the incessant passive-aggressive warnings about how ads will be "less relevant", I don't find them to be worse.

I hope you're not one of the weirdos who likes to contradict people and say we are all fooling ourselves and the algorithm knows all.


I have to add something to this.

This post is 45 minutes old and is almost now on page 2 of Hacker News. Shit like this has become the norm! We don't think about it anymore. That is a huge problem. We cannot allow this to be normal!

Ultimately we are the ones that built these tools. Use them.

I know the post rank isn't everything, but people just seem to not care anymore. We should be the ones that care the most because we actually understand (at least more of it) that this is happening in the first place and how it works. But also the dangers of things like this being moved to server side and completely hidden if nothing is done.


Unfortunately, all of the world's richest people seem pretty set on getting rid of privacy as a concept altogether.

https://www.forbes.com/sites/worldeconomicforum/2016/11/10/s...

>Once in a while I get annoyed about the fact that I have no real privacy. Nowhere I can go and not be registered. I know that, somewhere, everything I do, think and dream of is recorded. I just hope that nobody will use it against me.


Mostly because governments don't do shit to stop them, and even when they do, Facebook makes millions from that data, and is then fined a few percent of the money earned.

Fines for a single act like this should be multiple times higher than whatever possible income they could get by gathering data like this.


It saddens me that we need the government to step in on cases like this.

Why has invading users' privacy become normal? While Facebook and Google are the largest, it has become common that smaller companies are doing this to pad their bottom line.

As developers we should be pushing back on this. Not using these tools from Facebook and Google that just grow their grip on the web. The tools that invade user privacy in completely invisible ways.


I'm not sure if the developers pushing back is the answer.... it's like a McDonald's burger-flipper pushing back on McDonald's shitty meat.

I usually don't believe in regulation, but here is an obvious case for regulation... Does a company/app legitimately need data X for the app/service to work? No? Then it's not allowed to collect, store and resell that data. If it does, it should be fined way more than the data is worth. Did they collect the data for one thing (eg. location data for playing Pokemon Go) and are using it for another (ad targeting)... again, a huge fine.


Yeah I guess, I am not against regulation. And it is clearly needed.

It is just more being sad we are at this point.


> It saddens me that we need the government to step in on cases like this.

Every time I see this I chuckle. The first public companies ever created had just two lines of business: selling drugs and selling slaves.

The only reason they ever stopped was because government stepped in. The expectation that developers can do something is delusional; you need men with guns. I suppose some vigilante citizen militia could also work though.


Why are the hospitals installing a FB/Meta tracker in patient portals? HIPAA is generally taken seriously in industry - this is a weird oversight.


"but we want to know how long they stay on each page of the app and it's free!"

Was the response I got when I explained the issue with Google Analytics in patient portals.


I've had so many clients insist that Google Analytics is absolutely necessary for their site or app since they need to know as much as possible about who is visiting.

In most cases these same clients never even look at the analytics as the dashboard is too confusing and generating reports too cumbersome.


I can confirm that they did not use any of the data collected.


Can you elaborate on this? It's a patient portal. The patient is logged in, so you know who's visiting. They're visiting pages on your site tied to their own accounts, so you know as much as you can about what they're doing. Why do they need Google involved on this? I don't even understand the concept the clients are trying to convey. It's like someone saying, "I need to go to the store to get milk," but you open their refrigerator and it's full of gallon jugs of milk. What am I not understanding?


IP/location, device used to access, browser used, time spent on the site, other demographics and interests data that may not be part of their user profile but is available thanks to Google tracking cookies, etc.

Most (all?) of which could be developed on their own of course, but that costs more than a one liner to set up Google Analytics.

And again, none of this info was ever actually used. They just felt very strongly that they needed it to better understand their users and improve the experience at some far off future date.


Isn’t Matomo open source?


I guess I'm just surprised that the product owner (or whoever tends to fill that role in this space) isn't intimately aware of the privacy concerns. There's an entire market of HIPAA-compliant data storage/processing/etc. If there isn't a HIPAA-compliant web metrics solution, I guess that's my million-dollar idea (free for the taking, I have zero interest in building it myself).


This is a common refrain, and the implementers are baffled by any security or privacy concern about it.


Unless it is made into a regulatory compliance concern, they don't want to hear about it.


Because they are for-profit businesses and as such have a strong incentive to spend in ads and for these ads to be as effective as possible. FB and Google are just giving them the means to do so; we should be asking why it is that hospitals are allowed to have these strong economic incentives to begin with.


I complained to Kaiser Permanente that they had googletagmanager/doubleclick links all over their site.

This includes the pages to contact my doctor, view test results or even the feedback link for my complaint.

They played dumb for a while, but finally said "the website is a convenience". They also would not delete my account.


It's not uncommon for shit like that to be in a template that gets used across an organization.


Hospitals advertise, just like any other business. I’ve run campaigns (not Facebook) for maternity wards, cancer centers, rehab, etc. You need to track conversions and exclude current customers, so you need to place trackers in a lot of different places. And you give clear instruction to the marketing guy to not grab any PII, but they might do it anyway.


It's probably an element of the Electronic Health Records system they use. EHR systems are massive and complex, and the health care facilities are barely aware of all the functions and features. I'd say this is a failure of oversight on the EHR providers.


I work at Epic. This is not true. Hospitals have the ability to customize the portal we offer and add in what they want. We're not shipping with Meta Pixel enabled. They added this and didn't understand the full consequences (I hope). When we learned and understood the consequences, we called every customer to share what we know and investigate if they're impacted.

I can't speak to why the consequences weren't more obvious. I don't know. I do know that Epic cares deeply about this and I know that it pisses me off that this happens. But the tech people at hospitals are people and make mistakes. They're likely driven by the business needs and don't have time to fully vet everything.

I think this is a consequence of the American health system and of wanting to implement these products to increase profitability.


I had no idea which EHR vendor was involved.

Edit: I didn't read far enough into the story. I see that Epic was mentioned by name.

I stand by my assertion that it's on the EHR vendor. Did those hospitals specifically enable the private health data to be sent?


Yes. They specifically added Meta Pixel or added something else that added Meta Pixel.


A number of pharmacies in Sweden also sent a bunch of data (IIRC for example contents of shopping carts) to Facebook via the pixel. All of them are now under investigation by our data protection agency.


I'll probably get downvoted but this article seems highly sensationalized. It blames Facebook, while the blame should be on the hospitals who, for whatever reason, have the FB pixel code in locations where it shouldn't be.


You're suggesting that there are places where the "FB pixel code" should be?


Yes (relatively speaking, only).


The blame should fall squarely on the company providing the electronic health records system, and any regulatory agencies (like the FDA) that are supposed to be overseeing them. The hospitals buy these systems, which are massive and complex, they don't create them in-house. I would not expect them to have the expertise to do so.


More like “hospital websites are sending sensitive medical information to Facebook”


Just because some bad actors are using spyware doesn't mean the party who originally created the spyware shouldn't be considered complicit.

This isn't a case where a tool made for legitimate purposes is being misused, it's a case where the tool has no legitimate purpose.


Come on. This is a tool that has a legitimate purpose - if you buy advertising on FB, you use pixel trackers to find out if it was effective. Did the ad you showed the user lead to them doing the thing you want - buying a shirt, signing up for a newsletter, or in this case, making an appointment? They shouldn't be optimizing on medical search terms, but this is a problem with usage, not the tool.


I disagree. Exposing your users (including non-FB users who visit your website directly) to FB stalking isn’t a good enough justification (and in breach of the GDPR).

You can track advertising effectiveness yourself by having all your ads point to a unique URL with some query parameter (“campaign_id=123”) which preserves the privacy of everyone. FB can stalk their users on their own properties but at least non-FB users are protected from it.


That's true; I can also imagine how the discussions on the project went. Privacy was never mentioned at all.

OTOH, with that knowledge Facebook might probably want to filter certain keys and values.


Looking at the portal for my local hospital, I see a "Google Tag Manager". Right below that is a "Tracking Pixel" and the URL is "https://tags.w55c.net/rs?id=(somejunk)&t=marketing"

When I search whoisdomain "w55c.net" I find it is owned by Roku, Inc. 150 Winchester Circle Los Gatos, CA.

Am I doing this wrong or is the tracking pixel in my local hospital sending data to ... Roku... the company that makes the little streaming box I have hooked up to my TV?


You’re probably correct. Your hospital is probably running an advertising campaign through Roku and wants to track how successful it is, and exclude serving ads to existing patients (customers).

You can opt out here (ctrl f “ad personalization”): https://docs.roku.com/published/userprivacypolicy/en/US#:~:t....

Or global opt out (do this on all of your devices): https://optout.aboutads.info/?c=2&lang=EN


ohh. That makes sense. Thank you for the reply.


This is amusing:

> “We do not have an adequate level of control and explainability over how our systems use data, and thus we can’t confidently make controlled policy changes or external commitments such as ‘we will not use X data for Y purpose.’ ” Facebook engineers on the ad and business product team wrote in a 2021 privacy overview that was leaked to Vice.


This is super widespread, even in the UK. This is the patient portal for one of the two largest medical records systems in the UK: https://account.patientaccess.com/Account/Login

Open the network tab and there's a lot of gstatic network connections.


To be fair, the majority of those gstatic connections are for things like fonts. When you are actually logged in there's only one (for a font), and that is cached by the browser (because you've received it already).

Worryingly, I saw requests (that uBlock stopped) to https://exponea.com/, dc.services.visualstudio.com/v2/track, and googletagmanager, _and_ if I book an appointment it sends the details of the booking to the analytics service... that's pretty horrific.


I think the principle is that any page with my medical details on it should not load 3rd party JS from external sources. Regardless of its reported function, it's just not ok.


Serving fonts from Google is forbidden now in the EU.


That's a bit of a stretch of an interpretation - you can serve fonts via Google as long as you obtain permission, and it being illegal doesn't mean you're going to get put in jail. The case this came from fined the company €100.


It's more serious than that. From The Register:

> The ruling directs the website to stop providing IP addresses to Google and threatens the site operator with a fine of €250,000 for each violation, or up to six months in prison, for continued improper use of Google Fonts.


Hopefully, it's not actually written as dumb as it sounds:

Okay, so we don't serve fonts from Google-ish domains. We now serve fonts from freefontswithtracking.com, a wholly owned subsidiary of Alphabet! See, no longer serving fonts from Googs. /s


It isn't dumb, unless you consider the GDPR dumb. The court says it's easy enough to serve fonts yourself.


The trouble with this argument - and I write this as someone who is generally a strong proponent of privacy safeguards - is that the logical conclusion is the end of the WWW as we know it.

Balkanisation has been a concern for some time mostly because of government regulations in different jurisdictions that conflict.

However if a site can't import any externally hosted resources without getting explicit consent first then that breaks CDNs, payment services that require you to use their versions of scripts for security and/or regulatory reasons, services that host content where providing locally hosted alternatives might not be practical such as video or audio files or mapping data, and the list goes on.

Some reasonable middle ground is clearly needed here. Perhaps there could be some reasonable standard for privacy that those external services can meaningfully promise to maintain and then some sort of safe harbour provision where importing resources from privacy-respecting sources is acceptable. Of course that only works if services that promise to respect privacy and then don't will be hit with meaningful sanctions but the same is true of any obligations under GDPR and other privacy laws today.


> that breaks CDN

CDNs are already broken unfortunately. Both Firefox and Chrome use per-site caches [0].

> payment services that require you to use their versions of scripts for security, services that host content where providing locally hosted alternatives might not be practical such as video or audio files or mapping data, and the list goes on.

That's reasonable, and the GDPR doesn't stop you from doing that, but it does mean that you must tell the user that you're loading it from a third party, ask permission to do so, and list the data that you're sharing with that party in exchange for them providing those resources.

[0] https://developer.chrome.com/blog/http-cache-partitioning/


> CDNs are already broken unfortunately. Both Firefox and Chrome use per-site caches [0].

But many sites serve their own resources via a CDN for performance and resilience reasons. The major CDNs have the capability to record a lot of history about where systems reachable at a certain IP address have been visiting online. And of course it's impossible for a site that works that way to ask your permission before doing so because it has no way to communicate with you first. The same is true for other services like DNS.

> That's reasonable, and the GDPR doesn't stop you from doing that, but it does mean that you must tell the user that you're loading it from a third party, ask permission to do so, and list the data that you're sharing with that party in exchange for them providing those resources.

Which is the problem. The logical end result would be like the "cookie consent" junk but much worse. Do we really want a WWW where every service someone encounters needs explicit permission to do its job even if that job is simply to send some generic information to the IP address that requested it? Are we all going to have to download the DNS records for the entire Internet to our local systems every few minutes as well? What about other things we do online that necessarily involve remote servers, like sending an email? Does every system involved in forwarding a message I send to a dozen friends now have to contact me (how?!) and obtain my permission before forwarding the message to the next link in the chain?

There ought to be some reasonable limits to protect privacy. I don't think a website for a medical facility should automatically use Google Maps to show a route from a patient's home address to their facility. But in that case the information request on the user's behalf is much more specific. It's not just the user at 127.0.0.1 visiting some (unknown) site that uses a popular web font for its text and the user's browser then fetches the relevant data from Google Fonts without asking first.


Care to provide more details on what you mean by this?


Last time I looked I found https://patally.co.uk which does the same thing and doesn't have as much nastiness (it only has Google Fonts).


"Coming Next in the Pixel Hunt Series. This children's hospital network is giving kids' names to Facebook."

That's as good a teaser as I've ever seen


Oracle just spent $28B on Cerner [1], one of the two largest providers of electronic patient medical records systems. I happen to know personally that at least one of the hospitals mentioned uses Cerner and has used it since the 90s. This sharing of sensitive medical information thing is just going to get worse, unless Congress and the FDA step up strongly.

[1] https://techcrunch.com/2022/06/07/oracle-quietly-closes-28b-...


Congress already stepped up in 1996 and 2013. Sharing sensitive medical information like this is already illegal.


I meant in terms of oversight and enforcement. We know that multiple administrations have sought to shrink, or even cripple, federal regulatory agencies. Just because there are laws on the books doesn't mean there's sufficient regulatory power or money to ensure they are followed. An after-the-fact prosecution isn't good enough. Any healthcare provider will tell you that prevention is far preferable to any treatment needed once the patient is sick.


UCHealth’s app does this, and clearly knowingly because it’s spelled out in the Privacy Policy page.


I just loaded their webpage up with Network Inspector and found a Tiktok tracking pixel.

Fucking disgusting.


Does anyone know how to tell the FB "pixel" to stop sending the query string to Facebook?

Facebook now alerts you if you're sending what looks like PII to them in the query string, e.g. parameters named "first_name", but after extensive Googling I couldn't find any way to tell the FB code to strip off the query string before sending conversion events back to the mothership.

It's not exactly easy, but with Google Analytics it's at least possible to redact the URL before it gets attached to the transmitted event.

The only thing I could think of to do for Facebook was to use a redirect (or the History API) to strip the query off the URL before loading the FB pixel, but this will break any other embeds that are relying on query params for e.g. form-filling.
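The History API approach the post mentions, carried through as an added example (not the poster's code, and nothing from Facebook's or Google's tag libraries): the parameter names in `SENSITIVE_PARAMS` and the `__firstPartyParams` property are assumptions. It copies the PII-bearing parameters into memory for first-party form filling, then rewrites the URL with `history.replaceState` before any third-party tag loads, which avoids the form-filling breakage the post describes while leaving campaign parameters in place.

```javascript
// Added example: scrub PII-bearing query parameters from the page URL before
// any third-party tag script loads, keeping the values in memory so first-party
// form-filling code still works. The parameter names below are an assumption.
const SENSITIVE_PARAMS = ["first_name", "last_name", "email", "phone", "dob", "mrn"];

// Pure helper, usable outside a browser: returns the scrubbed URL and the
// removed values. Matching is case-insensitive; parameters not on the list
// (e.g. campaign_id used for first-party attribution) are left untouched.
function scrubUrl(rawUrl, sensitive = SENSITIVE_PARAMS) {
  const url = new URL(rawUrl);
  const lowered = new Set(sensitive.map((p) => p.toLowerCase()));
  const captured = {};
  // Copy the entries first: deleting while iterating a live URLSearchParams
  // would skip elements.
  for (const [key, value] of Array.from(url.searchParams.entries())) {
    if (lowered.has(key.toLowerCase())) {
      captured[key] = value;
      url.searchParams.delete(key);
    }
  }
  return { cleanUrl: url.toString(), captured };
}

// Browser entry point. Run it inline in <head>, before any tag-manager or
// pixel <script>; scripts that already executed have seen the original URL.
function scrubLocation(win = typeof window !== "undefined" ? window : null) {
  if (!win) return null; // not running in a browser (e.g. under a test runner)
  const { cleanUrl, captured } = scrubUrl(win.location.href);
  // Hand the values to first-party scripts that prefill forms (assumed name).
  win.__firstPartyParams = captured;
  if (cleanUrl !== win.location.href) {
    // replaceState changes location.href (and so what later scripts read)
    // without a reload and without adding a history entry.
    win.history.replaceState(win.history.state, "", cleanUrl);
  }
  return captured;
}
```

Anything the page itself wrote into the URL fragment, or sent in the Referer of requests made before this runs, is outside what the scrub can reach.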


> Does anyone know how to tell the FB "pixel" to stop sending the query string to Facebook?

It's like letting a burglar in your home after asking them not to rob you.

Maybe just not let the burglar enter in the first place?


I set up a DNS entry in my hosts file for all facebook/meta domains (https://github.com/jmdugan/blocklists/blob/master/corporatio...) to be blocked (routed to 0.0.0.0). This effectively blocks any data from the "pixel" because when it tries to send it, the request fails.


This goes to show how little enforcement there is for privacy laws in the United States.


> The Meta Pixel “hashed” those personal details—obscuring them through a form of cryptography—before sending them to Facebook. But that hashing doesn’t prevent Facebook from using the data. In fact, Meta explicitly uses the hashed information to link pixel data to Facebook profiles.

Anyone know what they are talking about? (and getting wrong in some way one way or another).


This is illegal under fed law and HIPAA, right?


> Former regulators, health data security experts, and privacy advocates who reviewed The Markup’s findings said the hospitals in question may have violated the federal Health Insurance Portability and Accountability Act (HIPAA). The law prohibits covered entities like hospitals from sharing personally identifiable health information with third parties like Facebook, except when an individual has expressly consented in advance or under certain contracts.

> Neither the hospitals nor Meta said they had such contracts in place, and The Markup found no evidence that the hospitals or Meta were otherwise obtaining patients’ express consent.


You really think that HIPAA prohibits distributing any data at all, providing it has a fig leaf of being deidentified?

I mean, aside from Facebook, how do you think people do medical research? Data sets are available to the public.

Decades ago, somebody showed that deidentification was completely meaningless because with just a few data points almost everybody can be relinked.

You are probably the only person in your zip code, with your gender, and your birthdate (including the year).

Distributing that information with any medical record you ever had is not prevented by anything I know of. As long as your name and SSN is not with it.


Illegal for hospitals to expose/sell this information. Not illegal for FB to receive it. The moment hospitals/providers start selling it there will be some business out there trying to aggregate and data mine it. Be it FB or Google or Amazon, the key thing is hospitals are breaking the law by exposing it even if they do it for some really silly instrumentation benefits.


Facebook is a curse on society empowered by the normies storming the internet.


Is "normies" a euphemism for "every day people"?... Jeez.



