Meta’s Pixel tool, used to monitor the performance of Facebook ads, enabled the collection of sensitive data from over millions of medical patients

Pixel is a monitoring tool that Meta offers to its advertisers in the form of a JavaScript code snippet. Previously called Facebook Pixel, this Meta script allows you to collect data about the activity carried out by visitors to a website. Although Pixel is legitimate, in recent months this monitoring tool has been involved in cases of improper collection of sensitive data.

Recently, the company Novant Health, a provider of health services in the United States, revealed through a statement that due to a misconfiguration of Pixel, it mistakenly collected personal data from more than 1.3 million patients who were treated at one of its clinics or health care facilities during the past two years. The company used this script on its site to monitor the performance of ads the company had run on Facebook for a COVID-19 vaccination campaign that started in November 2020. All data collected was sent to Meta.

But in addition to this script being added to the website, it was also added to the MyChart portal, which is a secure platform used by Novant Health —and also by many other health providers in the United States— and that allows people to take medical appointments and coordinate appointments, access results, contact a specialist, among other actions.

Information the company may have improperly collected includes: email address, phone number, IP address and contact information, appointment type and date details, chosen medical specialist, or other information added in a comment box. The statement clarifies that neither financial data of patients nor details of the social security number are at risk.

In May 2022 and after two years of use, Novant finally removed Pixel from the MyChart portal and its site after realizing the misconfiguration. In its statement, the company stated that once they realized that the collected information was being sent to Meta, they decided to remove the script as a preventive measure and began an investigation that ended in June this year. After that they began to communicate with the affected people. In addition, they stated that they contacted Meta on several occasions asking them to remove the information, but received no response. Likewise, there is also no evidence that Meta has used this information and no third parties.

As explained by a Meta spokesperson to The Markup, which also conducted an investigation involving the use of Pixel on hundreds of pages of clinics that perform abortions in the United States for the apparent collection of sensitive patient information, he stated that it goes against its policy that sites that use Pexel submit sensitive information about individuals through the tool. Also, the Facebook spokesperson added that Meta filters sensitive data if it detects that a site sends it and warns that it educates those who use the tool to configure it properly.

Research by The Markup looked at nearly 2,500 abortion clinic sites and found that 294 of these sites shared information with Facebook. Many of these sites collected extremely sensitive information, for example, providing information about whether or not a person was considering an abortion or a pregnancy test. In addition, it was discovered that at least 39 of these sites sent Facebook information such as name, email address and phone number.

It is important to mention that it is not known what happens with this information, since Meta has not provided further details when asked about specific cases involving the use of Pixel and the collection of information that supposedly should not be collected. On the other hand, a lawsuit against Meta and two medical centers in the United States, accusing the technology giant and its clients of collecting private information without people’s consent.