Recently, the company Novant Health, a provider of health services in the United States, revealed through a statement that due to a misconfiguration of Pixel, it mistakenly collected personal data from more than 1.3 million patients who were treated at one of its clinics or health care facilities during the past two years. The company used this script on its site to monitor the performance of ads the company had run on Facebook for a COVID-19 vaccination campaign that started in November 2020. All data collected was sent to Meta.
But in addition to this script being added to the website, it was also added to the MyChart portal, which is a secure platform used by Novant Health —and also by many other health providers in the United States— and that allows people to take medical appointments and coordinate appointments, access results, contact a specialist, among other actions.
Information the company may have improperly collected includes: email address, phone number, IP address and contact information, appointment type and date details, chosen medical specialist, or other information added in a comment box. The statement clarifies that neither financial data of patients nor details of the social security number are at risk.
In May 2022 and after two years of use, Novant finally removed Pixel from the MyChart portal and its site after realizing the misconfiguration. In its statement, the company stated that once they realized that the collected information was being sent to Meta, they decided to remove the script as a preventive measure and began an investigation that ended in June this year. After that they began to communicate with the affected people. In addition, they stated that they contacted Meta on several occasions asking them to remove the information, but received no response. Likewise, there is also no evidence that Meta has used this information and no third parties.
As explained by a Meta spokesperson to The Markup, which also conducted an investigation involving the use of Pixel on hundreds of pages of clinics that perform abortions in the United States for the apparent collection of sensitive patient information, he stated that it goes against its policy that sites that use Pexel submit sensitive information about individuals through the tool. Also, the Facebook spokesperson added that Meta filters sensitive data if it detects that a site sends it and warns that it educates those who use the tool to configure it properly.
Research by The Markup looked at nearly 2,500 abortion clinic sites and found that 294 of these sites shared information with Facebook. Many of these sites collected extremely sensitive information, for example, providing information about whether or not a person was considering an abortion or a pregnancy test. In addition, it was discovered that at least 39 of these sites sent Facebook information such as name, email address and phone number.
It is important to mention that it is not known what happens with this information, since Meta has not provided further details when asked about specific cases involving the use of Pixel and the collection of information that supposedly should not be collected. On the other hand, a lawsuit against Meta and two medical centers in the United States, accusing the technology giant and its clients of collecting private information without people’s consent.
Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.