GREENSBORO, N.C. (WGHP) – Novant Health and Atrium Health Carolinas are among a group of the nation’s largest and most prestigious health care systems that have been providing sensitive patient information to Facebook.

An investigation by The Markup and STAT, two nonprofit medical news organizations, found that those systems – along with Duke University Hospital and WakeMed – were among roughly a third of the hospitals on Newsweek’s list of top 100 that used a tracker called Meta Pixel that sent sensitive material to Facebook whenever someone clicked on a link to schedule an appointment.

Novant Health is on the list of medical systems that are providing patient data to Facebook.

The list of hospitals using the tool included Johns Hopkins University, UCLA Reagan Medical Center, New York Presbyterian and Northwestern Memorial.

The Markup described how the data is connected to an IP address that provides contact with the patient’s information. That IP address was provided to Facebook. It’s unclear what Facebook might be doing with that data, but the investigation was clear that this was a link that could provide more insights into a patient’s medical history, treatment and other private details.

Atrium Health-Carolinas is one of 33 hospitals found by The Markup to have sent patient data to Facebook.

WGHP reached out to Novant, which is based in Winston-Salem, and Atrium Health Carolinas, which is based in Charlotte but in 2020 purchased Wake Forest Baptist Health.

“Because privacy is critically important to us, we have stringent, effective safeguards in place in our digital environment. We will continue to monitor and validate the tools we use to best serve our communities,” Dan Fogleman, of Atrium’s media relations staff in Charlotte, said in a reply.

“We take privacy and the care of patient information very seriously at Novant Health and we value the trust our patients place in us to keep their medical information private,” Ashton Miller, a public relations manager for Novant, wrote in an email. “Approximately two years ago, we engaged a third-party vendor to help us develop and implement a campaign designed to encourage individuals to sign up for MyChart. The goal of this endeavor was to get more people to take advantage of virtual care opportunities, especially since COVID was having a significant impact on how people preferred to receive care, as well as on our resources to provide in-person care. We used tracking pixels to determine how many people signed up for MyChart, not what they did after they signed in.

“When we were notified about this Meta Pixel, we immediately removed the pixel while we investigate the matter. According to Facebook’s Terms and Conditions, they have policies and filters that block sensitive personal data.”

Sensitive patient info

The Markup reported that Novant and WakeMed were among seven hospital systems that had installed Meta Pixel inside password-protected portals for patients. The exposed data included patients’ sexual orientation, dosage and names of prescriptions and allergies, The Markup reported.

The Markup also recruited patients to participate in something it called the “Pixel Hunt,” a crowdsourcing collaboration with Mozilla Rally in which patients sent The Markup data on the Meta Pixel as it appears on sites that they visit.

The report said that “the data sent to hospitals included the names of patients’ medications, descriptions of their allergic reactions, and details about their upcoming doctor’s appointments.”

Atrium Health and Duke were found to use the tracking tool on their appointment scheduling page, and The Herald-Sun in Durham reported that as of Thursday morning, Atrium’s page was continuing to send information to Facebook.

The Herald-Sun reported that Duke Health removed Meta Pixel from its scheduling page after the report brought the issue to the hospital’s attention. “Duke Health is committed to protecting the privacy of health information of our patients,” officials said in a statement.

Violation of HIPAA?

The Markup said that data, legal and privacy experts it had contacted indicated that these hospitals may have violated the federal Health Insurance Portability and Accountability Act – commonly referred to as HIPAA – which prohibits medical professionals and facilities from sharing personal information with third parties like Facebook without specific permission of the patient.

The Markup said those 33 hospitals reported serving 26 million patients in 2020. The report said that the data-sharing could go beyond the 100 examined.

A spokesperson for Meta, Facebook’s parent company, told The Markup that Meta has a filtering system to remove sensitive health data before it is stored for access by advertisers. The Markup said it was unable to determine if that in fact worked.