Meta Pixel under fire in NHS data breach

Daniel Hunwick

Living in the new age of technology means that many of us have observed dramatic shifts in our lives, oftentimes for the better. In the medical field alone, transformative changes made possible by advances in artificial intelligence and medical coding have given us the ability to monitor, analyse, and collect health data.

However, every breakthrough brings with it new hurdles. The failure of large corporations to adhere to data protection legislation in the UK and US is creating more distrust between patients and healthcare providers. The ways in which data is currently collected and traced may well need to adapt to prevent tech conglomerates from exploiting patients’ private information for marketing. 

Although they abide by data protection laws, tracking pixels are used to help companies market to their target audience. Unseen, they can be embedded into adverts inconspicuously. Tools such as Google Analytics and Facebook Pixel work with companies, using cookies to gather ‘unidentifiable’ – that is, anonymous – information to customise advertisements for a particular consumer. Most apps you use – from Pizza Hut to Uber – use location data to determine your whereabouts.

While it may seem arbitrary for companies to gather basic information from customers, when it comes to healthcare, the collection and selling of personal data is cause for concern. Where sensitive medical information is concerned, data tracking can pose a direct and notable risk to users’ privacy. This is becoming evident in the US, where law enforcement may request private, personal, and medical data from companies when investigating abortions in banned states.

US conglomerate Meta has faced legal action in both Europe and the US for the illicit tracking of users’ data, obtained via a specific piece of embedded code known as the ‘Meta Pixel’. This code enables tracing of a user’s online activity to create personalised ads targeted to each individual: the technology behind the eerie experience of receiving an ad for a product you need but don’t remember searching for.

The key danger here arises when this information is tracked without explicit user consent or even awareness. Under the General Data Protection Regulation (GDPR) privacy law, enforced throughout the European Union, cookie consent must be obtained before any information is collected – or shared. Any data collected without GDPR adherence is an infringement on users’ privacy. An even greater breach of privacy occurs when this data includes sensitive medical information.

The most recent Meta Pixel controversy, uncovered by an enquiry from The Observer, concerned just that. Twenty NHS trusts are now under investigation by the Information Commissioner’s Office after the Meta Pixel tool was discovered embedded in their respective NHS portals and websites. In a gross breach of privacy, the identifiable medical information collected – including access to mental and sexual health services – was shared with what The Observer described as ‘tech giants’ to create and direct identity-specific ads to users.

Statements from NHS Trusts in England have given assurances that they had no prior knowledge of the pixel’s activation, and several of the concerned NHS Trusts have removed the Meta Pixel code. However, after years of undisclosed activation and upwards of 22 million in England alone illegally tracked, pixel deactivation, for many, is just not enough.

The Meta name may be familiar; the company owns several widely used social media platforms including WhatsApp, Instagram, and Facebook – the centre of the infamous Cambridge Analytica scandal back in 2018, in which personal information was, again, collected without the user’s knowledge and shared to create, most notably, targeted political ads. Meta settled the resulting class action suit with a payout of £600 million in December 2022, but was heavily criticised for its lack of accountability or any future data safeguarding policies.

Unfortunately, these are far from isolated events. Meta was fined £1 billion by Ireland’s Data Protection Commission for the same data tracking offence just a month before the NHS data breach was publicised.

In the US, where GDPR does not apply, HIPAA (the Health Insurance Portability and Accountability Act) is responsible for protecting an individual’s ‘personal health information’, including online. Collection of private medical data by Meta, or any company, without an individual’s consent, violates HIPAA and constitutes grounds for prosecution. Federal lawsuits have been filed by American individuals claiming their personal information has been illegally collected and exploited by Meta, using the Meta Pixel, for marketing purposes. 

The challenge of medical data breaches, however, is that only the US government is allowed to file a lawsuit specifically regarding a HIPAA violation. Despite a history of data exploitation by Meta and a failure to ensure private medical information has been ‘de-identified’, as HIPAA specifies it must be, plaintiffs are having difficulty standing against such a huge monopolising conglomerate on their own. What’s more difficult is that the ‘successful’ lawsuits filed against Meta for HIPAA violations have often ended in monetary settlements, essentially absolving Meta from any serious liability. 

In 2022, a settlement of $90 million was reached with Meta in the Northern District of California following the discovery of the Meta Pixel in online hospital networks – a violation almost identical to this recent NHS data breach. These lawsuits, along with building public backlash against a clear violation of personal privacy online, open up a discussion about the role of Big Tech and personalised marketing in the future. 

The convenience and excitement of new technology are closely followed by apprehension and fear of a loss of privacy and data autonomy. As regulations and acts instituted to protect users’ data from exploitation seem to once more fail, the NHS is again shrouded in controversy.

References

Bhuiyan, J. (2023) ‘Health data privacy post-Roe: can our information be used against us?’, The Guardian, 24 June. <https://www.theguardian.com/us-news/2023/jun/24/health-data-privacy-protection-roe-abortion-tech-laws> accessed 27 June 2023. Online.

Das, S. (2023) ‘NHS data breach: trusts shared patient details with Facebook without consent’, The Observer, 27 May. <https://www.theguardian.com/society/2023/may/27/nhs-data-breach-trusts-shared-patient-details-with-facebook-meta-without-consent> accessed 27 June 2023. Online.

European Data Protection Board (2023) ‘1.2 billion euro fine for Facebook as a result of EDPB binding decision’, 22 May. <https://edpb.europa.eu/news/news/2023/12-billion-euro-fine-facebook-result-edpb-binding-decision_en.> accessed 25 June 2023. Online.

Ganiyu, I.S. (2021) ‘Facebook Pixel vs Google Analytics: 5 Critical Differences’, Hevo Data, 25 June. <https://hevodata.com/learn/facebook-pixel-vs-google-analytics/> accessed 26 June 2023. Online.

Graves, K. (2023) ‘Surrey NHS trust apologises after Facebook patient data breach’, Surrey Live, 31 May. <https://www.getsurrey.co.uk/news/surrey-news/surrey-nhs-trust-apologises-after-27025612> accessed 26 June 2023. Online.

Ikeda, S. (2023) ‘Sensitive Patient information was Sent Through Meta Pixel by NHS Trusts’, CPO Magazine, 31 May. <https://www.cpomagazine.com/data-privacy/sensitive-patient-information-was-sent-through-meta-pixel-by-nhs-trusts/> accessed 26 June 2023. Online.

McCallum, S. (2022) ‘Meta settles Cambridge Analytica scandal case for $725m’, BBC News, 23 December. <https://www.bbc.co.uk/news/technology-64075067> accessed 25 June 2023. Online.

Vittorio, A. (2022) ‘Meta’s Pixel Cases Stir Trouble for Health Site Tracking Tools’, Bloomberg Law, 10 August. <https://news.bloomberglaw.com/privacy-and-data-security/metas-pixel-cases-stir-trouble-for-health-site-tracking-tools> accessed 26 June 2023. Online.

Wetsman, N. (2022) ‘Meta sued for violating patient privacy with data tracking tool’, The Verge, 2 August. <https://www.theverge.com/2022/8/2/23288612/meta-hosptials-sued-patient-privacy-facebook-data-hipaa> accessed 26 June 2023. Online.

Published 08-08-2023
