



NHS trusts are sharing personal details about patients’ medical conditions, appointments and treatments with Facebook without their consent and despite promises never to do so.

An Observer investigation has revealed covert tracking tools on the websites of 20 NHS trusts that have been collecting browsing information for years and sharing it with tech giants, resulting in a major breach of privacy.

The data includes details of pages viewed, buttons clicked and keywords searched. This is matched with the user’s IP address, identifiers associated with an individual or household, and often Facebook account details.

Information extracted by the Meta Pixel may be used by Facebook’s parent company, Meta, for its own business purposes, including improving its targeted advertising services.

Records of the information sent to the company by NHS websites show that it includes data which, when linked to an individual, may reveal that person’s medical details.

This information is collected from patients who have visited hundreds of NHS webpages on HIV, self-harm, gender identity services, sexual health, cancer, pediatric care and more.

It also includes details of when a web user clicks a button to make an appointment, order a refill, request a referral, or complete an online counseling course. Millions of patients may be affected.

This weekend, 17 of the 20 NHS trusts using the Meta Pixel confirmed they had removed the tracking tool from their websites.

Eight apologized to patients. Trusts said they initially installed tracking pixels to monitor recruitment and philanthropic campaigns but were unaware they were sending patient data to Facebook. The Information Commissioner’s Office (ICO) is investigating.

The Observer can reveal:

In one case, Buckinghamshire Healthcare NHS Trust shared data when a user viewed a patient handbook for HIV medication. The drug’s name and the NHS trust were sent to the company along with the user’s IP address and Facebook user ID details.

Liverpool’s Alder Hey Children’s Trust sent details to Facebook when users visited webpages on sexual development issues, crisis mental health services and eating disorders. It also shared data when users clicked to order repeat prescriptions.

London’s Tavistock and Portman NHS Foundation Trust shared data with Facebook when users clicked on the information page of the Gender Identity Service, which specializes in helping children with gender dysphoria. Data was also shared if a user browsed the webpage for its Portman Clinic, which provides professional support for sexual issues, and clicked on more information about how to browse the service.

Surrey and Borders Partnership NHS Trust shared data with Facebook when a patient clicked a button indicating that they were under the age of 18, lived in Brighton and wanted to use mental health services.

Other NHS trusts sent detailed receipts to Facebook when users visited booking pages or completed online self-help courses. Barts Health NHS Trust, which serves a population of 2.5 million in London, shared data with Facebook when users clicked to cancel or change a reservation or added a visit to a particular hospital to their itinerary.

Royal Marsden, a specialized cancer center, submitted data on patients requesting referrals, viewing information about private health care, and viewing pages about specific cancer types.

[Image caption: The sexual development disorders page on the Alder Hey Children’s Hospital website, which shared browsing details with Facebook via the Meta Pixel.]

The findings have alarmed privacy professionals, who said they showed widespread potential breaches of data protection and patient confidentiality that were wholly unacceptable.

Information sent to the company may include special category health data. This is specifically protected by law and is defined as information about an individual’s past, present, or future health conditions, including medical conditions, tests, treatments, and related data that reveal anything about someone’s health. Any use or sharing without explicit consent or another legal basis is illegal.

Once the data reaches Facebook’s servers, it is not possible to track accurately how it is used. The company says it prohibits organizations from sending sensitive health information and has filters to remove such data if it receives it in error.

Professor David Leslie, director of ethics at the Alan Turing Institute, said the transfer of data by the NHS to third parties risks undermining a delicate relationship of trust with patients. “Our reasonable expectation when visiting NHS websites is that our data will not be extracted and shared with third-party commercial entities [to use it] for targeted advertising and for linking a person’s identity to a health condition,” he said.

“This should have been stopped by regulators long ago,” said Wolfie Christl, a data privacy expert who has researched the ad tech industry. “It is irresponsible, even negligent, and must stop.”

He accused Meta of too little oversight of the information being sent. Meta does not allow certain types of data to be sent to it, but Meta says it does not dedicate enough resources to audit this, Christl said.

In most cases, the information sent to Facebook during the Observer’s testing was transferred automatically when the website loaded, without the user’s explicit consent and before they could choose to accept or decline cookies. Only 3 out of 20 trusts mentioned Facebook or Meta in their privacy policies. Some trusts had previously promised patients not to share their information or use it for marketing.
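An added example, not part of the original article: a static check a site owner could run on saved page HTML to see whether Meta Pixel code executes on page load instead of waiting for a consent manager. The sample pages, the placeholder pixel ID and the `data-category` attribute are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Meta Pixel markers: loader host, beacon endpoint, and the fbq() call.
PIXEL = re.compile(r"connect\.facebook\.net|facebook\.com/tr\b|\bfbq\s*\(")
EVENT = re.compile(r"fbq\s*\(\s*['\"]track['\"]\s*,\s*['\"](\w+)")
# <script> types a browser executes; any other type (e.g. text/plain) is
# inert until a consent manager rewrites it after opt-in.
RUNS = {"", "text/javascript", "application/javascript", "module"}

class PixelAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []   # (fires_on_load, tracked events or script src)
        self._attrs = None   # attributes of the <script> being read
        self._body = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._attrs, self._body = dict(attrs), []

    def handle_data(self, data):
        if self._attrs is not None:
            self._body.append(data)

    def handle_endtag(self, tag):
        if tag != "script" or self._attrs is None:
            return
        attrs, body, self._attrs = self._attrs, "".join(self._body), None
        src = attrs.get("src") or ""
        if PIXEL.search(src + " " + body):
            fires = (attrs.get("type") or "").strip().lower() in RUNS
            self.findings.append((fires, EVENT.findall(body) or src or "inline"))

def audit(html):
    parser = PixelAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

def fires_before_consent(html):
    return any(fires for fires, _ in audit(html))

# Constructed sample pages; the pixel ID is a placeholder and
# data-category is a hypothetical consent-manager attribute.
UNGATED = """<head><script async src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script>fbq('init', '000000000000000'); fbq('track', 'PageView');</script></head>"""
GATED = UNGATED.replace("<script", '<script type="text/plain" data-category="marketing"')

if __name__ == "__main__":
    print(audit(UNGATED), fires_before_consent(GATED))
```

This only inspects the HTML as served; a pixel injected at runtime by a tag manager has to be caught by recording the page's network requests before the cookie banner is answered.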

Together, the 20 NHS trusts found using the tracking tool serve a population of over 22 million people in the UK, stretching from Devon to the Pennines. Some have used it for years.

One of the trusts to use the tracking tool this weekend, the Buckinghamshire Healthcare NHS Trust, previously stated in its privacy policy that sensitive personal information about your health and care would never be used for marketing purposes without your explicit consent.

In a statement, the trust apologized to patients and said the Meta Pixel had been accidentally activated on its website. A spokesperson said it had been installed in connection with a recruitment campaign and that the trust was unaware that Meta was using this information for marketing purposes. “We have taken steps to remove it immediately.”

Alder Hey said it asked website visitors to allow cookies and that patient names and addresses are not shared. The tracking tool has been removed.

Royal Marsden said it regularly reviews its privacy policy, but declined to say if it plans to remove the pixel. Barts announced that the tracker would be removed from its website after it emerged that it was being used to extract personal information beyond its original purpose of measuring response to a job advertising campaign.

Several said they were unaware of how the data would be used and apologized to patients for not obtaining consent. Besides the 17 trusts that have removed or are removing the tool, Hertfordshire Partnership Trust and Royal Marsden said they were investigating the matter internally, with only Tavistock and Portman not responding to requests for comment.

The ICO took note of the findings and said it was looking into the matter. “People have the right to expect organizations to treat their information securely and to use it only for its stated purposes,” a spokesperson said.

The revelations about the NHS’ use of the Meta Pixel came after US regulators issued warnings about the use of tracking tools in the country. Last summer, tech website The Markup exposed their use on a healthcare provider’s website. In December, the Biden administration warned that using tracking pixels to collect patient data without consent could violate federal law.

Several major US hospitals are currently being sued by patients over their use of pixels, tiny pieces of code that are invisible during normal browsing.

Meta is also facing lawsuits alleging that it knowingly received sensitive medical information from pages within patient portals and did not take steps to stop it. Plaintiffs allege that Meta violated medical privacy by intercepting and monetizing personally identifiable health information from partner websites.

Jeffrey Koncius, a partner at the law firm of Kiesel in California and one of the lawyers who led the case, said data transfers by the NHS websites were similar to what is happening in the United States. “Imagine if the hospital sent a letter to Mark Zuckerberg saying, ‘We want you to know that Jeff Koncius is our patient.’ That is exactly what is happening here. It’s just happening electronically.”

Liberal Democrat health spokeswoman Daisy Cooper called the findings shocking and said they raised serious questions about the protection of patient information. “The NHS needs to investigate how this happened and how widespread the alleged data breach is,” she said.

NHS England said individual trusts have a responsibility to ensure compliance with data protection laws. “The NHS is investigating the matter and will take further action if necessary,” a spokeswoman said.

Meta said it had reached out to the trusts to remind them of its policy prohibiting organizations from sending health data. To prevent this from happening, the spokesperson said, the company is educating advertisers to properly configure their business tools. She added that it is the website owner’s responsibility to comply with data protection laws and ensure that consent is obtained before sending data.

The company did not answer questions about the effectiveness of the filters designed to remove potentially sensitive data or about what types of information it blocks from hospital websites. Nor did it say why NHS trusts were allowed to send data in the first place, despite the risk that details about a web user’s health may be revealed.

“As with any technology, our filters can’t always catch everything. But we’re constantly improving our systems to ensure we catch them as reliably as possible,” the spokesperson said.

The company provides advertisers with its own business tools, which it says will help them grow their business with health-based advertising. A guide says data collected through the company’s business tools can improve users’ Facebook experience by showing them ads that they are likely to be interested in: someone who visits travel websites may see advertisements offering hotel discounts.

Sam Smith of data privacy campaign group medConfidential said it would never be appropriate for tools to be used to collect health information. “It is of no interest to NHS trusts to provide this information to any outside party. It’s like getting a tobacco company to sponsor a cancer ward,” he said. “NHS England acquiesces in this, not enforcing anything better.”

