Thursday, June 30, 2022

Facebook Faces Lawsuit Over "Under the Radar" Transfer of PHI

 Meta, the parent company of social media behemoth Facebook is in *big* trouble legally.  As most Americans know, electronic health data must be protected and stored securely.  It is considered "Protected Health Information" (PHI) by the Department of Health and Human services (HHS) and is protected by federal HIPAA laws.  There are specific legal parameters that must be followed to protect this information.  The golden rule of this is that a medical entity must only share this information with entities that are involved with care, such as specialists, or with third party payers such as insurance companies.  However, even when sharing the info must be encrypted so that it can only be seen by the recipient.

Somehow or other, Meta seemed to be unaware of this requirements.  Earlier this month, a lawsuit was filed when it was discovered that many hospitals use a software component from Meta that is called Pixel in the hospitals' online scheduling pages.

According to Bloomberg:

The plaintiff, who wasn’t identified, described himself in the complaint as a patient who has used a Baltimore health system’s portal to review his lab results, make appointments, and communicate with his providers. 

Bloomberg also discovered:

On Thursday, The Markup, a non-profit news organization, published an investigation that found that 33 of Newsweek’s top 100 hospitals use Pixel on their appointment scheduling pages, which the report alleged may violate federal health information privacy laws. Several of the identified hospitals have since removed Pixel, according to the report.

Basically the code from Pixel was taking PHI from patients and sending it to Facebook servers.  It was sent unencrypted and without the knowledge of the patients or the hospitals using Pixel.

This is scary.  At the very least this was a huge oversight by Meta/Facebook.  At the worst it was an intentional violation of federal HIPAA laws and an inexcusable violation of users' rights.

I'm going to follow this one closely.  If you would like the full lowdown on the entire situation, I highly recommend reading the full article on Bloomberg.  It is a short read and well worth the effort.

No comments:

Post a Comment