How a news investigation shed light on potential patient privacy violations



Simon Fondrie-Teitler and Todd Feathers

There have been continuing repercussions from an investigative story published in June by the nonprofit news organization The Markup, in partnership with STAT, describing how Facebook receives sensitive medical information from hospital websites. In a new "How I Did It," Simon Fondrie-Teitler and Todd Feathers, two of the team members who worked on the investigation, spoke with AHCJ about how the story came about and what journalists can learn from the process.

More about the story

The journalists' investigation revealed that 33 of Newsweek's top 100 hospitals in the country used a tracking tool called Meta Pixel on their websites that collected patient information and sent it to Facebook when patients booked doctor's appointments. The pixel tool was also found inside the password-protected patient portals of seven health systems, where it was collecting details about patients' medical conditions, prescriptions and upcoming medical appointments.

The tool can be installed on websites to track user behavior; clicking on certain links automatically sends Facebook a packet of information tied to the computer's IP address, which can be linked to a specific person or household.

The story described how clicking the "Schedule Online Now" button for a doctor at Froedtert Hospital in Wisconsin, for example, prompted the pixel tool to send Facebook information linking the user to the doctor's name and the condition selected from a dropdown menu: "Alzheimer's."
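To make the mechanism concrete, here is an added example (not code from the article, The Markup or Meta) that decodes a constructed Meta Pixel request of the kind a "Schedule Online Now" click could produce and flags the fields that carry patient-identifying data. It assumes the pixel's documented transport, a request to https://www.facebook.com/tr/ with query parameters `id`, `ev`, `dl`, `rl` and `cd[...]` custom data; the pixel ID, hospital domain, doctor name and the custom-data key names in the sample are invented for illustration.

```javascript
"use strict";

// Added example, not from the article or The Markup. Decodes a Meta Pixel
// tracking request and reports which fields expose patient details.

// Hosts the pixel reports to; /tr is the pixel's documented image/XHR endpoint.
const PIXEL_HOSTS = new Set(["www.facebook.com", "facebook.com"]);

// Constructed sample (assumed field names, invented hospital and doctor) of
// what a scheduling-page button click can send. Decoded, it carries the page
// URL with the chosen provider and condition, plus cd[...] custom data.
const SAMPLE_PIXEL_REQUEST =
  "https://www.facebook.com/tr/?id=1234567890&ev=SubscribedButtonClick" +
  "&dl=https%3A%2F%2Fexample-hospital.test%2Fschedule%3Fprovider%3Djane-example%26condition%3Dalzheimers" +
  "&rl=https%3A%2F%2Fexample-hospital.test%2Ffind-a-doctor" +
  "&cd%5BbuttonText%5D=Schedule%20Online%20Now" +
  "&cd%5BpageTitle%5D=Dr.%20Jane%20Example%20-%20Neurology" +
  "&cd%5BformFields%5D=%7B%22condition%22%3A%22Alzheimer%27s%22%7D";

// True when the URL is a pixel beacon (facebook.com/tr), false otherwise.
function isPixelRequest(rawUrl) {
  let u;
  try { u = new URL(rawUrl); } catch { return false; }
  return PIXEL_HOSTS.has(u.hostname) && u.pathname.replace(/\/+$/, "") === "/tr";
}

// Splits a pixel request into its named parts. cd[key]=value pairs are the
// custom data the page's script attached to the event.
function parsePixelRequest(rawUrl) {
  if (!isPixelRequest(rawUrl)) return null;
  const params = new URL(rawUrl).searchParams;
  const customData = {};
  for (const [key, value] of params) {
    const m = /^cd\[(.+)\]$/.exec(key);
    if (m) customData[m[1]] = value;
  }
  return {
    pixelId: params.get("id"),
    event: params.get("ev"),
    pageUrl: params.get("dl"),
    referrer: params.get("rl"),
    customData,
  };
}

// Heuristics for fields a hospital would not want a third party to see.
// First matching pattern wins, so order them from most to least specific.
const SENSITIVE_PATTERNS = [
  { reason: "clinician name", re: /\bDr\.?\s+[A-Z]|provider|physician|doctor/i },
  { reason: "medical condition keyword", re: /condition|diagnos|prescri|alzheimer|cancer|hiv/i },
  { reason: "appointment detail", re: /appointment|schedule|\b\d{4}-\d{2}-\d{2}\b/i },
  { reason: "contact detail", re: /@|\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b/ },
];

// Returns [{ field, value, reason }] for every leaked value found in the
// page URL's query string and in the cd[...] custom data.
function findSensitiveFields(parsed) {
  const findings = [];
  const check = (field, value) => {
    for (const { reason, re } of SENSITIVE_PATTERNS) {
      if (re.test(value)) { findings.push({ field, value, reason }); break; }
    }
  };
  // The query string of the page the pixel fired on often carries the
  // selected doctor or condition straight out of the scheduling form.
  if (parsed.pageUrl) {
    try {
      for (const [k, v] of new URL(parsed.pageUrl).searchParams) check(`dl?${k}`, `${k}=${v}`);
    } catch { /* dl was not an absolute URL; nothing to inspect */ }
  }
  for (const [k, v] of Object.entries(parsed.customData)) check(`cd[${k}]`, v);
  return findings;
}

// Stand-alone run: print the decoded request and what it leaks.
const parsedSample = parsePixelRequest(SAMPLE_PIXEL_REQUEST);
console.log(JSON.stringify(parsedSample, null, 2));
for (const f of findSensitiveFields(parsedSample)) {
  console.log(`LEAK ${f.field}: ${f.value} (${f.reason})`);
}
```

To inspect a real site, copy a request to facebook.com/tr from the browser's network panel in place of SAMPLE_PIXEL_REQUEST; on a scheduling page the revealing parts are usually the `cd[...]` custom data (button text, page title, form fields) and the query string carried in `dl`, which is exactly where the doctor's name and the selected condition end up.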

It's unclear whether Facebook or any other third party did anything improper with the data received, but several hospitals, including UCLA Reagan Medical Center, Houston Methodist Hospital and Duke Health, removed the tracking tool from their appointment scheduling pages after being contacted by The Markup.

The pixel tool also appears to have been removed from at least six of the seven patient portals, Fondrie-Teitler said.

But the fallout continues. Lawsuits have been filed against UCSF Medical Center and Dignity Health in San Francisco, along with Meta Platforms; against MedStar Health System in Baltimore; and against Northwestern Memorial Hospital in Chicago, along with Meta, Facebook and Instagram. They were brought by plaintiffs upset that their private information was shared without their consent.

Novant Health in North Carolina said on August 12 that it had sent letters to 1.3 million patients who may have been affected by the pixel misconfiguration, Becker's Health IT reported. The health system said the tracking tool was intended to help measure the success of a promotional campaign, which involved Facebook advertisements, to connect more patients to its MyChart patient portal. But it was configured improperly, which allowed Meta to obtain patient information such as email addresses, phone numbers, computer IP addresses, contact information and appointment details.

This story is one of several in The Markup's Pixel Hunt series. Further investigations of the pixel tool have focused on how Facebook and anti-abortion clinics are collecting information on would-be patients, how the Nemours Children's Health network was providing personal information about children and their parents to Facebook, and how the online abortion pill provider Hey Jane used tracking tools that sent visitor data to Meta, Google and others.

The background

Two years ago, Markup senior data engineer Surya Mattu built a real-time web privacy inspector called Blacklight that could identify which websites contained the Meta Pixel, Markup founder Julia Angwin wrote in a recent blog post. Using Blacklight, Mattu found the pixel was present on 30% of the top 100,000 websites. The Markup then began collaborating with Mozilla, maker of the Firefox web browser, to try to learn more.

Mozilla has a project called Rally that lets users contribute their data to public interest research projects. In January, The Markup and Mozilla launched a crowdsourced study of where the pixel is present and what data it collects. Through the project, called Facebook Pixel Hunt, thousands of Firefox users volunteered to install software that logged their interactions with Facebook's pixel. Reviewing that data is what led to several investigative stories.

Fondrie-Teitler, an infrastructure engineer, was going through a list of the different domains that were sending data such as ZIP code, first name, last name and phone number to Facebook. He noticed one from MyChart, an online portal for scheduling medical appointments, checking test results and the like, sold by the electronic health record vendor Epic. "I was like, well, that seems bad," he said. "Then, pretty quickly after that, I found a few other MyChart instances that were doing this. I had used MyChart in the past, so I knew what it was. And I had done HIPAA compliance work in the past, so I was thinking, 'This seems to be a problem.'"

HIPAA is the federal Health Insurance Portability and Accountability Act, a law that prohibits hospitals and others from sharing personally identifiable health information with third parties except under a contract or with that person's permission.

Here is part of AHCJ's interview with Fondrie-Teitler and Feathers. Responses have been lightly edited for brevity and clarity.

How did the pixel tool get installed on hospital websites?

Feathers: I don't feel like we have the level of clarity I would still like on it. We asked every hospital that we included in the story about how this happened. Just a few responded. Novant Health said that they had a third party, like a vendor handling their marketing campaign, install it, and they released a statement. A couple of other hospitals said that they had vetted it and installed it themselves.

One distinction that's important to note is that Facebook is not putting this unilaterally on hospital websites. Somebody at a hospital, or working for a hospital, is doing this.

Fondrie-Teitler: We also don't have any indication, in terms of the MyChart ones, that Epic, the maker of MyChart, is adding it there. From what we've seen, it's been hospitals adding it.

How did you choose which hospitals to focus on?

Feathers: We chose those 100 hospitals just to have some kind of metric to show how widespread this was, but it's obviously not perfect. We had a fairly strict criterion. When you were booking an appointment, the website had to send Facebook identifying information about the doctor, and it had to be when you clicked a specific button that said something like 'Book an appointment' or 'Schedule online.' There were a lot more hospitals where pixels were present collecting all the information about the doctor pages you visit, but because you had to call to schedule an appointment at those hospitals, we didn't include them.

Who did you contact at those hospitals? Executives? Public relations staff?

Feathers: Before we started to document our evidence, I reached out to a doctor at a hospital in Chicago to say, "Hey, I booked an appointment with you through the website. Here's all the information that's sent to Facebook. Do you want to talk about this?" Within a few days of reaching that doctor, the pixel was gone from that website. So, after that, we were very careful. We documented everything. Then we reached out to the PR folks. We also had a few conversations with people who had been regulators and who had also worked with hospitals in the kinds of executive positions that would handle this.

How did you find volunteers to share their data?

Fondrie-Teitler: The Rally project had a website where you could go and install the browser extension, where users could sign up and contribute data. Mozilla was sending some people there. When we announced this partnership with Mozilla, we put out an article that said here's how you can go sign up for this. Some of the signups were driven through that, and then we promoted it on social media and the like.

What were you most surprised by in reporting this story?

Fondrie-Teitler: I'd say that [the tool] was there at all. I was definitely not expecting it to be active inside those patient portals, sending details like the date and time of an appointment with a doctor that a patient was meeting with, or the health surveys that patients were taking.

Feathers: I'm not a technical person, so I couldn't have done this without Simon's know-how. But for somebody with that know-how, this is just out there in the open. Facebook doesn't hide this. It took work for us to do [the investigation], but it wasn't like we had to get some source inside to leak us this information. That speaks to the bigger concern, which is that this tool is so ubiquitous, yet people know so little about how it works. You can end up in these places where nobody knows what data is being collected.

Do you have advice for people trying to protect their privacy?

Fondrie-Teitler: There are privacy extensions you can download that will block requests to Facebook and other sites, so installing one of those is potentially a good option. But I do think that it's very hard at an individual level, especially for somebody who's not technical, to figure out how to do this.

Do you have thoughts on what's going to happen with the pending lawsuits?

Feathers: No, but I'm very [interested] to see, because prior to our story being filed there had been a few lawsuits related to this, not only about the pixel but about Facebook ad tracking on hospital websites, that had gotten mixed results. As somebody who has a personal investment in this story, I'm really [interested] to see how the current law is applied to these situations given our findings, because attorneys are telling us that they think current laws are fine, they just need to be enforced. Other people tell us they want more federal privacy [law].

Fondrie-Teitler: The lawsuits are largely under state law, in which I have no expertise.

What advice do you have for journalists looking to pursue similar stories?

Feathers: Any basic course or one-on-one instruction on how apps and websites work, I'd recommend to any journalist at this point. The tool that we used to do the tests is something you can open in a web browser. I had never really worked with it before this story, but now that I have, it's very easy to do. Get yourself familiar with basic open source tools.

Fondrie-Teitler: If you have people in your newsroom or organization with expertise in these kinds of areas whom you can work with more collaboratively and cooperatively, I think that's really helpful.
