Atrium Health and Novant Health Inc. are among 33 major healthcare systems nationwide where certain patient information was tracked and made available to Facebook, according to a report released Thursday by The Markup.

The Markup is a nonprofit investigative media outlet that specializes in mining technology data for its reports.

The Markup began its report by saying that "a tracking tool installed on many hospitals’ websites has been collecting patients’ sensitive health information — including details about their medical conditions, prescriptions and doctor’s appointments — and sending it to Facebook."

The group said the tracking tool, known as Meta Pixel, was found on the websites of 33 of the nation's 100 largest healthcare systems.

The tracker sends Facebook "a packet of data whenever a person clicked a button to schedule a doctor’s appointment." The data is connected to an IP address, "creating an intimate receipt of the appointment request for Facebook," the group said.

The report didn’t go into detail about Atrium’s use of the tracker, but it did provide an example of the use at Novant: Novant was among seven systems using Pixel in their patients’ password-protected portals, the report said.

Ashton Miller, Novant's director of media relations, said Thursday that the entire Novant system was affected by the tracking tool.

Miller said Novant removed the tracker after being contacted by The Markup, which the group confirmed in its report.

The only mention of Atrium in the report is confirmation of its use of the tracker, which still was active when the report was published. Although Atrium owns and operates Wake Forest Baptist Medical Center, only its Charlotte flagship Carolinas Medical Center was mentioned.

Atrium said in a statement Thursday that "because privacy is critically important to us, we have stringent, effective safeguards in place in our digital environment. We will continue to monitor and validate the tools we use to best serve our communities."

The Charlotte Observer reported that Atrium's scheduling page was sending data to Facebook as of Thursday morning. It asked patients to input the condition they’re seeking care for, their age and their location.

Other N.C. healthcare systems listed by the group as providing information to Facebook were Duke University Hospital and WakeMed.

The group said WakeMed removed the tracker after being contacted and before the report was released. Duke University told the group Thursday it has removed the tracker since the publication of the report.

The Charlotte Observer reported that Atrium, Duke University, Novant and WakeMed recorded more than 4 million admissions and outpatient appointments in 2020, according to data from the American Hospital Association.

Researchers determined that UNC Rex and UNC Hospitals did not participate, while Cone Health was not included in the review of the top-100 U.S. hospitals.

"The data sharing likely affects many more patients and institutions than (the 100) we identified," the group said.

Novant involvement

Novant was featured in a section of the group's report. The Markup said it created a MyChart account to determine the breadth of the tracker.

"We found the Meta Pixel collecting a variety of other sensitive (patient) information."

"Clicking on one button prompted the pixel to tell Facebook the name and dosage of a medication in our health record, as well as any notes we had entered about the prescription. The pixel also told Facebook which button we clicked in response to a question about sexual orientation."

Miller said the tracker was implemented by a third-party vendor in 2020.

Miller sent The Markup a statement that included "we appreciate you reaching out to us and sharing this information. Our Meta pixel placement is guided by a third-party vendor, and it has been removed while we continue to look into this matter."

In Miller's statement Thursday, she said the vendor was hired "to help us develop and implement a campaign designed to encourage individuals to sign up for MyChart."

"The goal of this endeavor was to get more people to take advantage of virtual care opportunities, especially since COVID was having a significant impact on how people preferred to receive care, as well as on our resources to provide in-person care.

"We used tracking pixels to determine how many people signed up for MyChart, not what they did after they signed in."

Miller said that Novant "takes privacy and the care of patient information very seriously ... and we value the trust our patients place in us to keep their medical information private."

How it works

The Markup said Meta Pixel "is a snippet of code that tracks users as they navigate through a website, logging which pages they visit, which buttons they click, and certain information they enter into forms."

In exchange for installing its pixel, Meta provides website owners analytics about the ads they’ve placed on Facebook and Instagram and tools to target people who’ve visited their website.

The group said it is one of the most prolific tracking tools on the internet, present on more than 30% of the most popular sites.

Facebook’s parent company, Meta, did not respond to questions from the group.

Spokesman Dale Hogan sent a brief email to The Markup paraphrasing the company’s sensitive health data policy.

“If Meta’s signals filtering systems detect that a business is sending potentially sensitive health data from their app or website through their use of Meta Business Tools, which in some cases can happen in error, that potentially sensitive data will be removed before it can be stored in our ads systems,” Hogan wrote.

According to the group, the federal Health Insurance Portability and Accountability Act lists IP addresses as one of the 18 identifiers that, when linked to information about a person’s health conditions, care, or payment, can qualify the data as protected health information.

"Unlike anonymized or aggregate health data, hospitals can’t share protected health information with third parties except under the strict terms of business associate agreements that restrict how the data can be used," according to the report.

The group said that former regulators, health data security experts and privacy advocates who reviewed The Markup’s findings said the hospitals in question may have violated HIPAA.

"The law prohibits covered entities like hospitals from sharing personally identifiable health information with third parties like Facebook, except when an individual has expressly consented in advance or under certain contracts," according to the report.

"Neither the hospitals nor Meta said they had such contracts in place, and The Markup found no evidence that the hospitals or Meta were otherwise obtaining patients’ express consent."

The group said Facebook itself is not subject to HIPAA, but the experts interviewed for the report "expressed concerns about how the advertising giant might use the personal health data it’s collecting for its own profit."

The Markup was unable to determine whether Facebook used the data to target advertisements, train its recommendation algorithms, or profit in other ways.

