Breach alert: NHS trusts found to share private data with Facebook

17 of the 20 NHS trusts that were using the tracking tool confirmed they had pulled it and even issued apologies.
Loukia Papadopoulos
A tracking tool was installed on 20 NHS sites.

Pakin Jarerndee/iStock 

A new Observer report has discovered a covert tracking tool in the websites of 20 NHS trusts that allows them to share private patient data with Facebook without consent and despite promising never to do so.

This is according to a report by The Guardian published on Saturday.

The data recorded through Meta Pixel is matched to the user’s IP address and in many cases details of their Facebook account. After news of the breach broke this weekend, 17 of the 20 NHS trusts that were using Meta Pixel confirmed they had pulled the tracking tool and even issued apologies.

This has not stopped the Information Commissioner’s Office (ICO) from investigating and privacy experts from expressing sincere concerns.

The ICO said it had “noted the findings” and was considering the matter. “People have the right to expect that organizations will handle their information securely and that it will only be used for the purpose they are told,” a spokesperson said.

Meanwhile, Professor David Leslie, director of ethics at the Alan Turing Institute, told The Guardian the transfer of data to third parties by the NHS risked damaging the “delicate relationship of trust” with patients.

“Our reasonable expectation when we’re accessing an NHS website is that our data won’t be extracted and shared with third-party commercial entities that could [use it] for targeting ads or linking our personal identities to health conditions,” he said.

Sam Smith, at medConfidential, a data privacy campaign group, told The Guardian it was never appropriate for the tools to be used to collect health data. “There’s no benefit to NHS trusts in giving this information away. It’s like asking a tobacco company to sponsor a cancer ward,” he said. “NHS England is tacitly approving this by not enforcing anything better.”

But why were the trusts equipped with the Meta Pixel tool to begin with?

One of the trusts that pulled the tracking tool this weekend, Buckinghamshire Healthcare NHS, said the Meta Pixel had been active on its website in error. 

“It was installed in relation to a recruitment campaign, and we were not aware that Meta was using this information for marketing purposes,” a spokesperson said. “Immediate action has been taken to remove it.”

Meta is also facing legal action from plaintiffs who claim Meta violated their medical privacy by intercepting “individually identifiable health information” from its partner websites and “monetising.”

Wolfie Christl, a data privacy expert, told The Guardian that this breach should have been discovered far earlier. “This should have been stopped by regulators a long time ago. It is irresponsible, even negligent, and it must stop.”

“Meta says we don’t permit certain types of data being sent to us but they haven’t spent enough on resources to audit this,” Christl said.