Covert tracking tool on trust webpages passed on medical information to US tech giant in 'unacceptable' privacy breach
- The Meta Pixel tracking tool was being used by the webpages of 20 NHS trusts
- Details shared included information about medical conditions and treatments
NHS trusts have been sharing the private medical information of patients with Facebook via a covert tracking tool on their websites, a probe has found.
The tracking tool was being used by the webpages of 20 NHS trusts to collect browsing information before sharing it with tech giant Meta, Facebook's parent company.
The major privacy breach, uncovered by The Observer, included intimate details about patients' medical conditions, appointments and treatments.
Data obtained by the Meta Pixel tool could then be used by the social media giant for business purposes, including targeted advertising.
The probe found that 17 of the 20 NHS trusts using the tool, which serve more than 22 million patients in England, had pulled the tracker from their websites over the weekend.
Many of the trusts said they had installed the tracking pixels to monitor recruitment or charity campaigns and were not aware that they were sending patient data to Facebook.
But information was collected from patients who visited NHS webpages about self-harm, sexual health and cancer.
One of the trusts, the Buckinghamshire Healthcare NHS group, previously said in its privacy policy that 'confidential personal information about your health and care... would never be used for marketing purposes without your explicit consent'.
In one case, it was revealed that the trust shared when a patient had viewed a handbook for HIV medication, before sending the name of the drug, the user's IP address and details of their Facebook page to Meta.
In a statement to the Observer, the trust apologised to patients and said Meta Pixel had been 'installed in relation to a recruitment campaign, and we were not aware that Meta was using this information for marketing purposes'.
A spokesperson added: 'Immediate action has been taken to remove it.'
The Tavistock and Portman NHS foundation also shared data with Meta when patients visited webpages for its controversial gender identity service.
A further seven NHS trusts have made apologies to their patients.
But privacy experts have slammed the data breach as 'completely unacceptable'.
Wolfie Christl, who has previously investigated the ad tech industry over data privacy, said: 'This should have been stopped by regulators a long time ago. It is irresponsible, even negligent, and it must stop.'
The Information Commissioner's Office and NHS England have confirmed they are investigating the privacy breach.
A spokesperson for the Buckinghamshire Healthcare NHS Trust said: 'The Trust can only apologise that Meta Pixel has been active on our website without the privacy notice being updated to reflect this.
'It was installed in relation to a recruitment campaign, and we were not aware that Meta was using this information for marketing purposes. Immediate action has been taken to remove the Meta Pixel from our website.'
A spokesperson from The Royal Marsden NHS Foundation Trust added: 'Meta pixels are installed across our website to promote certain services and improve patient experience.
'All data regarding visitor activity is anonymised and does not include any patient information or any other personally identifiable information.
'Visitors to our website are asked whether they consent to the use of cookies via a pop-up information box. We regularly review our privacy and cookie policies.'
It comes after Meta was fined 1.2 billion euro (£1 billion) and ordered to stop transferring user data from European users to its US servers earlier this month.
The record fine was levied by Ireland's Data Protection Commission (DPC) after a three-year probe into the social media giant.
The DPC said Meta had breached part of the European GDPR (General Data Protection Regulation) rules in the way it had moved data of Facebook users across borders.
It ordered Meta Ireland to 'suspend any future transfer of personal data to the US within the period of five months' and levied the record fine on the business 'to sanction the infringement that was found to have occurred'.
In response, Meta called the fine 'unjustified'.
dailymail.co.uk