Facebook: leak of confidential user health data

Meta Pixel, an opportunistic tracker

According to an investigation by the Observer, picked up by The Guardian, 20 NHS establishments have enabled Facebook to collect confidential data on thousands of patients. The problem: none of the hospitals concerned knowingly contributed to this leak. All the establishments involved used Meta Pixel, an advertising tool that is installed on a website to optimize marketing campaigns.

Except that, once set up, this Pixel tracks and analyzes the behavior of each visitor with a method that leaves little room for anonymity. Everything is recorded: pages visited, buttons clicked, keywords searched. Each element is logged and then linked to the visitor’s IP address. Worse still, Meta’s algorithms link this data to the user’s Facebook account.
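As an added example (not from the article, the Observer or Meta), here is a minimal audit a site owner could run over saved HTML to find which pages embed the pixel and which events they declare. It assumes the standard pixel snippet, whose markers are the `connect.facebook.net` loader, `fbq()` calls and the `www.facebook.com/tr` beacon; the page paths and pixel id are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

LOADER_HOST = "connect.facebook.net"   # host that serves fbevents.js
BEACON = ("www.facebook.com", "/tr")   # event beacon endpoint
FBQ_CALL = re.compile(r"""fbq\(\s*['"](init|track|trackCustom)['"]\s*,\s*['"]([^'"]+)['"]""")

class PixelAudit(HTMLParser):
    """Collect evidence of Meta Pixel in one HTML document."""
    def __init__(self):
        super().__init__()
        self.in_script, self.loader = False, False
        self.pixel_ids, self.events = set(), set()

    def handle_starttag(self, tag, attrs):
        url = urlparse(dict(attrs).get("src") or "")
        if tag == "script":
            self.in_script = True
            self.loader |= url.hostname == LOADER_HOST
        elif tag == "img" and (url.hostname, url.path) == BEACON:
            # <noscript> fallback: pixel id and event ride in the query string
            query = parse_qs(url.query)
            self.pixel_ids.update(query.get("id", []))
            self.events.update(query.get("ev", []))
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:  # inline script body
            self.loader |= LOADER_HOST in data
            for kind, value in FBQ_CALL.findall(data):
                (self.pixel_ids if kind == "init" else self.events).add(value)

def audit_site(pages):
    """pages: {path: html}. Returns {path: finding} for pages carrying the pixel."""
    findings = {}
    for path, html in pages.items():
        audit = PixelAudit()
        audit.feed(html)
        if audit.loader or audit.pixel_ids:
            findings[path] = {"ids": sorted(audit.pixel_ids), "events": sorted(audit.events)}
    return findings

# Constructed sample pages: placeholder pixel id, hypothetical paths.
PIXEL = """<script>!function(f,b,e,v){/* loader stub */}(window,document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000000'); fbq('track', 'PageView');</script><noscript><img height="1"
src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView&amp;noscript=1"/></noscript>"""
SAMPLE = {"/conditions/example-clinic": "<html><head>" + PIXEL + "</head><body>Clinic</body></html>",
          "/contact": "<html><body><script>console.log('no tracker')</script></body></html>"}
```

Calling `audit_site(SAMPLE)` reports only the first page. A static scan like this misses pixels injected at runtime by a tag manager, so a clean result is not proof of absence.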

Sensitive data recovered by Meta

In other words, for Facebook, the data from these NHS websites is in no way anonymous. On the contrary, the user is identified, which undoubtedly allows Meta to enrich its database for data mining and optimized advertising targeting.

Among the information collected, the Observer’s investigation identifies elements that make it possible to assemble a genuine medical file on the people concerned. It reveals, for example, that patients researching HIV treatments were tracked and linked to their Facebook accounts by Meta’s algorithm.

Not a first for Facebook

Who could have foreseen such a breach of private data? Lots of people, but evidently not the NHS. Yet Meta is known for its very (very) low respect for the privacy of its users. From the United States to Europe, the group has been sanctioned on numerous occasions for failing to implement effective measures against data leaks and to anonymize the information it gathers.

However, the NHS is not innocent in this story either. In the United Kingdom, the sharing and sale of personal health data has been commonplace for a decade, and the NHS reportedly shared detailed patient information with major pharmaceutical companies two years ago.

Meanwhile, in Europe, the privacy framework continues to protect the continent’s citizens fairly solidly. While some loopholes remain, overall the GDPR has forced a number of platforms over the past few years to adopt strict rules. The United Kingdom, for its part, seems to be struggling to make its ersatz regulation, the UK-GDPR, work.