TTA’s Realignment Autumn 4: VillageMD-Summit?, another Meta Pixel suit, Data Saves Lives, JPM’s health VC forms, partnerships, M&A, more!

 

Weekly Alert

This week, a mix of good and not-so-good news. Nearing year’s end, a flurry of fundings and promising partnerships. Walgreens’ VillageMD looking at a huge provider merger. JPM puts its venture money down on healthcare. UK GPs struggle with Data Saves Lives, as do health systems with lawsuits about Meta Pixel. And sadly, digital health layoffs continue at Kry/Livi and Brightline.

News roundup: WakeMed sued on Meta Pixel; Hint Health buys AeroDPC; Neurotrack’s $10M raise, 3 min. cognitive tool intro; layoffs dim Kry, Brightline (Good and bad news)
News roundup UK, AU, NZ: BMA England’s concerns on digital medical records; Australia and NZ’s health connectivity initiatives advance (Data Saves Lives agita)
J.P. Morgan forms life sciences/healthcare VC group; virtual care Ovatient formed by MUSC Health, MetroHealth; Oracle’s putting lots of KC office space on market (JPM sees opportunity, one new partnership, and office space to let!)
A spooky ‘good news’ roundup: AtlantiCare rolling out Orbita AI, Health Wildcatters Pitch Day, RapidSOS, HealthJoy fundings and more (Good News. Boo!)
VillageMD considering $5-$10B merger with Summit Health provider group: reports (A BIG provider consolidation, if it happens)

‘Fixing the holes’ this week. Global digital health funding is in a hole even deeper than the US. Telehealth a wobbly panacea, whether for discharged urban patients or care for the disabled. The pothole of layoffs hit Cerebral plus Israeli and German companies. Oracle’s Cerner acquisition requires more funding rearrangement, while VA deployment further delayed. Theranos tries the ‘mental’ defense as it digs out of that hole. But some light for Teladoc in narrowing its quarterly loss, and for smartwatches in accelerating adoption.

Is there a way out of the digital health funding black hole? Can it rebound to…2020? (So much depends on the next few months)
Telehealth-only follow up increased repeat ED visits by 2.8%, return admissions by 1.1%: JAMA Network study (Puts a hole in the savings points)
Smartwatches lead wearables, adoption now at 29%: Parks Associates study (Slow but sure development)
Pre-weekend short takes: Teladoc posts much smaller Q3 loss, 17% revenue boost; is telehealth threatening disability care quality; $2.8M for Australian wearables; more healthtech layoffs at Antidote, OrCam, Ada Health
Oracle talks to banks to increase loans funding Cerner buy; VA delays Cerner deployments to June 2023 (Oracle’s hornet’s nest?)
News updates: Theranos’ Holmes goes ‘mental’ in last ditch defense; troubled Cerebral telemental health fires another 400 (Theranos defense shows desperation, can Cerebral be saved?)

Perhaps it’s because the investment froth is off and it’s downscaling time, but the industry’s current and future status is a bit ‘Back to the Future’. A version that’s muted yet fractious, like the Conservative Party….

Meta Pixel is now considered a PHI breach that’s all Meta’s fault. Both Theranos trials move towards sentencing, despite defenses pulling ever-scrawnier rabbits out of hats. Back to antitrust action with CVS-Signify, while CVS apparently walks away from an expected deal with Cano Health. What’s moving forward? Smaller fundings, partnerships, and reorgs in a world resembling…2017 or 2018?

Meta Pixel ad tracker collects another 3 million data breaches at Advocate Aurora Health; Zuckerberg getting Senate scrutiny (Not going away despite denials and Zuckerbucks)
Breaking: CVS’ Signify Health buy under DOJ scrutiny in ‘second request’ (DOJ and FTC crave an antitrust win)
News roundup: CVS abandons (?) Cano Health buy; Signify adds home RPM; BioIntelliSense RPM acquires AlertWatch; GE Healthcare, AMC Health partner; Viome raises $67M, other fundings
Rosendorff stands pat on Theranos’ Elizabeth Holmes: “She needs to pay her debt to society” (He’s right–and now he needs a job and a relo)

There’s no escaping realignments in health tech. CVS sells an inherited business from Aetna. Babylon Health exits the practice business, financially maneuvers to avoid NYSE delisting. Layoffs continue to hit the formerly hot companies in health tech. Theranos’ Holmes and Balwani try to avoid the inevitable sentencing. And we have a Perspectives contribution from Avaya on NHS England’s ICS. 

Theranos’ Holmes sentencing now 18 November, defense wants to expand hearing scope; Balwani can’t join in
News roundup: CVS sells bswift; Babylon puts Meritage IPA up for sale, financially realigning to prevent delisting; Redesign Health sheds 20%, Noom 10%
Perspectives: How joined-up communications can enable connected patient care across healthcare Trusts

Digital health funding jumps off cliff, but UHG and Change a done deal and Theranos’ Holmes gets a new hearing.

Q3 digital health funding craters nearly 50% to $2.2B: Rock Health (2021 was, as it turns out, not the future)
Catchup News Roundup: UHG-Change buy final; Theranos’ Holmes sentencing delayed, ‘limited hearing’ agreed to (A hearing right out of Perry Mason)

Winding up Summer with UHG finally receiving an OK from District Court to complete Change Healthcare buy–unless DOJ pursues appeal. Oracle set to Oracleize Cerner but VA hedges Cerner training with AWS. The Meta Pixel/health data privacy story continues, catching attention from the Senate. Some fundings and buys large and small.

Meta facing some Senate scrutiny on Meta Pixel’s health data collection–and how it’s used (Bad, bad Facebook)
Weekend reading: HHS Office of Information Security presentation on security risks in AI, 5G, nanomedicine, more (Warning, 34 page presentation)
ATA organizes Telehealth Awareness Week this week (And beyond)
Breaking: Judge permits UnitedHealth acquisition of Change Healthcare, denies DOJ motion (updated) (But beware DOJ taking it to appeal)
News roundup: Oracle’s modernizing Cerner’s tech, but VA hedges training with AWS; Redesign Health’s $65M raise; Kyruus buys Epion Health; Zócalo Health raises $5M seed; Cigna Evernorth adds to digital formulary

Have a job to fill? Seeking a position? See jobs listed with our new job search partner Jooble in the right sidebar!

 


Read Telehealth and Telecare Aware: https://telecareaware.com/  @telecareaware

Follow our pages on LinkedIn and on Facebook

We thank our present and past advertisers and supporters: Legrand/Tynetec, Eldercare, UK Telehealthcare, NYeC, PCHAlliance, ATA, The King’s Fund, DHACA, HIMSS, Health 2.0 NYC, MedStartr, Parks Associates, and HealthIMPACT.

Reach international leaders in health tech by advertising your company or event/conference in TTA–contact Donna for more information on how we help and who we reach. 


Telehealth & Telecare Aware: covering the news on latest developments in telecare, telehealth, telemedicine, and health tech, worldwide–thoughtfully and from the view of fellow professionals

Thanks for asking for update emails. Please tell your colleagues about this news service and, if you have relevant information to share with the rest of the world, please let me know.

Donna Cusano, Editor In Chief
donna.cusano@telecareaware.com

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

News roundup: WakeMed sued on Meta Pixel; Hint Health buys AeroDPC; Neurotrack’s $10M raise, 3 min. cognitive tool intro; layoffs dim Kry, Brightline

WakeMed has been caught up in the litigation surrounding Meta Pixel. The Raleigh, North Carolina area health system installed it on their MyChart patient portal and website, where it was in place for over four years sending information back to Facebook, violating patient privacy and open to unauthorized misuse. The class action lawsuit filed in NC states that it was installed in March 2018 and not removed until June 2022. PHI cited includes names and contact details; computer IP addresses; emergency contact information; check-in information, such as allergies and medications; appointment details; and, in some cases, Social Security numbers or financial information. Matthiae v. WakeMed Health and Hospitals (ClassAction.org), Becker’s.  TTA’s Meta Pixel articles

Two more acquisitions and fundings announced this week:

  • Hint Health is acquiring AeroDPC, an EHR and practice management software for direct primary care clinics. Purchase price was not disclosed. AeroDPC will operate as a subsidiary of Hint, with cofounder Dr. Brad Brown joining the combined company as medical director. Hint is a platform with a subscription-based payment model for primary care providers that bypasses health plans. It sets them up with enrollment, member management, billing, and administration.  Mobihealthnews   In June, Hint raised $45 million in a funding round led by Banneker Partners and Frist Cressey Ventures. Crunchbase, Mobihealthnews
  • Neurotrack, a startup focusing on developing digital cognitive tools, raised $10 million in new funding, adding to its 2019 $21 million Series C. Putting the raise to work right away, yesterday (1 Nov) it launched a three-minute digital assessment tool to screen for cognitive decline and impairment during the typical 40-minute wellness appointment. CMS guidelines require a cognitive assessment as part of the annual wellness visit (AWV) for Medicare beneficiaries enrolled in Part B or Medicare Advantage, yet only about 25% actually receive one. Release, Mobihealthnews

Unfortunately, the layoffs do continue. From Layoffs.fyi, which tracks them by industry:

  • Kry, known in the UK, US, and France as Livi, is having its second layoff of the year with 10% (about 300) of its workforce pinkslipped. Back in June, they released 100 employees [TTA 30 July]. While Dagens Nyheter reports that Kry is already profitable in Sweden, overall profitability is elusive. The goal is to achieve it in 18-24 months.
  • On Friday, pediatric virtual behavioral health startup Brightline laid off 20% of their workforce, citing realignment of strategic priorities. A number was not estimated. Brightline raised $115 million between March and July this year from 7Wire and Northwell Health, for a total of $212 million (Crunchbase) and, at that time, a valuation of $705 million. [TTA 1 April]. Brightline provides digital tools, coaches, live therapy sessions, psychiatric services, and medication support for children, teens, and families. Behavioral Health Business

TTA’s Realignment Autumn 2: back to 2017 or 2018 with Theranos, Meta Pixel’s breaches, antitrust on CVS-Signify, downscaled deals and partnerships

 

 

Weekly Alert

Perhaps it’s because the investment froth is off and it’s downscaling time, but the industry’s current and future status is a bit ‘Back to the Future’. A version that’s muted yet fractious, like the Conservative Party (and a possible retreaded PM?)

Back from Two Weeks in Another Town (except for a few extra days), the August-September ‘quiet time’ certainly was not. CVS’ big win in Signify’s auction was on Labor Day. Change may or may not be joining UHG/Optum after October. FTC doesn’t much like Amazon’s acquisitions, including One Medical. And Elizabeth Holmes’ legal team was busily filing–and delaying the (maybe) inevitable, including a declaration straight out of Perry Mason. The passing of a Queen and crowning of a King.

Elizabeth Holmes’ three swings and a miss in overturning her trial verdict reveal a crafty strategy (She’ll be in court long after Sunny Balwani toddles off to prison)
News briefs, catchup edition: UnitedHealth/Change decision October?, CVS wins $8B Signify Health auction, Walgreens majority buy of CareCentrix, FTC requests more info on Amazon-One Medical (Home care wars and a long-awaited decision)
Perspectives: Creating consistent standards isn’t a once and done job (The safety of digital treatment tools)
On the passing of HM Queen Elizabeth II

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

Meta Pixel ad tracker collects another 3 million data breaches at Advocate Aurora Health; Zuckerberg getting Senate scrutiny

The Pixel ad tracker continues to be a Big Problem for Meta and Facebook. Advocate Aurora Health, a large health system in Illinois and Wisconsin, this week informed 3 million patients of a potential data breach connected to the use of Meta Pixel. The Meta Pixel snippets of JavaScript code were used within their Epic MyChart and LiveWell websites and applications, as well as on some of their schedulers.

As we have previously noted (below), ad trackers like the Meta Pixel are used to target website visitors and also to track ads placed on Facebook and Instagram. Developers routinely permit these snippets of code as trackers for better performance and website tracking, but the problem here is that sensitive patient information (PHI) is being sent back to Facebook where it violates patient privacy and can be misused.

Advocate Aurora stated that Meta Pixel may have collected “IP address; dates, times, and/or locations of scheduled appointments; your proximity to an Advocate Aurora Health location; information about your provider; type of appointment or procedure; communications between you and others through MyChart, which may have included your first and last name and your medical record number; information about whether you had insurance; and, if you had a proxy MyChart account, your first name and the first name of your proxy.” It did not collect Social Security numbers, financial accounts, credit cards, or debit card information. At this point, there is no reported misuse of information. Bleeping Computer, HealthcareITNews

That this is at all problematic is being vigorously denied by Facebook. But in an unusual move, Senator John Warner (D-VA) sent a letter yesterday to Meta CEO Mark Zuckerberg, containing seven fairly rigorous questions based on The Markup’s articles to be answered by 3 November. This follows on Sen. Jon Ossoff’s request via the Senate Homeland Security Committee (below). (Editor’s opinion: to be written by Meta’s lawyers, and don’t hold your breath for any rending of garments or mea culpas.) HealthcareITNews, The Markup

Our previous articles on The Markup‘s research and Meta Pixel:

Breaking: Hospitals sending sensitive patient information to Facebook through website ‘Meta Pixel’ ad tracker–study

Facebook Meta Pixel update: Nemours Children’s Health using 25 ad trackers on appointment scheduling site

Let the lawsuits begin: Meta sued by health system patient for Meta Pixel info gathering

Novant Health notification 

Meta facing some Senate scrutiny on Meta Pixel’s health data collection–and how it’s used

Meta facing some Senate scrutiny on Meta Pixel’s health data collection–and how it’s used

A member of the Senate Homeland Security and Governmental Affairs Committee, Sen. Jon Ossoff (D-GA) has requested that Facebook’s parent, Meta, account for healthcare information that it has collected as a result of the Meta Pixel being used on leading hospitals’ websites as an ad tracker. During a hearing, Meta chief product officer Chris Cox was questioned about Meta’s having and using the data and responded, “Not to my knowledge.” According to this latest report in The Markup, Cox will follow up with a written response to the committee.

The June investigation by The Markup and STAT [TTA 17 June] examined how these snippets of code, routinely used by developers to track website performance, could be sending highly sensitive patient information to Facebook through online appointment schedulers and patient portals. As we noted then from the article, “None of the hospitals using the Pixel have patient consent forms permitting the transmission of individual patient information, nor business associate agreements (BAAs) that permit this data’s collection.” Facebook’s defense is that it does not use this information in any identifiable way.

Developments have moved quickly since then. According to The Markup, 28 of the 33 hospitals in the initial report have removed the Meta Pixel from their appointment schedulers or blocked it from sending patient information to Facebook. At least six of the seven health systems had also removed the pixels from their patient portals. In August, Novant Health notified patients of a code misconfiguration of their Meta Pixel tracker that may lead to unauthorized disclosure of their personal health information (PHI) [TTA 19 Aug]. North Carolina’s attorney general may investigate. Five class action lawsuits have been filed by patients, including against Novant and Medstar [TTA 23 June].

Meta may have a very hard time ‘splainin’ to Sen. Ossoff how the data flows and is used for any given account, based upon their own internal engineers’ assessments in a leaked 2021 privacy memo. But given Meta’s and the founder’s pull in the Federal government, one wonders how far all of this will go. Your Editor is not optimistic. TTA’s articles on Meta Pixel

Week-end news roundup: +Oscar data tech platform pauses, BD buys MedKeeper pharmatech for $93M, Novant’s Meta misconfiguration reveals PHI, Mt Sinai’s Sema4 genomics spinoff releases 250 + founder

+Oscar, Oscar Health’s foray into selling value-based health plan management services within a full-stack platform, has taken a minus. They are no longer pursuing relationships until they straighten out the ones they have, which are proving problematic. Their last implementation at Florida-based insurer Health First Health Plans (not to be confused with NY’s HealthFirst) proved to have some problems that prevented them from going live early this year, which were not itemized but were serious enough for Oscar Health to stop acquiring accounts until said difficulties are sorted out.  +Oscar’s platform is designed to deliver medical cost management to payers and value-based care by closing care gaps, improving quality scores, enhancing value, and communicating effectively with patients through its Campaign Builder and Next Best Actions engines (release). How many contracts +Oscar has implemented was not disclosed, although since startup in April 2021, they were claiming a pace of 1-2 annually. Oscar Health has experienced a few bumps since its March 2021 IPO that raised $1.4 billion, what with share prices cruising in the mid-single digits and shareholder class action lawsuits [TTA 19 May]. Healthcare Dive, Q2 results

Medical device giant BD gets into pharmatech with MedKeeper buy for an eye-popping $93 million. The purchase was made from pharmaceutical manufacturer Grifols, SA, a Spanish multinational pharmaceutical and chemical manufacturer, as part of their plan to exit non-core businesses. MedKeeper is a photo-based automation system for in-hospital workflows and systems for pharmacy communications, compliance, and productivity.  BD also owns two pharmacy-related companies in their Medication Management Solutions portfolio, Parata for automating vial filling, packaging, and central fill, and Pyxis automated medication dispensers. Count BD as another company that acquires technology from, as this Editor put it earlier, “healthy health tech companies at the right (discounted) price that fill in their tech gaps.” MedTechDive, BD release

North Carolina provider Novant Health has notified patients of a code misconfiguration of their Meta Pixel tracker that may lead to unauthorized disclosure of their personal health information (PHI). The number of patients is not disclosed. In June, The Markup and STAT jointly published a several-part exposé of the Meta Pixel tracker being loaded into patient portals and the online appointment scheduler, capturing sensitive patient information and sending it to Facebook [TTA 17 June]. The letter explains the event as a campaign to connect more patients to their MyChart portal. The pixel was removed in June (after the article published). Novant determined that PHI could have been disclosed, although they have not uncovered any improper use to date. HealthITSecurity, Novant release

Layoffs and restructurings continue this summer with the latest being Sema4, a population health/analytics/ML/AI-assisted disease model spinoff of Mount Sinai. In what the company (Nasdaq: SMFR) has termed “a series of corporate realignments”, the company is discharging 250 staff, about 13%, plus shedding its founder from both the president and director slots effective immediately. Leading the company will be a transformation management office that includes the CEO and the new chief technology & product officer. On their Q2 earnings call, coupled with the first half, Sema4 disclosed layoffs from first half to total 30% of “legacy” staff to reduce to 1,600 employees. With shuttering some of their lab business and moving of operations, they expect to achieve cost savings of $50 million in 2022 and $250 million by end of 2023, to refocus on what they term their ‘health insights business’. Net loss in the second quarter of 2022 was $85.7 million, up over $40 million in Q2 2021. Yahoo Finance, Becker’s.

Let the lawsuits begin: Meta sued by health system patient for Meta Pixel info gathering

That was fast. Class action game on! The class action lawsuit reported today, filed against Meta Friday in the US District Court for the Northern District of California in San Francisco, is going to be only the first. The ‘John Doe’ plaintiff, a patient of Baltimore-based Medstar Health System and a Facebook user, claims that he is filing on behalf of “millions of other Americans whose medical privacy has been violated by Facebook’s Pixel tracking tool.” Four law firms are involved in the lawsuit. It follows on last week’s investigative report by The Markup and STAT on the Meta Pixel tracker being used by 33 of the top 100 hospital systems [TTA 17 June].

The study indicates that the information gathered in the appointment booking form included IP address, doctor’s name, patient name, email address, phone number, zip code, and city of residence. When it’s put together with outside information, it can be considered a HIPAA violation.

The lawsuit alleges that the information was collected without consent. Neither Meta nor Facebook has a Business Associate Agreement (BAA) in place covering them for gathering this information in any one of the 664 health systems using the Meta Pixel cited in the suit.

The suit requests compensatory and punitive damages for breach of contract, constitutional invasion of privacy, violation of the Electronic Communications Privacy Act, violation of the California Invasion of Privacy Act, and other allegations. The filing was captured by ReclaimTheNet.org. Page 18 contains multiple statements from Meta/Facebook stating that advertising based on health is ‘inappropriate’, but then illustrates how Facebook goes ahead and does it anyway (!)

A small wrinkle: In a statement to HIPAA Journal, Medstar Health Systems claimed it does not use the Meta Pixel or any Facebook code on its website. It creates an issue of the plaintiff’s standing and harm.

FierceHealthcare, Becker’s, HealthITSecurity

Facebook Meta Pixel update: Nemours Children’s Health using 25 ad trackers on appointment scheduling site

The Meta Pixel tracker study gets a little worse–this time, it’s information on appointments for children. The Markup’s investigation on healthcare use of ad trackers continues with an examination of Nemours Children’s Health, a Delaware-based multi-state health network with 97 locations in Delaware, Pennsylvania, New Jersey, and Florida that serve about 500,000 families. Once again, Meta Pixel and other ad trackers were found to capture and send to Facebook personal information and patient/family details, entered by an adult on the appointment scheduling site, that may constitute protected health information.

Meta Pixel was recorded as tracking:

  • IP addresses
  • Scheduled doctor and his or her specialty
  • In some cases, the first and last name of the child being scheduled

It is not this information alone, but in combination with other information that Facebook possesses, that can profile any user’s health conditions, link specific conditions to individuals and parents, and thus constitute a privacy violation. IP addresses are one of the factors that HIPAA cites as creating a violation when linked to other information.

The Markup used a tool called Blacklight to scan Nemours’ websites.

What was Nemours thinking in building their website? In addition to Meta Pixel, the scheduling site is riddled with 25 ad trackers and 38 third-party cookies. These are coded in by Facebook, Amazon, Google, and The Latest Healthcare Transformer, Oracle. Oracle claims it has healthcare data on 80% of US internet users, and one can assume this is how they get it. Ad platforms MediaMath and LiveRamp also captured data. The Markup’s team could detect the trackers, but not determine what information these ad trackers were capturing. 

In addition to the trackers on the scheduling site, Blacklight picked up a session recorder from Mouseflow. This is code that can potentially track what people click on a page. Mouseflow states on its Legal Hub that in order to transmit HIPAA-protected information to a third party, a business associate agreement (BAA) must be in place. Mouseflow did not confirm a BAA to The Markup, but in a statement to them insisted that Mouseflow does not permit the transmission of PII or PHI and masks that information.

Not all health data transmitted constitute HIPAA violations, but capture of appointment scheduling information is right on the line of HIPAA violations, though not 100% conclusive.

Elsewhere on the Nemours website, there were nine ad trackers and ten third-party cookies. 

Even after they were notified by The Markup, Nemours persisted in using Meta Pixel. While many of the trackers on the scheduling site were removed, trackers from Facebook, Google, and Salesforce remained. Facebook’s Meta Pixel was removed after last week’s story.

This is certainly another gap between the suits in the suites and the IT/developers rowing in the galley.

Breaking: Hospitals sending sensitive patient information to Facebook through website ‘Meta Pixel’ ad tracker–study

Meta Pixel tracker sending appointment scheduling, patient portal information to Facebook–likely to become the Hot Story of next week. A study published jointly by The Markup and STAT examined the patient-facing areas of Newsweek’s 100 leading hospitals’ websites. It found that 33 of them permit the Meta Pixel ad tracker to send sensitive patient information back to Facebook. Ostensibly the reason is to better serve the patient with more tailored information, but what is not disclosed is what else Facebook is doing with the information. At a minimum, the information is the IP address–which HIPAA considers one of 18 identifiers that, when linked to other personal information, can make data protected health information.

Ad trackers like the Meta Pixel are used to target website visitors and also to track ads placed on Facebook and Instagram. Developers routinely permit these snippets of code as trackers for better performance and website tracking.

  • For 33 hospitals, the Pixel tracker is picking up and sending back to Facebook information from users of the hospital’s online appointment scheduler: the user’s IP, the text of the button, the doctor’s name, and the search term. In testing the sites using a team approach facilitated by a plug-in called Mozilla Rally, the testers found that in several cases, even more identifiable patient information was being sent: first name, last name, email address, phone number, zip code, and city of residence entered into the booking form.
  • Seven hospitals have the Pixel deep into another highly sensitive area–the password-protected patient portal. These go by various names, but a popular one is Epic’s MyChart. One surveyor found that for Piedmont Healthcare, the Pixel picked up the patient’s name, the name of their doctor, and the time of their upcoming appointment. For Novant Health, the information was even more detailed: name and dosage of medication in our health record, notes entered about the prescription about allergic reactions, and the button clicked in response to a question about sexual orientation. (Novant has since removed the Pixel.)

None of the hospitals using the Pixel have patient consent forms permitting the transmission of individual patient information, nor business associate agreements (BAAs) that permit this data’s collection.

The reaction of most of these hospitals was interesting. Some immediately removed it without comment. Others maintained that no protected information was sent using Pixel or otherwise defended its use. Houston Methodist was almost alone in providing a detailed response on how they used it, but subsequently removed it.

Facebook maintains that it does not use this information in any identifiable way and that from 2020 it has in place a sensitive health data filtering system and other safeguards. The New York Department of Financial Services, in a separate action monitoring Facebook in this area, questioned the accuracy of the filtering system. Even when the information is ‘encrypted’, it’s easy to break. Internal leaked Facebook documents indicate that engineers on the ad and business product team admitted as late as 2021 that they don’t have “an adequate level of control and explainability over how our systems use data, and thus we can’t confidently make controlled policy changes or external commitments such as ‘we will not use X data for Y purpose.’” (quoted from Vice)

The study could not determine whether Facebook used the data to target advertisements, train its recommendation algorithms, or profit in other ways, but the collection alone can be in violation of US regulations. 

On the face of it, it violates patient privacy. But is it a HIPAA violation of protected health information? No expert quoted was willing to say that was 100% true, but a University of Michigan law professor who studies big data and health care said that “I think this is creepy, problematic, and potentially illegal” from the hospitals’ point of view. Some of the hospitals in their comments say that they vetted it. One wonders at this tradeoff.

To this Editor, Meta Pixel’s use in this way walks right up to the line and puts a few toes over.

If this is true of 33 major hospitals, what about the rest of them–smaller and less important than Columbia Presbyterian, Duke, Novant, and UCLA? What all of us have suspected is quite true–social media is collecting data on us and invading our privacy at every turn, and except for exposés like this, 99% of people neither know nor care that their private information is being used.

The Markup is continuing their “Pixel Hunt” series with children’s hospitals. A previous article is about Pixels tracking information from crisis pregnancy centers, about as sensitive as you can get. Also HISTalk.