NHS sent Facebook private patient information

20 trusts found using a tracking tool that shared information with Meta

As many as 20 NHS trusts have shared patients' private medical information with Facebook through a hidden tracking tool on their websites, an investigation by The Observer has revealed.

Data was collected from individuals who accessed NHS webpages related to various topics such as HIV, gender identity services, self-harm, sexual health, children's treatment, cancer and more.

The websites of 20 NHS trusts were found to be utilising the Meta Pixel tracking tool, which gathered browsing information and shared it with the tech giant.

That is despite the trusts promising not to collect that information, and without obtaining proper consent from the individuals involved.

The collected data showed which pages people had visited, the buttons they clicked and the keywords they searched for.

The data was matched to the user's IP address and often linked to their Facebook account details.

When matched to an individual patient, this information could potentially expose personal details such as medical conditions, doctor appointments and treatments received.

Facebook could potentially have used it for business-related objectives, including targeted advertising.

Following the public disclosure of this breach, 17 out of the 20 NHS trusts that employed the Meta Pixel tool said they had ceased using it, and apologised for doing so.

Several of the trusts explained they had initially implemented the tracking pixel to monitor recruitment or charity campaigns, and were unaware that patient data was being sent to Facebook.

Buckinghamshire Healthcare NHS Trust (BHNHST), one of the bodies that has now removed the tracking tool, said the presence of Meta Pixel on its website was an unintended error.

BHNHST apparently shared information with Facebook when a user accessed a patient handbook about HIV medication. This included the name of the drug, the trust's name, the user's IP address and details of their Facebook user ID.

The trust's privacy policy explicitly states that confidential personal health information would never be utilised for marketing purposes without explicit consent.

Alder Hey Children's Trust in Liverpool also shared information with Facebook when users accessed webpages related to sexual development issues, crisis mental health services and eating disorders.

The Information Commissioner's Office (ICO) is investigating the matter, indicating ongoing concerns regarding privacy.

Privacy experts have also voiced their concerns.

Sam Smith, representing data privacy campaign group medConfidential, told The Guardian that it was never appropriate to employ such tools for the purpose of collecting health data.

"There's no benefit to NHS trusts in giving this information away. It's like asking a tobacco company to sponsor a cancer ward," he said.

"NHS England is tacitly approving this by not enforcing anything better."

Earlier this month, Meta was issued a fine of €1.2 billion and instructed to cease the transfer of user data from European users to its servers in the United States.

In 2021, The Independent claimed in a report that the NHS had been involved in incidents where private data was shared with unauthorised individuals, resulting in breaches that impacted thousands of patients annually.

The ICO's data showed 3,557 breaches of personal data were reported across the British health sector from 1st April 2019 to 31st March 2021, with the majority recorded in the NHS.

In some cases, the NHS was ordered to pay thousands of pounds in compensation because of the errors.