An investigation by The Observer has revealed that 20 NHS trusts in the UK have been secretly sharing private patient data, including medical conditions and treatments, with Facebook without obtaining consent.
The data collection was facilitated by a covert tracking tool called Meta Pixel embedded in the websites of these NHS trusts. The tool has been sending browsing information, including granular details of pages viewed, buttons clicked, and keywords searched, to Facebook. The data, linked to users’ IP addresses and in some cases their Facebook accounts, can be used by Meta (formerly Facebook) for targeted advertising. The shared information includes personal medical details and affects millions of patients.
The Observer investigation exposed specific instances of data sharing: Buckinghamshire Healthcare NHS Trust shared information about users viewing a patient handbook for HIV medication; Alder Hey Children’s Trust shared data from webpages related to sexual development problems and mental health services; and the Tavistock and Portman NHS Foundation Trust shared data from pages related to gender identity services and specialist help with sexual behaviors.
Only three of the 20 trusts mentioned Facebook or Meta in their privacy policies, and several trusts had previously promised patients that their information would not be shared or used for marketing purposes. Privacy experts have raised concerns about the breach of patient confidentiality and the potential violation of data protection laws.
They argue that the transfer of data to third-party commercial entities risks damaging the trust between patients and the NHS. The Information Commissioner’s Office (ICO) is investigating the matter, and US regulators have also issued warnings about the use of tracking tools in healthcare settings.
Meta is facing legal action in the US for allegedly knowingly receiving sensitive health information and not taking steps to prevent it.
Following the investigation, 17 out of the 20 NHS trusts using the tracking tool have confirmed that they are removing it from their websites, and some have issued apologies to affected patients. However, the revelations have sparked calls for a comprehensive investigation into the extent of the data breach and the protection of patient information within the NHS.