Already facing a raft of privacy lawsuits, Facebook has been receiving sensitive personal medical information without people’s knowledge or consent, it has been revealed.

It comes as the US Congress considers a new nationally binding privacy law.

The Meta Pixel, installed on US hospital websites, has been collecting details about medical conditions, prescriptions, appointments and personal details, and sending them to Facebook, non-profit technology newsroom The Markup has found.

Its analysis showed 33 of Newsweek’s top 100 hospitals had the tracking tool on their website, although some have since removed it.

In one experiment run by The Markup, a doctor’s name, field of medicine, patient first name, last name, email address, phone number, zip code and city of residence were sent to Facebook via the pixel.

In another example, a description of the text of a “schedule appointment” button, a doctor’s name and the search term “pregnancy termination” were relayed to the social media giant.

In the wake of the historic and controversial overturning of Roe vs Wade, there have been heightened concerns about data protection and digital privacy.

It’s put the spotlight on Google, Facebook and other Big Tech companies to provide commitments to safeguard personal data related to reproductive services and information, including web searches, emails, text messages and even details stored in apps.

Tracking Big Tech’s tracking tools

The Facebook investigation is part of The Markup’s Meta Pixel study, conducted with the Mozilla Foundation, to understand the extent of online tracking and personal information sharing.

The Meta Pixel, named after the tiny 1-pixel by 1-pixel images that were hidden on webpages and first used for tracking, is a snippet of code on a website that can record interactions on webpages, buttons and some information entered into forms.

It’s regarded as one of the most common tracking tools, estimated to be on more than 30 per cent of commonly visited websites, according to The Markup, and is used for digital advertising and to collect user metrics on websites.

Personal, sensitive information can be sent to Meta from many different sites, without people being aware or agreeing to it.

And if someone is logged in to Facebook when they interact with a website with an active Meta Pixel, third-party cookies can enable Meta to go even further and connect the collected pixel data with their Facebook account, making identification even easier.

Moves to adopt national privacy laws in US

This latest scandal around data sharing practices comes as a proposal for a new national privacy law moves through the US Congress.

It includes a ‘sensitive’ data category covering health information in addition to biometric, financial and geolocation data, among other things, and would enshrine a data minimisation requirement for organisations to only collect reasonable information, along with a ‘privacy by design’ mandate.

It would also require federal agencies to support research into privacy-protecting technology, although digital rights group the Electronic Frontier Foundation wants stronger private rights for individuals to sue companies for privacy violations.

The social media giant isn’t subject to a law that restricts hospitals from sharing personally identifiable health information with third parties, even though Facebook receives such information.

Under pressure from a damaging story in the Wall Street Journal and a New York Department of Financial Services investigation, Facebook in 2021 developed a sensitive health data policy.

It agreed to develop a policy to identify and block certain sensitive user information being sent to the platform, but the report found it wasn’t working with complete accuracy.

The department said problematic data-sharing practices exposed in the article are a continuing risk throughout the data analytics and social media industries.