NHS data breach: trusts shared patient details with Facebook without consent

theguardian.com:

NHS trusts are sharing intimate details about patients’ medical conditions, appointments and treatments with Facebook without consent and despite promising never to do so.

An Observer investigation has uncovered a covert tracking tool in the websites of 20 NHS trusts which has for years collected browsing information and shared it with the tech giant in a major breach of privacy.

The data includes granular details of pages viewed, buttons clicked and keywords searched. It is matched to the user’s IP address – an identifier linked to an individual or household – and in many cases details of their Facebook account.

Information extracted by Meta Pixel can be used by Facebook’s parent company, Meta, for its own business purposes – including improving its targeted advertising services.

Records of information sent to the firm by NHS websites reveal it includes data which – when linked to an individual – could reveal personal medical details.

It was collected from patients who visited hundreds of NHS webpages about HIV, self-harm, gender identity services, sexual health, cancer, children’s treatment and more.

It also includes details of when web users clicked buttons to book an appointment, order a repeat prescription, request a referral or to complete an online counselling course. Millions of patients are potentially affected.

This weekend, 17 of the 20 NHS trusts that were using Meta Pixel confirmed they had pulled the tracking tool from their websites.

Eight issued apologies to patients. Multiple trusts said they had originally installed the tracking pixels to monitor recruitment or charity campaigns and were not aware that they were sending patient data to Facebook. The Information Commissioner’s Office (ICO) is investigating.

The