Recent privacy news from around the web ...
Geoffrey A. Fowler on the Washington Post (washingtonpost.com)
Software that thousands of clinics and hospitals across the United States use to check people into appointments harvests the information people provide and uses it to target ads. How can they do that? Phreesia, the software company, includes a paragraph authorizing this in the consent form people sign when they're checking in – and most people don't bother to read it, so they consent to sharing. It's a classic example of the way a "notice and consent" approach allows companies to exploit us as long as we don't say no.
THE DEVIL IS IN THE DETAILS: ADPPA Section 204 (A) (page 33) requires "affirmative express consent" to transfer sensitive data. Does Phreesia's consent form language meet the requirements for "affirmative express consent" in Section 2 (1) (page 2)?
“I hereby authorize my health care provider to release to Phreesia’s check-in system my health information entered during the automated check-in process … to help determine the health-related materials I will receive as part of my use of Phreesia. The health-related materials may include information and advertisements related to treatments and therapies specific to my health status.”
Todd Feathers, Simon Fondrie-Teitler, Angie Waller, and Surya Mattu on The Markup
Thursday, The Markup's investigation revealed that 33 of the top 100 hospitals in the US have a "Meta Pixel" on their websites which sends information about people's medical conditions, prescriptions, and doctor’s appointments to Facebook (aka Meta). Friday, Bloomberg's Evan Peng reported a class-action suit in California seeks compensatory and punitive damages for "breach of contract, violation of the federal Electronic Communications Privacy Act and a constitutional claim for invasion of privacy, among other allegations." The hospitals involved may have violated HIPAA. Nadia Bey's What is Meta Pixel, the code detected on health system websites in NC and beyond?, in the Charlotte Observer, has some local perspectives – and sets it in the context of The Markup's reporting back in April that information from people who applied for federal student aid had also been sent to Facebook.
GET INVOLVED: The Markup's reporting is part of the Facebook Pixel Hunt, a collaboration between Markup journalists and Mozilla researchers. If you run Firefox, here's how you can help!
- This Children’s Hospital Network Was Giving Kids’ Information to Facebook, by Alfred Ng and Simon Fondrie-Teitler on The Markup, is another example of a "Meta Pixel" violating HIPAA.
- Hospitals that sent patient data to Facebook should be investigated, state reps say, by Teddy Rosenbluth in the News & Observer, reports that North Carolina State Representatives Brian Farkas and Donny Lambeth have asked the attorney general to investigate whether hospitals violated consumer protection or privacy laws, and to recommend legal changes that would protect patients from privacy breaches in the future – and the AG confirms that he's investigating.
Diane Bartz on Reuters
Last week, the Center for Countering Digital Hate released a study finding that many Google search results for abortion clinics instead returned links to so-called "pregnancy crisis centers" – fake abortion clinics that instead attempt to convince people not to get abortions. Now, 20 Democratic members of Congress have sent a letter to Google telling them to ensure that searches return accurate information.
If you're wondering why this is a privacy story, check out Grace Oldham and Dhruv Mehrotra's Facebook and Anti-Abortion Clinics Are Collecting Highly Sensitive Info on Would-Be Patients on Reveal, a joint investigation with The Markup. These sites are using Meta Pixel to get data about whether a person was considering abortion or looking to get a pregnancy test or emergency contraceptives with the fake pregnancy crisis centers Google sends them to.
See also: Lawmakers urge Google to fix abortion searches suggesting ‘fake clinics’, Kim Bellware, Washington Post, with more details and a list of the legislators.
TAKE ACTION: Tell Google to stop profiting from anti-abortion disinformation using Center for Countering Digital Hate's form.
Privacy Law in South Korea Whiteboard, a one-page summary of South Korea’s Privacy Law, the Personal Information Protection Act, by Prof. Daniel Solove on teachprivacy.com
S.T.O.P. x RadTech: Reproductive Freedom Under Surveillance - Wednesday at 3:00 pm Pacific (6:00 Eastern), featuring Hayley Tsukayama of Electronic Frontier Foundation, focusing on state legislation, and Prof. Jolynn Dellinger of Duke Law's Kenan Institute for Ethics, moderated by S.T.O.P.'s Alfred Fox-Cahn.