Facebook Aimed To Match Patient Data To User Profiles Without Consent

According to a CNBC report, Facebook sent a doctor on a secret mission to ask hospitals to share patient data with the company. The company’s aim was to match patient records to Facebook profiles, a potential violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Facebook’s Spy Doctor

The report said that Facebook asked major hospitals and health organizations, such as Stanford Medical School and the American College of Cardiology, to share “anonymized” data about their patients for a “research project.”

The proposal never went beyond the planning phase and it was put on pause once the Cambridge Analytica scandal revealed other privacy issues the Facebook platform had.

The effort to share patient data was led by an interventional cardiologist named Freddy Abnousi, who describes his role on LinkedIn as "leading top-secret projects." The project was supervised by Regina Dugan, the head of Facebook's "Building 8" experimental projects group, before she left in October 2017.

Deanonymizing “Anonymized Data”

We already know from previous studies that the so-called anonymized data, which advertising and data-tracking companies like to promote as a way to encourage people to give up their data, isn’t actually that anonymous. In fact, in many of these studies over 90% of the people can be easily identified from the anonymized data.

It seems Facebook already knew this, because according to the CNBC report, the company was already planning on matching the patient data with its own user profiles.

To comply with the federal and state medical privacy laws, Facebook planned to use cryptographic hashes to match the medical data set with the Facebook user base, while blurring the names of the patients in the medical data set.

However, the final result of this solution still seems to lead to deanonymization if, at the end of the whole process, the company can still match individual users to certain medical data about them. At that point, the data is no longer anonymous, even if it may have been in the early stages of the process.
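The sketch below is an added example, not code from the article or from Facebook. It shows why a record keyed by an unkeyed hash of an identifier can be re-attached to a profile by anyone who already holds that identifier, and how a keyed hash whose key stays with the data holder prevents that. The report does not say which field or hash function was planned, so the email join key, SHA-256, and all sample data are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data; the email join key and SHA-256 are assumptions.
HOSPITAL_PATIENTS = [
    ("alice@example.com", "atrial fibrillation"),
    ("bob@example.com", "hypertension"),
    ("carol@example.com", "type 2 diabetes"),
]
PLATFORM_USERS = {
    "Alice@Example.com": "profile-1001",
    "dave@example.com": "profile-1002",
    "bob@example.com": "profile-1003",
}

def plain_token(email):
    """Unkeyed hash: anyone who already knows the email can recompute it."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()

def keyed_token(email, key):
    """Keyed hash: recomputing the token requires the data holder's key."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()

def release(patients, tokenize):
    """Data holder: drop the identifier, ship only token and diagnosis."""
    return [{"token": tokenize(e), "diagnosis": dx} for e, dx in patients]

def link(released, users, tokenize):
    """Recipient: hash its own user list and join on the token."""
    index = {tokenize(e): profile for e, profile in users.items()}
    return {index[r["token"]]: r["diagnosis"]
            for r in released if r["token"] in index}

def demo():
    # Same unkeyed hash on both sides: records re-attach to profiles.
    linked_plain = link(release(HOSPITAL_PATIENTS, plain_token),
                        PLATFORM_USERS, plain_token)
    # Key held only by the data holder: the recipient cannot recompute tokens.
    key = b"constructed-demo-key"
    keyed = release(HOSPITAL_PATIENTS, lambda e: keyed_token(e, key))
    linked_keyed = link(keyed, PLATFORM_USERS, plain_token)
    return linked_plain, linked_keyed

if __name__ == "__main__":
    print(demo())
```

With the unkeyed hash, two of the three constructed records are linked to profiles even though no name or email was released; with the keyed hash, the recipient links none on its own.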

It seems Facebook has gotten into the habit of using its users' data in whole new ways without asking for consent, and only apologizing later, when discovered. The company had previously done some psychological experiments on its users, for which it later apologized.

Aneesh Chopra, president of CareJourney, a health software company specializing in patient data, seems to agree that Facebook is not approaching this issue the right way:

"Consumers wouldn't have assumed their data would be used in this way. If Facebook moves ahead (with its plans), I would be wary of efforts that repurpose user data without explicit consent."

The new EU GDPR rules already require explicit consent for data collection in most cases, and Facebook has already promised to enable the same privacy controls for every user. It now remains to be seen if Facebook has actually learned anything from the Cambridge Analytica scandal, and whether or not the company will be more careful about not using its users' data for things its users didn't consent to.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • gdmaclew
    "Aneesh Chopra, president of CareJourney, a health software company specializing in patient data, seems to agree that Facebook is not approaching this issue the right way:"

    The Right Way?
    I would use much much stronger language than that. From all the previous "problems" that Facebook has had I knew sooner or later they would go too far.
    Something always rubbed me the wrong way about Zuckerberg. I'm not saying he was (or is) malicious but rather naive and/or sloppy or just downright irresponsible.
    This should be very interesting to follow.
  • sykozis
    If the data can be matched to a user profile, HIPAA has been clearly violated....
  • humorific
    Clearly, Facebook does not possess common sense or the culture to understand what they are doing is wrong. I propose that as part of the profile, users should be able to see the name, date, and their statistics given of every company that has been given their information, anonymized or not.
  • 10tacle
    Facebook continues to become more and more emboldened. We have two options left: 1) stop using it or 2) get public opinion drummed up for governments to take action against them. Zuckerberg's company is an out of control runaway train at this point. Their power has made them corrupt. There is no competition against Facebook so what do they have to worry about?

    I understand that Facebook is the new means of communication between friends and family because it's convenient and has made email essentially obsolete, but they are clearly crossing civil rights boundaries now.

    "Power tends to corrupt, and absolute power corrupts absolutely. Great men are almost always bad men." - Bishop Mandell Creighton, 1887
  • randomizer
    This is already done with less important data in basically the same way, but in those cases a person could have reasonably expected their data to be shared. Trying it with patient data is a brazen move though.
  • USAFRet
    Are you sufficiently pissed off yet?
  • hannibal
    This is late April Fools' Day news... Right? This has to be or someone has gone out of his mind completely!
    Patient information is one of the most prohibited information that you can have or acquire by the law in most civilized countries...
  • plateLunch
    I keep wondering why the press hasn't taken Zuckerberg apart for the difference in the way he protects his own privacy vs. the way he treats his users' privacy.

    Zuck bought a house in Palo Alto, and then proceeded to buy every home surrounding his so he could have his own privacy! He was on the verge of kicking the families in the surrounding homes out but the last I heard that was delayed. And he did a similar thing on the island of Kauai in Hawaii. Instead this time he bought acres of land surrounding his home and proceeded to build a stone wall around the entire holding. This pissed off the native Hawaiians who were denied access to lands they had farmed for decades.
  • 10tacle
    ^^History has shown that dictators of countries do the same thing. It's just disgusting. I don't know how he can live with himself but I guess all that money and power has blinded him. The man clearly has no human conscience.
  • Co BIY
    This situation is so clueless that I suspect they want government intervention. Nothing like some rumors of medical privacy being violated to get real action.

    My conspiratorial mind suspects that Facebook and Google may want heavy government regulation at this point. It would essentially freeze the status quo because only they could afford to comply with the onerous rules while sitting on their huge stash of valuable data and large market share. New entrants could never get started in the smothering regs and never dethrone them.

    They may not be able to get bigger than they are now so it's time to lock in the win.

    "Please, Please don't make me a regulated utility with guaranteed profit margins and no competition allowed."