NHS could take action against trusts for Facebook breach – spokesman

  • 31 May 2023
NHS could take action against trusts for Facebook breach – spokesman

NHS England is investigating the reported transfer of private details of patient information from 20 NHS trusts to Facebook without consent, and could “take further action” against those involved, an NHS spokesperson told Digital Health in an e-mail statement.

The Observer reported on Sunday that its own investigation had revealed a covert tracking tool, Meta Pixel, in the websites of the trusts that had collected browsing information and shared it with Facebook.

The tool can track pages viewed and keywords searched. The data – which included information about patients’ medical conditions, appointments and treatments – was matched to the user’s IP address, enabling it to be linked to individuals in a significant breach.

The report noted that information transferred to the tech company is likely to “include special category health data which has extra protection in law”. Using or sharing such information without consent is illegal.

The NHS spokesman told Digital Health: “NHS trusts are responsible for their own websites, and they must follow data protection laws in relation to the use of cookies on their websites. The NHS is looking into this issue and will take further action if necessary.”

The 20 trusts affected, according to The Observer, are:

  • Alder Hey Children’s
  • Barking, Havering and Redbridge University Hospitals
  • Barts Health
  • Buckinghamshire Healthcare
  • Central and Northwest London
  • Croydon Health Services
  • Devon Partnership
  • Hertfordshire Partnership University
  • Mid Yorkshire Hospitals
  • Midlands Partnership
  • North Bristol
  • Northampton General Hospital
  • Pennine Care
  • Royal United Hospitals Bath
  • Shrewsbury and Telford Hospital
  • Surrey and Borders Partnership
  • Tavistock and Portman
  • The Christie
  • The Royal Marsden
  • University Hospitals of North Midlands

Seventeen of the 20 trusts confirmed that they have now pulled the tracking tool from their websites, The Observer said.

There have been previous instances of Facebook gaining access to personal health information. In 2019, period-tracking apps were caught sharing medical data with the company. Yet, the scale of the potential data breach covered in this most recent report is likely to renew calls for greater oversight of NHS data security.

Subscribe to our newsletter

Subscribe To Our Newsletter

Subscribe To Our Newsletter

Sign up

Related News

NHSE quizzed on the link between single patient record and FDP

NHSE quizzed on the link between single patient record and FDP

Suppliers have quizzed NHS England about the relationship between the proposed single patient record and the federated data platform (FDP).
NHS suppliers urged to sign cyber security best practice charter

NHS suppliers urged to sign cyber security best practice charter

Suppliers to the NHS have been urged by NHSE and the DHSC in an open letter to sign a charter of cyber security best practice.
Most of public think that NHS ‘single patient record’ already exists

Most of public think that NHS ‘single patient record’ already exists

Most of the public think that a single patient record (SPR) already exists, according to research by Understanding Patient Data.

1 Comments

  • I believe Google also received PRIVATE & sensitive medical details that we shared with health professionals we are supposed to TRUST. The YouTube videos received into my feeds were absolutely NOT coincidences but clearly based on what’s written in my medical records. Trust may be beyond repair; this is utterly damaging.

Comments are closed.