NHS England is investigating the reported transfer of private details of patient information from 20 NHS trusts to Facebook without consent, and could “take further action” against those involved, an NHS spokesperson told Digital Health in an e-mail statement.

The Observer reported on Sunday that its own investigation had revealed a covert tracking tool, Meta Pixel, in the websites of the trusts that had collected browsing information and shared it with Facebook.

The tool can track pages viewed and keywords searched. The data – which included information about patients’ medical conditions, appointments and treatments – was matched to the user’s IP address, enabling it to be linked to individuals in a significant breach.

The report noted that information transferred to the tech company is likely to “include special category health data which has extra protection in law”. Using or sharing such information without consent is illegal.

The NHS spokesman told Digital Health: “NHS trusts are responsible for their own websites, and they must follow data protection laws in relation to the use of cookies on their websites. The NHS is looking into this issue and will take further action if necessary.”

The 20 trusts affected, according to The Observer, are:

  • Alder Hey Children’s
  • Barking, Havering and Redbridge University Hospitals
  • Barts Health
  • Buckinghamshire Healthcare
  • Central and Northwest London
  • Croydon Health Services
  • Devon Partnership
  • Hertfordshire Partnership University
  • Mid Yorkshire Hospitals
  • Midlands Partnership
  • North Bristol
  • Northampton General Hospital
  • Pennine Care
  • Royal United Hospitals Bath
  • Shrewsbury and Telford Hospital
  • Surrey and Borders Partnership
  • Tavistock and Portman
  • The Christie
  • The Royal Marsden
  • University Hospitals of North Midlands

Seventeen of the 20 trusts confirmed that they have now pulled the tracking tool from their websites, The Observer said.

There have been previous instances of Facebook gaining access to personal health information. In 2019, period-tracking apps were caught sharing medical data with the company. Yet, the scale of the potential data breach covered in this most recent report is likely to renew calls for greater oversight of NHS data security.