Facebook accused of revealing private health info in latest privacy snafu

"Sharing of privately posted personal health information violates the law, but this serious problem with Facebook’s privacy implementation also presents an ongoing risk of death or serious injury to Facebook users," a recently released FTC complaint reads.

Social media giant Facebook’s string of privacy controversies now includes a newly released FTC complaint against the company for improperly disclosing membership data including private health information from closed – or private – groups on the site.

The complaint, written by security researcher Fred Trotter and healthcare attorney David Harlow, accuses Facebook of using its “Groups” feature to induce patients to share personal health info about their conditions and then making that data available to marketers and the general public through data security loopholes.

“Sharing of privately posted personal health information violates the law, but this serious problem with Facebook’s privacy implementation also presents an ongoing risk of death or serious injury to Facebook users,” the complaint reads.

In the complaint, Facebook is positioned as a personal health record vendor because of its status as a platform that contains individual health information from a variety of sources, particularly clinical support group posts.

The complaint authors highlight practices by Facebook that they claim are violations of FTC regulation, including using AI to induce users to join patient support groups without disclosure about how their data will be used, and offering a personal health record and later failing to disclose a leak of identifiable health info from its system.

Facebook is already reported to be in negotiations with the FTC over a multi-billion fine for its history of privacy lapses.

This controversy stems from a patient advocate’s discovery that membership lists for closed Facebook Groups (which can include email addresses, city of residence and place of employment) could be easily downloaded using a Google Chrome extension.

In collaboration with Trotter, the complaint authors were able to download a full membership roster for a closed Facebook group dedicated to patients with the BRCA gene mutation, which increases the risk of breast cancer.

The complaint alleges that, after this potential data vulnerability was shared with Facebook, the company missed the deadline for disclosing the breach, refused to commit to fixing the problem and did not acknowledge the issue as a privacy or security vulnerability.

Later, the company made it more difficult to download membership lists, but denied that a privacy breach occurred.

Even after Facebook’s action, the privacy researchers said group members were still able to download full membership lists, leading to the potential of fake accounts being created to exploit the loophole.

The complaint further details the ways Facebook profits from the clinical and private health information it mines from group membership, including selling targeted ads to patients with particular health conditions, and how the company released confusing and conflicting information about privacy controls for groups.

“Facebook relies on consumer confusion about its privacy settings as a business asset. It leverages the confusion to generate the kinds of user details that it needs to target ads, and to create the kind of exclusive social connections that make its platform ‘sticky’ to users,” the complaint reads.

“Facebook profits from the confusion that it creates about user privacy and externalizes the harm associated with this confusion to individual users.”

Picture: David Tran, Getty Images
