If you use Facebook to share your personal health information (PHI) with other users — even within closed Facebook groups — your PHI isn’t safe. Facebook shares that data with advertisers.
Consumers filed a letter with the Federal Trade Commission (FTC) in December complaining that Facebook advertises closed groups on the social media platform as “private,” even though Facebook shares any information posted in closed groups with advertisers. Thus, the consumers argue, Facebook not only deceives users but also violates the FTC’s 2012 consent order.
Many Facebook users form closed groups to discuss health problems they have in common, ranging from mental illnesses to addictions to eating disorders to cancer. The purpose of these groups is to provide a “safe space” for sufferers to commiserate and help each other access important resources, like quality doctors, coping mechanisms, etc.
As the letter points out, Facebook promotes these groups and even defines them as “Support Groups,” specifically for the purpose of helping users dealing with certain medical conditions or lifestyle struggles.
Because users share PHI in this groups, Facebook legally qualifies as a personal health record (PHR) and must disclose data breaches that include PHI leaks, which Facebook does not do.
So not only does Facebook share their sensitive PHI with advertisers, the consumers alleged in the letter, but Facebook also doesn’t notify them in the event of data breaches that might affect their PHI.
Furthermore, Facebook’s description of the Affected by Addiction Community Facebook Group reads, “This is a private group, so nothing you post will be seen by anyone outside of this group,” even though, the letter points out, Facebook contradicts this in its data policy: “You should consider who you choose to share with, because people who can see your activity on our Products can choose to share it with others on and off our Products, including people and businesses outside the audience you shared with.”
And that’s just the tip of the iceberg. The letter also describes how Facebook “selectively enforces its real-name policy.” Most of the time, Facebook requires users to always use their real names and not pseudonyms, but Facebook does not consistently enforce this policy, resulting in fake accounts joining support groups or launching support groups in order to harvest personal, private information from vulnerable users.
Almost a year ago, The Verge ran a story describing how members of addiction support groups often received fraudulent Facebook messages promoting different treatments that were “not legitimate,” which supports the letter’s argument that Facebook shares PHI with advertisers and other third-parties and does not enforce the privacy standards it claims to uphold.
“Facebook deceptively lures vulnerable users into joining unsafe clinical Support Groups,” consumers complained in the letter. “Facebook offers the illusion of control but ignores and obscures privacy decisions.”
HIPAA Journal, a publication that explains HIPAA issues, noted in a December 2017 post that Facebook users should never share PHI on Facebook, not even via Facebook Messenger, as Facebook is not HIPAA-compliant and thus is not obligated to protect PHI under HIPPA. (In order to become HIPAA-compliant, Facebook would need to sign a Business Associate Agreement.)
In a March 2018 post, the journal advised against sharing PHI on any social media platform and warned doctors against sharing any kind of patient-related information on social media platforms.
But because Facebook meets the legal definition of a PHR, by not notifying users of data breaches, it may violate the FTC Health Breach Notification rule, as well as engage in “unfair and deceptive” practices by advertising its support groups as “private” and “safe” when they are not.
Representatives Frank Pallone (D-N.J.) and Jay Schakowsky (D-Ill.) sent a letter to Facebook on Monday demanding an explanation. They called for a staff briefing “no later than March 1” on the issues raised in the consumer complaint.
“This consumer complaint raises a number of concerns about Facebook’s privacy policies and practices,” the representatives wrote. “Facebook’s systems lack transparency as to how they are able to gather personal information and synthesize that information into suggestions of relevant medical condition support groups. Labeling these groups as closed or anonymous potentially misled Facebook users into joining these groups and revealing more personal information than they otherwise would have. And Facebook may have failed to properly notify group members that their personal health information may have been accessed by health insurance companies and online bullies, among others.”