Facebook Getting Personal Health Information from Consumer Health Apps--This Might Be How They Did It

Recently The Wall Street Journal (credit: Sam Schechner) revealed that Facebook was able to obtain personal health information (PHI) from health apps on your phone, even if you didn’t have the Facebook app installed. It hasn’t been confirmed how Facebook got its code into those apps, but here’s a clear hypothesis.

These apps are NOT HIPAA-compliant

A few years ago when we launched the Care3 mobile app, we did what most app developers do--we went to Facebook to promote the app to get early users. The process is simple enough. Set up an advertiser account and create a campaign that has several calls to action to choose from. You can send people who click a button to a website, or in our case, download an app from the App Store website or Google Play store site. We chose the option to send people to the websites because the phones knew to automatically open up their download apps for people to get the app. Fine.


After not advertising for a few months, we went back to Facebook to replicate the old campaign and get more users. The campaign calls to action had changed. No longer were we able to choose to send people to the app store websites--at least it wasn’t obvious how to do it. Facebook was trying to force us (and all app developers) to add a “pixel” to our app so that we could directly track downloads resulting from Facebook clicks from within their advertiser metrics site. So wait--if we wanted to advertise on Facebook to drive people to download our app, we were required to add Facebook code into our app. This was a MAJOR RED FLAG and I wrote to Facebook about it.


Their response after multiple back and forth emails was that we *could* promote without adding their pixel code, but they didn’t recommend it. Of course we didn’t add their code.  
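The practical check behind this decision is a dependency audit: any third-party tracking SDK compiled into an app that handles PHI is a data path out of the app. The script below is an added example (not Care3 code); it assumes constructed Podfile and build.gradle contents and uses the public package names of the Facebook SDK as its watch list, since the post itself only refers to a “pixel”.

```python
import re

# Constructed sample manifests standing in for a health app's iOS and Android
# dependency files; these are not the Care3 app's real build files.
PODFILE = """
platform :ios, '12.0'
target 'HealthApp' do
  use_frameworks!
  pod 'Alamofire', '~> 5.0'
  pod 'FBSDKCoreKit', '~> 9.0'
end
"""

BUILD_GRADLE = """
dependencies {
    implementation 'androidx.appcompat:appcompat:1.2.0'
    implementation 'com.facebook.android:facebook-android-sdk:9.0.0'
    testImplementation 'junit:junit:4.13'
}
"""

# Watch list of SDKs that report app events to a third party. The package
# names are the public identifiers of the Facebook SDK; extend as needed.
TRACKING_SDKS = {
    "FBSDKCoreKit": "Facebook SDK (iOS)",
    "com.facebook.android:facebook-android-sdk": "Facebook SDK (Android)",
}

# CocoaPods: pod 'Name', ...   Gradle: implementation 'group:artifact:version'
POD_RE = re.compile(r"^\s*pod\s+'([^']+)'", re.MULTILINE)
GRADLE_RE = re.compile(r"^\s*\w*[iI]mplementation\s+'([^':]+:[^':]+):",
                       re.MULTILINE)


def find_tracking_sdks(podfile: str, build_gradle: str) -> list:
    """Return (dependency, description) pairs that need a HIPAA data-flow
    review before the app ships, because they send app events off-device."""
    deps = POD_RE.findall(podfile) + GRADLE_RE.findall(build_gradle)
    return [(d, TRACKING_SDKS[d]) for d in deps if d in TRACKING_SDKS]


if __name__ == "__main__":
    for dep, desc in find_tracking_sdks(PODFILE, BUILD_GRADLE):
        print(f"FLAG: {dep} -> {desc}")
```

Run it in CI against the real manifests so a tracking SDK cannot be added to the app without the build failing and a reviewer signing off.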


Privacy is the norm in healthcare and it admittedly can stunt innovation. But consumers should have the power to decide what information is stored and ultimately shared. Facebook may not have done anything technically illegal by asking app developers to add their code to their apps, but what they’ve done with that code crosses an ethical line, in our opinion.


Care3 will NEVER share your personal health information without your permission. Period. And Period again.

HIPAA-compliant text messaging and tracking app for healthcare

Blog: David Williams