Sensitive Health Information Shared in Facebook Closed Groups Allegedly Exposed

A complaint has been submitted to the FTC alleging Facebook as engaged in deceptive practices and has violated users’ privacy as well as FTC rules. The complaint states that medical data shared in closed, purportedly anonymous Facebook groups has been shared with advertisers and was not kept private and confidential.

The House Committee on Energy & Commerce has responded to the complaint and has written to Facebook CEO Mark Zuckerberg demanding answers about the alleged Facebook PHR (Groups) system privacy breaches.

The complaint was submitted to the FTC in December by security researcher Fred Trotter and anonymous Facebook health group members. The complaint letter claims that the private data of members of closed Facebook groups has been exposed, and in some cases compromised. As a result of the privacy breaches, health group members are at risk of discrimination.

Individuals with health and mental health problems utilize closed Facebook groups for support. Facebook groups are billed as offering a secure environment where members can speak about their conditions and disclose health information without being identified. Highly sensitive information is often shared because group members think Facebook groups are private. Facebook even actively promotes Groups in this way and suggests they can be used for disclosing health information.

In many cases, group members have posted details about their sexual histories, positive HIV diagnoses, specifics of previous sexual abuse, substance abuse conditions, and a number of health and mental health disorders.

The groups are designed to be private and anonymous and are typically advertised as such. The Affected by Addiction Community Facebook Group is one example. Members of the group are advised that information disclosed in the group is only viewable by members of the group than that conversations are private. The group has been actively promoted by Facebook, even though the statement made about the privacy of the group is inaccurate and is contrary to Facebook’s data policy.

The data policy of Facebook suggests that details disclosed using its platform could be shared with other individuals in and out of its platform. Any claims that private Facebook groups are anonymous is a misrepresentation. Details discussed in these groups, such as PHI disclosures, are made available to advertisers. There have been numerous instances of users of these groups being displayed ads relating to their conditions, which have only ever been discussed online in closed Facebook groups.

Facebook is not covered by HIPAA Rules, thus the sharing of any PHI with advertisers is not tantamount to a HIPAA violation. Nonetheless, Facebook must comply with FTC regulations.

Aside from sharing details with advertisers, the complaint challenges the security of Facebook Groups. One user of a closed health group said she was able to download a record of all group members by using the grouply.io Chrome web browser extension. Trotter, whom the member notified about the lack of privacy, was also able to access the real names of 10,000+ members of a private group, their email addresses, the members’ home city, and even details of member’s employers. In this instance, the group was set up for patients with a BRCA cancer mutation.

Trotter stated in the complaint that considering Facebook is advertising the groups for sharing health details, the groups should be treated as personal health records and as such, would be regulated by the FTC. Among the requirements for a personal health record is the need to issue breach notifications in the event of a security breach. Trotter alerted Facebook to the download of group members names and personal information, yet no notifications were issued.

Trotter notes in the complaint that the sharing of personal health information is against the law. In certain cases when sensitive information is made public – HIV diagnoses being a good example – the privacy violations could result in serious injury or death. “Facebook has ignored our requests to fix the specific issues we have identified to the company and denies publicly that any problem exists. All of this represents unfair, deceptive and misleading interactions between Facebook and its users in violation of the FTC Act,” wrote Trotter.

The Energy and Commerce Committee has demanded a response from Facebook by March 1, 2019.