Complaint to FTC accuses Facebook of exposing sensitive health data in groups

A complaint filed with the Federal Trade Commission accuses Facebook of misleading its users regarding the private nature of closed Facebook groups and exposing users’ sensitive health data.

The complaint, which was filed last month and made public this week, claims that the company “deceptively solicited patients to use its 'Groups' product to share personal health information about their health issues.”

The complainants claim that Facebook then failed to protect the sensitive health information users uploaded and exposed that information to the public. The complaint argues that Facebook's privacy policies are not clear and that users are not informed about how their data will be used.

By soliciting patients to use the closed groups to share health information, such as to discuss specific health conditions, Facebook is essentially offering a personal health record (PHR), the complaint argues, which means the platform should be regulated by the FTC.

The complaint was filed by health IT and cybersecurity researcher Fred Trotter, healthcare lawyer David Harlow, J.D., and patient advocates who have used closed Facebook groups. They urge the FTC to examine Facebook's "unfair, deceptive and misleading" privacy policies and its failure to notify the FTC of health data breaches, which they say violates the FTC's PHR breach reporting rule.

The researchers and patient advocates also argue that Facebook allowed targeting of users’ identifiable health information for its own commercial purposes—specifically allowing advertisers to connect with users with an interest in specific clinical conditions.

“Sharing of privately posted personal health information violates the law, but this serious problem with Facebook’s privacy implementation also presents an ongoing risk of death or serious injury to Facebook users,” the complaint argues. The health data privacy issues open up the possibility for group users to be targeted for fraudulent treatment programs or to be discriminated against or harassed, according to the complaint.

In response to the FTC complaint, the House Committee on Energy and Commerce is now demanding a briefing with Facebook executives to review the company’s privacy policies and practices and to explain how it gathers users’ data.

Facebook is pushing back on the argument that its private groups are a PHR platform.

“Facebook is not an anonymous platform; real-name identity is at the center of the experience and always has been,” a Facebook spokesman said in an email. “It's intentionally clear to people that when they join any group on Facebook, other members of that group can see that they are a part of that community and can see the posts they choose to share with that community. There is value in being able to know who you’re having a conversation with in a group, and we look forward to briefing the committee on this.”

The issues raised in the complaint also have potential implications for healthcare providers who create or manage support groups on any social media platform.

“When you’re using any type of social media platform, or a public platform, you need to carefully review the terms and conditions as those generally will have a statement about what data might be stored, how it will be stored, and how it can be utilized,” Matt Fisher, a partner with Boston-based law firm Mirick O’Connell and chair of the firm’s health law group, told FierceHealthcare. “If use of the platform is free, there has to be some way the company is making money, and that’s most generally off of the fact that it’s going to claim the right to be able to take and utilize the data.”

Medical researchers often use Facebook groups as a recruitment tool for clinical trials as well, which raises privacy concerns, according to privacy advocates.

This issue came to light last July when the leader of a private Facebook group for women with the BRCA gene, a gene mutation associated with a higher risk for breast cancer, became alarmed after learning that third parties could discover the names of people in the closed group as well as other information, according to CNBC. That group user contacted Trotter, who confirmed the security loophole. Facebook then publicly responded to say it had closed that loophole.

Facebook faces ongoing criticism and scrutiny about its privacy policies. The Washington Post reports that the company and the FTC are negotiating over a multibillion-dollar fine to settle the agency’s investigation into the social media giant’s privacy practices.

According to CNBC, the company is also dealing with fierce regulatory scrutiny, particularly in the European Union, where the new General Data Protection Regulation has expanded the definition of "personal data" far beyond social security numbers, to include the kind of data, like locations, names and genetic markers, that had been available publicly on members of Facebook's closed groups.