Privacy experts skeptical of Facebook's moves to protect sensitive health information

Facebook is making privacy changes to its platform when it comes to users discussing health conditions or sharing health information in closed groups.

Among the changes: The company will now let people post sensitive health-related information anonymously to Facebook Groups, a pivot away from the company’s traditional approach requiring users to post under their real names. The changes were announced during Facebook’s annual developer conference Tuesday, where Facebook founder Mark Zuckerberg also said the social media platform will separate groups that are dedicated to health issues with a special “health support group” designation. In these groups, users will be able to ask group administrators to post questions on their behalf.

The moves follow a complaint filed with the Federal Trade Commission (FTC) back in January and made public in February that closed online support groups on Facebook—where individuals discuss sensitive health issues ranging from cancer treatments to living with bipolar disorder to addiction issues—were not as private as users had assumed.

But privacy experts and patient advocates say these changes do not go far enough to protect users’ personal health information or to ensure that the data users upload will not be collected or used. 

“It’s too little too late. It doesn’t address some of the fundamental issues that the design and the use of the platform have created,” healthcare lawyer David Harlow, principal of The Harlow Group, told FierceHealthcare. Harlow was involved with the FTC complaint that was filed against Facebook, along with health IT and cybersecurity researcher Fred Trotter and patient advocates who have used closed Facebook groups.

The tech giant has faced significant criticism for failing to protect the sensitive health information users uploaded and has faced claims that it exposed that information to the public. In the FTC complaint, IT researchers and patient advocates argued that Facebook allowed targeting of users’ identifiable health information for its own commercial purposes—specifically allowing advertisers to connect with users with an interest in specific clinical conditions.


In a statement emailed to FierceHealthcare, a Facebook spokesman said, "We recognize that privacy and safety are particularly important for people dealing with health conditions, which is why we are committed to making improvements in this space. We are starting with a feature that gives people a more private way to share; however, this is the first of many updates that we will be making to address this specific audience’s needs. We will continue to work with community leaders, health and privacy experts, and members to help ensure that we are designing the right set of features."

Even with the changes announced by Facebook this week, the name of the user asking the anonymous question is known to the group moderator, which makes the user’s information accessible in some way, Harlow said. “The content that the group posts is still being used to generate advertising income, so it’s being used in some way other than the purposes of the conversation. There are a variety of other ways this information is being used or exposed, at least internally within the company, and possibly hackable by others.”

The issue of Facebook’s privacy policies with regard to sensitive health information came to light last July when the leader of a private Facebook group for women with the BRCA gene, a gene mutation associated with a higher risk for breast cancer, became alarmed after learning that third parties could discover the names of people in the closed group as well as other information. That group user contacted Trotter, who confirmed the security loophole. Facebook then publicly responded to say it had closed that loophole.

Many patient advocates and privacy lawyers voiced skepticism of the privacy changes on Twitter. Matthew Fisher, a partner with Boston-based law firm Mirick O’Connell and chair of the firm’s health law group, questioned whether the changes were more cosmetic than substantial.

The Department of Health and Human Services (HHS) recently clarified that healthcare providers are not liable for any subsequent use or disclosure of patient data by a third-party app as long as the app developer is not a business associate of the provider. HHS offered guidance to answer common questions about the use of third-party apps under the Health Insurance Portability and Accountability Act (HIPAA). 

“Providers should be concerned for their patients and for the public,” Harlow said, even if the exposure of patients’ sensitive health information on a social media platform is not a HIPAA liability for providers.


“It’s not a HIPAA problem, it’s a data privacy problem. The FTC has a health data breach rule which may be applicable in these circumstances,” he said, adding, “It would be better to have a broader uniform set of rules and regulations not specific to a type of data or type of platform that would be more protective of individuals.”

The topic of consumer data privacy is heating up. An investigation by The Wall Street Journal published in February revealed that apps tracking sensitive information are sending those data back to Facebook, unbeknownst to the people using those apps. The Washington Post also reported that pregnancy apps tracking users’ health data share those data with the users’ employers and health insurers.

Facebook is not the only company coming under scrutiny, and momentum is building for federal privacy legislation that would rein in the ability of technology companies to collect and use people’s personal data. Many privacy advocates would like to see the U.S. adopt more uniform privacy policies similar to the General Data Protection Regulation in the EU or a stricter data privacy law that was enacted in California and will go into effect next year.

“Both of those are more comprehensive and more stringent protections than what we have now, which is a patchwork of regulation which varies from state to state,” Harlow said.

However, whether federal legislation should override state laws is a key area of debate between congressional Democrats and Republicans.