Already facing a possible $2 billion fine from the US government for earlier data privacy lapses, Facebook is once again under scrutiny over the leaky handling of personal healthcare data in its closed Facebook Groups.

Nathan Eddy explains the fresh new controversy embroiling Facebook in this story from Healthcare IT News:

Facebook has been accused of misleading users of its Groups platform about who can see their private information, and the complaint argues Facebook did not disclose how much information could be visible to outsiders, including health information.

“Sharing of privately posted personal health information violates the law, but this serious problem with Facebook’s privacy implementation also presents an ongoing risk of death or serious injury to Facebook users,” the complaint states.

The report, written by CareSet Systems CTO and hacktivist Fred Trotter and healthcare attorney David Harlow, offers an in-depth review of the health data being shared, used and curated in these Facebook Groups.

The document argued that even though the social media site actively encourages users to share private health information in numerous ways, Facebook’s privacy and access control settings are inconsistently applied. In addition, the report said Facebook allowed substantial patient health information to leak and charges that, as a personal health record (PHR) platform, it is in violation of the FTC Health Breach Notification rule.

[…]

The report pointed out that in April 2018, using grouply.io, Trotter was able to download the real names for the entire membership list (more than 10,000 people) of a Facebook Group where all members are positive for the BRCA mutation. Most of the names on the downloaded list include email addresses, cities of residence and employers of the women who participate in the Facebook Closed Group.

By placing ads in a way to “nudge” users into joining these healthcare groups, Facebook can profit from the clinical details it data mines from its user base, according to the document. “Facebook makes money by offering its users a personal health record product, and then selling information it learns about its users with the PHR context,” the authors charged.