NHS trusts shared the private information of patients with Facebook, an investigation by The Observer has revealed.
A probe by the newspaper found a covert tracking tool was being used by the websites of 20 NHS trusts to collect browsing information and share it with the tech giant in a major breach of privacy.
The Meta Pixel tool passed on intimate details about patients to Facebook, including medical conditions, appointments and treatments without people's consent.
The data obtained can be used by the social media giant's parent company, Meta, for business purposes, including targeted advertising.
According to The Observer, 17 of the 20 NHS trusts found to be using Meta Pixel confirmed they had pulled the tracking tool from their websites over the weekend.
Many of the trusts said they installed the tracking pixels to monitor recruitment or charity campaigns and were not aware that they were sending patient data to Facebook.
One of the trusts, Buckinghamshire Healthcare NHS trust, previously said in its privacy policy that "confidential personal information about your health and care. would never be used for marketing purposes without your explicit consent".
In a statement to the Observer, the trust apologised to patients and said Meta Pixel had been "installed in relation to a recruitment campaign, and we were not aware that Meta was using this information for marketing purposes".
"Immediate action has been taken to remove it," a spokesperson from the trust added.
The Information Commissioner's Office (ICO) is investigating.
Earlier this month, Meta was fined 1.2 billion euro (£1 billion) and ordered to stop transferring user data from European users to its US servers.
The record fine was levied by Ireland's Data Protection Commission (DPC) after a three-year probe into the social media giant.
The DPC said Meta had breached part of the European GDPR (General Data Protection Regulation) rules in the way that it had moved data of Facebook users across borders.
It ordered Meta Ireland to "suspend any future transfer of personal data to the US within the period of five months" and also levied a record fine on the business "to sanction the infringement that was found to have occurred". Meta called the fine "unjustified".