The hole that Facebook has been digging for itself appears to have gotten a little bit deeper.

First it was the Cambridge Analytica scandal (which recently turned out to have affected a lot more users than originally claimed). Then it was Facebook collecting call data from Android phones. The latest revelation about Facebook’s data use brings things to a whole new level of personal.

CNBC uncovered that Facebook sought anonymized medical data from major U.S. hospitals about their patients for a research project. This project would have seen health information matched with patients’ Facebook profiles. The system was in the “planning phase” as recently as March 2018, but has been on hold while Facebook attempts to sweep up the ashes left by the Cambridge Analytica dumpster fire.

A white female doctor discussing medical data with a white female patient.
“Don’t worry, this diagnosis is completely confidential. Except from Facebook. Facebook knows everything.” Image Credit: National Cancer Institute (NCI)

Here’s how CNBC describes the pitch for the system:

Facebook’s pitch, according to two people who heard it and one who is familiar with the project, was to combine what a health system knows about its patients (such as: person has heart disease, is age 50, takes 2 medications and made 3 trips to the hospital this year) with what Facebook knows (such as: user is age 50, married with 3 kids, English isn’t a primary language, actively engages with the community by sending a lot of messages).

The social media platform has been giving out contradictory answers about how exactly this information would be used. The original example given to CNBC was that the system might recommend a nurse check in on an elderly patient after surgery if  Facebook suggested they had few connections who would do so.

Yet, in an email to The Verge, a Facebook spokesperson said “The project would not attempt to provide health recommendations for specific people. Instead the focus would be on producing general insights” for medical professionals.

Maybe we’re just a bit suspicious of Facebook lately, but that sounds a lot like backpedaling.

Either way, it’s not clear that any use of this data would meet the privacy standards required by the 1996 Health Insurance Portability and Accountability Act (HIPAA), which mandates patients’ medical data remain private and secure. Significantly, HIPAA requires patients give their consent for use of any of their medical data; yet one of CNBC’s sources said that consent had not yet come up in Facebook’s discussions.

There’s also a potential HIPAA transgression here in the sense of data security. Facebook would have allegedly matched the anonymous health data with patients’ Facebook profiles using a technique called “hashing.” This method scrambles data, such as names, using a specific algorithm, and then searches for matches among the sets of coded information. For example, if Kathy Zuckhater’s name was scrambled to “hu78lY A34olu7k9,” the scramble of characters wouldn’t be immediately apparent as her name, but they would appear as the same on both her Facebook profile and her medical data.

Yet as Fortune points out, this method is a “pseudonymization” technique, rather than an anonymization; it would technically be possible to reverse-engineer the algorithm and decode the information used. That leaves extraordinarily private information open to hackers, who have targeted medical data in the past.

Perhaps the most wearying aspect of this latest Facebook revelation is that, unlike its previous data-use scandals, this project appeared to have good intentions. Indeed, the U.S. Centers of Medicare and Medicaid Services are similarly exploring how to share patients’ health data with third party services safely, in order to improve and streamline care.

But once again, Facebook appears to have blundered into this research without considering the significant privacy implications of using data from not one, but two private sources. Yes, this project was only in the early planning stages, and no one’s data had been accessed yet; but it’s about time Facebook started to build better privacy into the platform from the get-go.