Andrea Downing speaks during the Stanford Medicine X Conference in Palo Alto, California, in September 2017.

This breast cancer advocate says she discovered a Facebook flaw that put the health data of millions at risk

Updated 9:39 PM ET, Fri March 6, 2020

(CNN)Imagine you have a highly sensitive medical condition that you want, or need, to keep secret. Maybe you've been diagnosed with HIV, or you're trying to kick an opioid addiction.

Desperate to get some advice or talk to a kindred spirit, you bare your soul in a Facebook support group for people with your health problem.
But what if your membership in a Facebook group you assumed was confidential wasn't private?
And what if marketers could easily learn about your diagnosis and your name, email address, location and other identifying information?
Andrea Downing, a tech project manager and breast cancer advocate, has spent the past two years trying to tell the world about this alarming prospect.
Downing is an administrator for a private Facebook group helping women who have a gene mutation that puts them at risk for breast and ovarian cancer.
In 2018, she began to worry that leaks of personal data such as the Cambridge Analytica scandal, which affected up to 87 million Facebook users, could happen in the health sphere.
"There is much more wrong here than is being reported," she remembers thinking. "I kept expecting others to be on top of that and nobody was."
Downing thought there could be a similar risk for the women in her BRCA Sisterhood group who shared deeply sensitive information, including pictures of their mastectomies. Because their group was classified on Facebook as closed, members' personal information was supposed to only be visible to other members.
Downing called a cybersecurity researcher named Fred Trotter, who says he confirmed her suspicion. Trotter said he found a loophole in the privacy settings for closed Facebook groups that would allow developers, marketers and others to download the membership lists of Facebook groups for thousands of diseases and conditions, from Alcoholics Anonymous to survivors of sexual assault.
Trotter said that without more information, it's difficult to prove whether a third party developer exploited the alleged vulnerability.
"In less than an hour, I had extremely personal information that could be used against these women," Trotter told CNN. "The kinds of things that they don't tell their husbands about in some cases."

They filed a complaint about Facebook with the FTC

Trotter believes Downing's discovery had the potential for a leak "probably several orders of magnitude larger than Cambridge Analytica."
In an interview, he said that because the vulnerability would have been present for all Facebook groups labeled "closed," it would have affected far more people than that scandal, in which the Cambridge Analytica political consulting firm obtained the the personal data of millions of Americans.
Further, Trotter argued that the alleged vulnerability might be worse due to the high value of healthcare data to companies, and the high potential for malicious actors to use sensitive information for illicit purposes.
To be clear, Trotter and Downing do not point to a specific smoking gun of a third party stealing and selling health data that users shared on Facebook at mass scale.
But they do allege that users' identifiable information related to specific medical diagnoses could have been accessible for a period of years by those with Facebook developer accounts.
Fred Trotter discusses cybersecurity with Downing during a conference in February 2020.
Trotter and Downing are still concerned about this, even though they say the alleged health data vulnerability was closed in 2018 when Facebook changed its settings. Facebook told The Verge in July 2018, "While we recently made a change to closed groups, there was not a privacy loophole." A Facebook spokeswoman acknowledged to CNN that web developers did have access to membership lists for all closed groups before the fix.
Facebook says that simply being a member of a closed health group doesn't constitute a health disclosure, and that it's investing in ways to give its users clearer information about group privacy settings, particularly with regard to health groups.
Downing and Trotter have filed a complaint with the Federal Trade Commission, arguing that Facebook had an obligation to protect membership lists for health groups and that it failed to disclose this alleged vulnerability to its users.
If the FTC found that Facebook violated its health rules, the complaint could put Facebook on the hook for billions in potential fines.
It also raises troubling questions about the security of users' personal health information on the social platform -- and beyond.

It all started because Downing wanted to help women at risk for cancer

In a way, Downing's journey to becoming a health privacy crusader began many years ago -- when she was three years old and her mother was diagnosed with a hereditary cancer.
"Many of my earliest memories were not knowing whether my mom would live or die," she said.
Her mother survived.
In 2004, after graduating from the University of Texas at Austin, Downing moved to San Francisco and took a job at Salesforce, a cloud computing service.